Edit tour

Windows Analysis Report
Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Overview

General Information

Sample name:	Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Analysis ID:	1585142
MD5:	b5a730ecd9b2cf1543037c62ee0bf39e
SHA1:	d3391a3a3f925010fe724981a0f63afbe9131caa
SHA256:	f53d0f2f29ef10e16cd2d607a545c3523dfc9f4e0b04e0b4258740357c525253
Tags:	exeuser-threatcat_ch
Infos:

Detection

PureLog Stealer, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe" MD5: B5A730ECD9B2CF1543037C62EE0BF39E)

Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe" MD5: B5A730ECD9B2CF1543037C62EE0BF39E)

powershell.exe (PID: 7900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8184 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["104.250.180.178"], "Port": 7061, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1266915236.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1266915236.0000000004189000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.3713364376.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000005.00000002.3713364376.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcb33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcbd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcce5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc14d:$cnc4: POST / HTTP/1.1
00000000.00000002.1273463780.0000000005B10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x16893:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x72b3f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x81abb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16930:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x72bdc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x81b58:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16a45:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x72cf1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x81c6d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x15ead:$cnc4: POST / HTTP/1.1 0x72159:$cnc4: POST / HTTP/1.1 0x810d5:$cnc4: POST / HTTP/1.1
Process Memory Space: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe PID: 7280	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe PID: 7280	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe PID: 7464	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x8766:$str01: $VB$Local_Port 0x878a:$str02: $VB$Local_Host 0x749b:$str03: get_Jpeg 0x7822:$str04: get_ServicePack 0x9719:$str05: Select * from AntivirusProduct 0x9e55:$str06: PCRestart 0x9e69:$str07: shutdown.exe /f /r /t 0 0x9f1b:$str08: StopReport 0x9ef1:$str09: StopDDos 0x9ff3:$str10: sendPlugin 0xa181:$str12: -ExecutionPolicy Bypass -File " 0xa632:$str13: Content-length: 5235
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xafd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb0e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa54d:$cnc4: POST / HTTP/1.1
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
5.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xa566:$str01: $VB$Local_Port 0xa58a:$str02: $VB$Local_Host 0x929b:$str03: get_Jpeg 0x9622:$str04: get_ServicePack 0xb519:$str05: Select * from AntivirusProduct 0xbc55:$str06: PCRestart 0xbc69:$str07: shutdown.exe /f /r /t 0 0xbd1b:$str08: StopReport 0xbcf1:$str09: StopDDos 0xbdf3:$str10: sendPlugin 0xbf81:$str12: -ExecutionPolicy Bypass -File " 0xc432:$str13: Content-length: 5235
5.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc34d:$cnc4: POST / HTTP/1.1
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x8766:$str01: $VB$Local_Port 0x878a:$str02: $VB$Local_Host 0x749b:$str03: get_Jpeg 0x7822:$str04: get_ServicePack 0x9719:$str05: Select * from AntivirusProduct 0x9e55:$str06: PCRestart 0x9e69:$str07: shutdown.exe /f /r /t 0 0x9f1b:$str08: StopReport 0x9ef1:$str09: StopDDos 0x9ff3:$str10: sendPlugin 0xa181:$str12: -ExecutionPolicy Bypass -File " 0xa632:$str13: Content-length: 5235
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xafd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb0e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa54d:$cnc4: POST / HTTP/1.1
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xa566:$str01: $VB$Local_Port 0x194e2:$str01: $VB$Local_Port 0xa58a:$str02: $VB$Local_Host 0x19506:$str02: $VB$Local_Host 0x929b:$str03: get_Jpeg 0x18217:$str03: get_Jpeg 0x9622:$str04: get_ServicePack 0x1859e:$str04: get_ServicePack 0xb519:$str05: Select * from AntivirusProduct 0x1a495:$str05: Select * from AntivirusProduct 0xbc55:$str06: PCRestart 0x1abd1:$str06: PCRestart 0xbc69:$str07: shutdown.exe /f /r /t 0 0x1abe5:$str07: shutdown.exe /f /r /t 0 0xbd1b:$str08: StopReport 0x1ac97:$str08: StopReport 0xbcf1:$str09: StopDDos 0x1ac6d:$str09: StopDDos 0xbdf3:$str10: sendPlugin 0x1ad6f:$str10: sendPlugin 0xbf81:$str12: -ExecutionPolicy Bypass -File "
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1bcaf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1bd4c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1be61:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc34d:$cnc4: POST / HTTP/1.1 0x1b2c9:$cnc4: POST / HTTP/1.1
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0xa566:$str01: $VB$Local_Port 0x66812:$str01: $VB$Local_Port 0x7578e:$str01: $VB$Local_Port 0xa58a:$str02: $VB$Local_Host 0x66836:$str02: $VB$Local_Host 0x757b2:$str02: $VB$Local_Host 0x929b:$str03: get_Jpeg 0x65547:$str03: get_Jpeg 0x744c3:$str03: get_Jpeg 0x9622:$str04: get_ServicePack 0x658ce:$str04: get_ServicePack 0x7484a:$str04: get_ServicePack 0xb519:$str05: Select * from AntivirusProduct 0x677c5:$str05: Select * from AntivirusProduct 0x76741:$str05: Select * from AntivirusProduct 0xbc55:$str06: PCRestart 0x67f01:$str06: PCRestart 0x76e7d:$str06: PCRestart 0xbc69:$str07: shutdown.exe /f /r /t 0 0x67f15:$str07: shutdown.exe /f /r /t 0 0x76e91:$str07: shutdown.exe /f /r /t 0
0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x68fdf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x77f5b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6907c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x77ff8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69191:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7810d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc34d:$cnc4: POST / HTTP/1.1 0x685f9:$cnc4: POST / HTTP/1.1 0x77575:$cnc4: POST / HTTP/1.1
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe", ParentImage: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, ParentProcessId: 7464, ParentProcessName: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe', ProcessId: 7900, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe", ParentImage: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, ParentProcessId: 7464, ParentProcessName: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe', ProcessId: 7900, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, ProcessId: 7464, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe", ParentImage: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, ParentProcessId: 7464, ParentProcessName: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe', ProcessId: 7900, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:23:45.439164+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.7	57658	104.250.180.178	7061	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Avira: detection malicious, Label: HEUR/AGEN.1309493

Found malware configuration

Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": 7061, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Virustotal: Detection: 22%			Perma Link
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 104.250.180.178
Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 7061
Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.2
Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe
Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String decryptor: %AppData%
Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XClient.exe

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49805 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:57658 -> 104.250.180.178:7061

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:49805 -> 104.250.180.178:7061

Source: global traffic

TCP traffic: 192.168.2.7:57585 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 0000000D.00000002.1373668423.000000000794C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi%
Source: powershell.exe, 00000009.00000002.1333508589.0000000006F44000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1355468184.0000000003345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000F.00000002.1421128767.0000000007370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microxm:
Source: powershell.exe, 00000009.00000002.1330138217.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1368599067.0000000005DBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1415048632.00000000058CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1323732246.0000000004496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1357518402.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1396986319.00000000049B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3718623470.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1323732246.0000000004341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1357518402.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1396986319.0000000004861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448903818.0000000005031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1323732246.0000000004496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1357518402.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1396986319.00000000049B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1323732246.0000000004341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1357518402.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1396986319.0000000004861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448903818.0000000005031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1323732246.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1323732246.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.1330138217.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1368599067.0000000005DBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1415048632.00000000058CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 5.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.3713364376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_016B3E0C	0_2_016B3E0C
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_016B7018	0_2_016B7018
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_056FC570	0_2_056FC570
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_056FA820	0_2_056FA820
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_056FA819	0_2_056FA819
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_05707DF8	0_2_05707DF8
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_05700040	0_2_05700040
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_05700E02	0_2_05700E02
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_05700E08	0_2_05700E08
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 0_2_05707DEA	0_2_05707DEA
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_018E6225	5_2_018E6225
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_018E4AC8	5_2_018E4AC8
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_018E1458	5_2_018E1458
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_063527B8	5_2_063527B8
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_063547A8	5_2_063547A8
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06357428	5_2_06357428
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06357A50	5_2_06357A50
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_063558A3	5_2_063558A3
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06353088	5_2_06353088
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06352470	5_2_06352470
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06355A6B	5_2_06355A6B
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06355AFB	5_2_06355AFB
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06355B81	5_2_06355B81
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06355980	5_2_06355980
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_063559D9	5_2_063559D9
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_0657E278	5_2_0657E278
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06577648	5_2_06577648
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_065759CC	5_2_065759CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0420B490	9_2_0420B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0420B470	9_2_0420B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_082E3E98	9_2_082E3E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04B9B4A0	13_2_04B9B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04B9B490	13_2_04B9B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08CD3AA8	13_2_08CD3AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_08763AA8	15_2_08763AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_04EBB498	18_2_04EBB498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_04EBB488	18_2_04EBB488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_08F53B28	18_2_08F53B28

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000000.00000002.1266915236.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000000.00000002.1266915236.0000000004189000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000000.00000002.1266915236.00000000041FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000000.00000000.1255318369.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYYKU.exe: vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000000.00000002.1273463780.0000000005B10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000000.00000002.1278949492.0000000007700000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000000.00000002.1265966284.00000000016EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3734022260.0000000006549000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3731226365.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYYKU.exe: vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3713364376.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Binary or memory string: OriginalFilenameYYKU.exe: vs Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 5.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.3713364376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.raw.unpack, DlRvq5yJkomY4LIf3S.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.raw.unpack, DlRvq5yJkomY4LIf3S.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.raw.unpack, DlRvq5yJkomY4LIf3S.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'

Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, GShuP2yT9H8049qW37.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, GShuP2yT9H8049qW37.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, GShuP2yT9H8049qW37.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, GShuP2yT9H8049qW37.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, GShuP2yT9H8049qW37.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, GShuP2yT9H8049qW37.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, EE6pka6mgheKNjHlqT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, GShuP2yT9H8049qW37.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, GShuP2yT9H8049qW37.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, GShuP2yT9H8049qW37.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, EE6pka6mgheKNjHlqT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, EE6pka6mgheKNjHlqT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/21@0/1

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:820:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\XczLagvCjDnYaiUQ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Virustotal: Detection: 22%
Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

File read: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe "C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe"
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe "C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe"
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe "C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.5.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.raw.unpack, DlRvq5yJkomY4LIf3S.cs	.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.raw.unpack, DlRvq5yJkomY4LIf3S.cs	.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.raw.unpack, DlRvq5yJkomY4LIf3S.cs	.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, GShuP2yT9H8049qW37.cs	.Net Code: MdNI1c6KXb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, GShuP2yT9H8049qW37.cs	.Net Code: MdNI1c6KXb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, GShuP2yT9H8049qW37.cs	.Net Code: MdNI1c6KXb System.Reflection.Assembly.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_018E3328 push es; iretd	5_2_018E3387
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06356407 push es; ret	5_2_06356970
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_06354488 pushfd ; ret	5_2_06354489
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Code function: 5_2_063543A8 push eax; ret	5_2_063543A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0420E610 push es; ret	9_2_0420E620
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0420633D push eax; ret	9_2_04206351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0420DA21 push es; ret	9_2_0420DA80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0420DA71 push es; ret	9_2_0420DA80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04B9223B push ss; ret	13_2_04B9224A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04B9636D push eax; ret	13_2_04B96381
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04B92CEB push 04B807C3h; retf	13_2_04B92D0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_04EB42BD push ebx; ret	18_2_04EB42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_04EB635D push eax; ret	18_2_04EB6371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_04EB2C5C push 04B807ECh; retf	18_2_04EB2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_08F57488 push eax; retf	18_2_08F57489

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Static PE information: section name: .text entropy: 7.334520763870806
Source: XClient.exe.5.dr	Static PE information: section name: .text entropy: 7.334520763870806

Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, ojh1D8FvKfH1GM6U9a.cs	High entropy of concatenated method names: 'rZbMme0JMP', 'nWiM8cD1YA', 'xbuHAXOWR2', 'gKnHf8ti3Z', 'bvaHKcWnB1', 'l8kHD0X9kE', 'Od0HoMqg9n', 'Ol2HlVsLXs', 'i1lHrDo5Bv', 'kN9HcsY7Gb'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, EE6pka6mgheKNjHlqT.cs	High entropy of concatenated method names: 'oaMG0ZuZdY', 'OHnGOjlq1t', 'w2xGT1DDUu', 'tavGiBNi74', 'cdHGeyaRgd', 'z9bGbGeBFZ', 'Y3vGB8RaTQ', 'vjSGZ5UDor', 'IChGjcYeYA', 'b0WGwa6q9J'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, MmdT64InpdQhSnCp2i.cs	High entropy of concatenated method names: 'kUaCuE6pka', 'AghCyeKNjH', 'rCACYFXYNE', 'CJNCJpsjh1', 'i6UCs9atSc', 'RpyCWyrc9g', 'XWuq6lPBnwFoSYpisY', 'yokOMn6vOC7EttGc6C', 'fJgb7EwJwUmXoHu9ky', 'YNoCCCKGwP'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, prRLCBHibaNubiIccS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nCHXjpqbfB', 'PdQXwI6LsB', 'at3Xz8WohN', 'FtqpEh5E3w', 'v92pCuUeS6', 'RdjpXM1p5B', 'L87pptdLn8', 'pAhFc8Ai7W9y960icg6'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, txK1mAGBkYFU1KHjCn.cs	High entropy of concatenated method names: 'Dispose', 'yavCjRY89W', 'YbtXgfvPEv', 'X3mveM3oRr', 'mBVCwcO7iG', 'PTkCzuaktI', 'ProcessDialogKey', 'nviXEt65ab', 'xuuXC0Jk71', 'DG3XX2Raii'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, vScOpyUyrc9gfmk7ZS.cs	High entropy of concatenated method names: 'jEt7hZfokL', 'x4j7GMWHCS', 'BOK7MANTsO', 'Yg17uw4wLF', 'QH87yCr5hl', 'M02MekdSRG', 'fFGMb0KCys', 'UOdMBITUgp', 'emjMZ0f5q5', 'm8mMjNvOCv'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, wTsqNT09FILQ301DWJ.cs	High entropy of concatenated method names: 'Lt2scv1Lhl', 'SDFs33N6q8', 'qAMs0yIGAb', 'cDQsO6CVfJ', 'kf8sgL8wCr', 'JswsA5paqq', 'LvjsfagTNj', 'X2OsK8bHLJ', 'QGPsDfH6dg', 'QSEsopu5Qm'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, aOgPk6gLYFac2Lr8Wa.cs	High entropy of concatenated method names: 'zIKqbtV9dgpZipFOt6O', 'NsxtltV8xTCy5JpMbfe', 'pU175NUWpe', 'E4i7R8SoYK', 'Gmj7LEVbva', 'XoQeyRVYiKSOkQU9XMj', 'hYafcHVhHrysCfD2XFq'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, lRaiiiw1LdKAjBYoFg.cs	High entropy of concatenated method names: 'NEVLH6eK8W', 'rpJLMi6Llt', 'ELvL7uP3KU', 'GRvLu370PP', 'VA4LRUUd95', 'ww8Lyl0oMF', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, QJJ1UKbOiFJkBv0TwE.cs	High entropy of concatenated method names: 'eCMxZHJt5s', 'm0exwwZONV', 'Lsy5E6rQMb', 'sHZ5CNryUN', 'xpkxS8L0Yl', 'jlYx3FRHL8', 'gVsx4dYHIJ', 'qu8x0fdL8c', 'NuhxOdjSgI', 'F2gxT8h8rM'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, GShuP2yT9H8049qW37.cs	High entropy of concatenated method names: 'IwLph18xcZ', 'UmLp9ArTyg', 'p6RpGe9ShW', 'eBvpHAZAoO', 'hiFpMBeQtn', 'B9Qp7W1oLA', 'jJ1put5fVr', 'j4DpyZVyLc', 'uUip2uyJox', 'zitpYebZtr'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, WC3WydBy4PavRY89WJ.cs	High entropy of concatenated method names: 'hgURsVYwlJ', 'WUURxSbPEG', 'gS7RRYC6LF', 'MCmRQLeWjX', 'f6rRtgOTDR', 'vvwRn0S9VI', 'Dispose', 'D4g593upF2', 'EGf5Gbn1NA', 'hB95HVwbPD'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, sT1TJsoARUm0WTBeJq.cs	High entropy of concatenated method names: 'K46u9bJotV', 'kCGuHj5hAf', 'DPpu7cYHZk', 'nAc7wZnDhE', 'CA57zm8N82', 'kVauEfZPC0', 'SFOuClCmPY', 'KjkuXpR5Hu', 'wKQuptlNsi', 'RlXuIRZhNx'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, NKCEEgrpaMI3te1jIm.cs	High entropy of concatenated method names: 'LDKudogu3V', 'tL3uPsqTNo', 'KILu1wbYU8', 'FNOuqdcP9X', 'DfhumhXn5P', 'qIWuNrguFi', 'Fqdu8GEd5y', 'mOhu60crLm', 'GE7ua2PleZ', 'JhUuFPF5Bg'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, YVrSuXCC5oWPfVql8qK.cs	High entropy of concatenated method names: 'yrNLwV8Z04', 'XhcLzY1Tab', 'mIWQEaMrSa', 'W7JQC0HkaR', 'NjCQXLrBiy', 'WJhQpiqUxc', 'go2QI8W6yE', 'pZQQh0e80S', 'Hc8Q9hPO7F', 'Nu8QGHUs4b'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, Nw8FZHXa4HrnLdge1E.cs	High entropy of concatenated method names: 'fSW15LSB2', 'gDHqfYTGu', 'JgfN9HVJZ', 'jwE8QGhwD', 'Lcwa7UZ6k', 'GDcF78tIh', 'qF6qrJpQ8KFZlqw9IC', 'O97ptqjQq7ch4NsGs5', 'f9E5WkrOi', 'WisLd7g2U'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, Tt65abjduu0Jk718G3.cs	High entropy of concatenated method names: 'HiiRUam6Tk', 'iAgRgS2NYG', 'YncRAiiMbD', 'pm9RfvpRx7', 'LjhRKLijNC', 'nk9RD5lCHe', 'LkrRoH59I7', 'LMJRlsNUlq', 'rYWRr6nWgw', 'OmORc7CHIY'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, MB6YHdCICeoEWxMlXow.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DKXvRe2mhY', 'DnGvLMkc3I', 'y8KvQUpqUl', 'DdWvvaHl97', 'ChyvteVQNj', 'fauvk87nIX', 'o5RvnpX04c'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, aHFMfb4YpGlIABGleS.cs	High entropy of concatenated method names: 'Il7V6rwT7K', 'cNdVaF5N8C', 'HhEVU3mrxT', 'DEZVgPhiAW', 'EylVfHha29', 'dP0VKp9Xvv', 'DUEVoiDvOS', 'qvKVl8gjnF', 'pWLVcGX2Ap', 'LlnVSEYND1'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, eeLXVxCEpL7kpCQlxoA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6uLSfUy33', 'oLKL3aSeev', 'cDRL4SGCv0', 'MMcL05qhvA', 'u4VLOJu4Aj', 'rrqLT60Xdg', 'DVALiCOHNu'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, pHNYiICX3EJxkRrYUek.cs	High entropy of concatenated method names: 'ToString', 'JAIQ6Ih0Ch', 'yNyQavDNun', 'q9BQFyhWq5', 'LmHQU0lWNL', 'RaWQgnLMc6', 'u7VQAHDDRc', 'wm4QfSHpPA', 'o3xnnnkrTmee11p4q8K', 'HvpAemkMSwlQSxSpiFi'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, hCVsodzfLsmg0DeQMh.cs	High entropy of concatenated method names: 'mwGLNjcqKD', 'i0dL6QcA4d', 'OKoLadw38I', 'cr8LUE5Jto', 'ufxLgiQfAA', 'kmmLfuv3O3', 'rmRLKhaS6l', 'HXwLnpvnQ6', 'D6kLdlNBky', 'VgZLPdpYeu'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.7700000.8.raw.unpack, b0gnK5aCAFXYNE8JNp.cs	High entropy of concatenated method names: 'Jk7Hqjx9ko', 'q8bHNQpYfQ', 'iiYH6O9sxE', 'zvTHa842y1', 'vKyHsZVkyr', 'BiEHWg4qL3', 'RQUHxYL2FX', 'W9XH5MbEnB', 'QsZHRMLVLm', 'SZYHLcFGEI'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, ojh1D8FvKfH1GM6U9a.cs	High entropy of concatenated method names: 'rZbMme0JMP', 'nWiM8cD1YA', 'xbuHAXOWR2', 'gKnHf8ti3Z', 'bvaHKcWnB1', 'l8kHD0X9kE', 'Od0HoMqg9n', 'Ol2HlVsLXs', 'i1lHrDo5Bv', 'kN9HcsY7Gb'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, EE6pka6mgheKNjHlqT.cs	High entropy of concatenated method names: 'oaMG0ZuZdY', 'OHnGOjlq1t', 'w2xGT1DDUu', 'tavGiBNi74', 'cdHGeyaRgd', 'z9bGbGeBFZ', 'Y3vGB8RaTQ', 'vjSGZ5UDor', 'IChGjcYeYA', 'b0WGwa6q9J'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, MmdT64InpdQhSnCp2i.cs	High entropy of concatenated method names: 'kUaCuE6pka', 'AghCyeKNjH', 'rCACYFXYNE', 'CJNCJpsjh1', 'i6UCs9atSc', 'RpyCWyrc9g', 'XWuq6lPBnwFoSYpisY', 'yokOMn6vOC7EttGc6C', 'fJgb7EwJwUmXoHu9ky', 'YNoCCCKGwP'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, prRLCBHibaNubiIccS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nCHXjpqbfB', 'PdQXwI6LsB', 'at3Xz8WohN', 'FtqpEh5E3w', 'v92pCuUeS6', 'RdjpXM1p5B', 'L87pptdLn8', 'pAhFc8Ai7W9y960icg6'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, txK1mAGBkYFU1KHjCn.cs	High entropy of concatenated method names: 'Dispose', 'yavCjRY89W', 'YbtXgfvPEv', 'X3mveM3oRr', 'mBVCwcO7iG', 'PTkCzuaktI', 'ProcessDialogKey', 'nviXEt65ab', 'xuuXC0Jk71', 'DG3XX2Raii'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, vScOpyUyrc9gfmk7ZS.cs	High entropy of concatenated method names: 'jEt7hZfokL', 'x4j7GMWHCS', 'BOK7MANTsO', 'Yg17uw4wLF', 'QH87yCr5hl', 'M02MekdSRG', 'fFGMb0KCys', 'UOdMBITUgp', 'emjMZ0f5q5', 'm8mMjNvOCv'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, wTsqNT09FILQ301DWJ.cs	High entropy of concatenated method names: 'Lt2scv1Lhl', 'SDFs33N6q8', 'qAMs0yIGAb', 'cDQsO6CVfJ', 'kf8sgL8wCr', 'JswsA5paqq', 'LvjsfagTNj', 'X2OsK8bHLJ', 'QGPsDfH6dg', 'QSEsopu5Qm'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, aOgPk6gLYFac2Lr8Wa.cs	High entropy of concatenated method names: 'zIKqbtV9dgpZipFOt6O', 'NsxtltV8xTCy5JpMbfe', 'pU175NUWpe', 'E4i7R8SoYK', 'Gmj7LEVbva', 'XoQeyRVYiKSOkQU9XMj', 'hYafcHVhHrysCfD2XFq'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, lRaiiiw1LdKAjBYoFg.cs	High entropy of concatenated method names: 'NEVLH6eK8W', 'rpJLMi6Llt', 'ELvL7uP3KU', 'GRvLu370PP', 'VA4LRUUd95', 'ww8Lyl0oMF', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, QJJ1UKbOiFJkBv0TwE.cs	High entropy of concatenated method names: 'eCMxZHJt5s', 'm0exwwZONV', 'Lsy5E6rQMb', 'sHZ5CNryUN', 'xpkxS8L0Yl', 'jlYx3FRHL8', 'gVsx4dYHIJ', 'qu8x0fdL8c', 'NuhxOdjSgI', 'F2gxT8h8rM'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, GShuP2yT9H8049qW37.cs	High entropy of concatenated method names: 'IwLph18xcZ', 'UmLp9ArTyg', 'p6RpGe9ShW', 'eBvpHAZAoO', 'hiFpMBeQtn', 'B9Qp7W1oLA', 'jJ1put5fVr', 'j4DpyZVyLc', 'uUip2uyJox', 'zitpYebZtr'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, WC3WydBy4PavRY89WJ.cs	High entropy of concatenated method names: 'hgURsVYwlJ', 'WUURxSbPEG', 'gS7RRYC6LF', 'MCmRQLeWjX', 'f6rRtgOTDR', 'vvwRn0S9VI', 'Dispose', 'D4g593upF2', 'EGf5Gbn1NA', 'hB95HVwbPD'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, sT1TJsoARUm0WTBeJq.cs	High entropy of concatenated method names: 'K46u9bJotV', 'kCGuHj5hAf', 'DPpu7cYHZk', 'nAc7wZnDhE', 'CA57zm8N82', 'kVauEfZPC0', 'SFOuClCmPY', 'KjkuXpR5Hu', 'wKQuptlNsi', 'RlXuIRZhNx'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, NKCEEgrpaMI3te1jIm.cs	High entropy of concatenated method names: 'LDKudogu3V', 'tL3uPsqTNo', 'KILu1wbYU8', 'FNOuqdcP9X', 'DfhumhXn5P', 'qIWuNrguFi', 'Fqdu8GEd5y', 'mOhu60crLm', 'GE7ua2PleZ', 'JhUuFPF5Bg'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, YVrSuXCC5oWPfVql8qK.cs	High entropy of concatenated method names: 'yrNLwV8Z04', 'XhcLzY1Tab', 'mIWQEaMrSa', 'W7JQC0HkaR', 'NjCQXLrBiy', 'WJhQpiqUxc', 'go2QI8W6yE', 'pZQQh0e80S', 'Hc8Q9hPO7F', 'Nu8QGHUs4b'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, Nw8FZHXa4HrnLdge1E.cs	High entropy of concatenated method names: 'fSW15LSB2', 'gDHqfYTGu', 'JgfN9HVJZ', 'jwE8QGhwD', 'Lcwa7UZ6k', 'GDcF78tIh', 'qF6qrJpQ8KFZlqw9IC', 'O97ptqjQq7ch4NsGs5', 'f9E5WkrOi', 'WisLd7g2U'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, Tt65abjduu0Jk718G3.cs	High entropy of concatenated method names: 'HiiRUam6Tk', 'iAgRgS2NYG', 'YncRAiiMbD', 'pm9RfvpRx7', 'LjhRKLijNC', 'nk9RD5lCHe', 'LkrRoH59I7', 'LMJRlsNUlq', 'rYWRr6nWgw', 'OmORc7CHIY'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, MB6YHdCICeoEWxMlXow.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DKXvRe2mhY', 'DnGvLMkc3I', 'y8KvQUpqUl', 'DdWvvaHl97', 'ChyvteVQNj', 'fauvk87nIX', 'o5RvnpX04c'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, aHFMfb4YpGlIABGleS.cs	High entropy of concatenated method names: 'Il7V6rwT7K', 'cNdVaF5N8C', 'HhEVU3mrxT', 'DEZVgPhiAW', 'EylVfHha29', 'dP0VKp9Xvv', 'DUEVoiDvOS', 'qvKVl8gjnF', 'pWLVcGX2Ap', 'LlnVSEYND1'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, eeLXVxCEpL7kpCQlxoA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6uLSfUy33', 'oLKL3aSeev', 'cDRL4SGCv0', 'MMcL05qhvA', 'u4VLOJu4Aj', 'rrqLT60Xdg', 'DVALiCOHNu'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, pHNYiICX3EJxkRrYUek.cs	High entropy of concatenated method names: 'ToString', 'JAIQ6Ih0Ch', 'yNyQavDNun', 'q9BQFyhWq5', 'LmHQU0lWNL', 'RaWQgnLMc6', 'u7VQAHDDRc', 'wm4QfSHpPA', 'o3xnnnkrTmee11p4q8K', 'HvpAemkMSwlQSxSpiFi'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, hCVsodzfLsmg0DeQMh.cs	High entropy of concatenated method names: 'mwGLNjcqKD', 'i0dL6QcA4d', 'OKoLadw38I', 'cr8LUE5Jto', 'ufxLgiQfAA', 'kmmLfuv3O3', 'rmRLKhaS6l', 'HXwLnpvnQ6', 'D6kLdlNBky', 'VgZLPdpYeu'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.436e910.5.raw.unpack, b0gnK5aCAFXYNE8JNp.cs	High entropy of concatenated method names: 'Jk7Hqjx9ko', 'q8bHNQpYfQ', 'iiYH6O9sxE', 'zvTHa842y1', 'vKyHsZVkyr', 'BiEHWg4qL3', 'RQUHxYL2FX', 'W9XH5MbEnB', 'QsZHRMLVLm', 'SZYHLcFGEI'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, ojh1D8FvKfH1GM6U9a.cs	High entropy of concatenated method names: 'rZbMme0JMP', 'nWiM8cD1YA', 'xbuHAXOWR2', 'gKnHf8ti3Z', 'bvaHKcWnB1', 'l8kHD0X9kE', 'Od0HoMqg9n', 'Ol2HlVsLXs', 'i1lHrDo5Bv', 'kN9HcsY7Gb'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, EE6pka6mgheKNjHlqT.cs	High entropy of concatenated method names: 'oaMG0ZuZdY', 'OHnGOjlq1t', 'w2xGT1DDUu', 'tavGiBNi74', 'cdHGeyaRgd', 'z9bGbGeBFZ', 'Y3vGB8RaTQ', 'vjSGZ5UDor', 'IChGjcYeYA', 'b0WGwa6q9J'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, MmdT64InpdQhSnCp2i.cs	High entropy of concatenated method names: 'kUaCuE6pka', 'AghCyeKNjH', 'rCACYFXYNE', 'CJNCJpsjh1', 'i6UCs9atSc', 'RpyCWyrc9g', 'XWuq6lPBnwFoSYpisY', 'yokOMn6vOC7EttGc6C', 'fJgb7EwJwUmXoHu9ky', 'YNoCCCKGwP'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, prRLCBHibaNubiIccS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nCHXjpqbfB', 'PdQXwI6LsB', 'at3Xz8WohN', 'FtqpEh5E3w', 'v92pCuUeS6', 'RdjpXM1p5B', 'L87pptdLn8', 'pAhFc8Ai7W9y960icg6'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, txK1mAGBkYFU1KHjCn.cs	High entropy of concatenated method names: 'Dispose', 'yavCjRY89W', 'YbtXgfvPEv', 'X3mveM3oRr', 'mBVCwcO7iG', 'PTkCzuaktI', 'ProcessDialogKey', 'nviXEt65ab', 'xuuXC0Jk71', 'DG3XX2Raii'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, vScOpyUyrc9gfmk7ZS.cs	High entropy of concatenated method names: 'jEt7hZfokL', 'x4j7GMWHCS', 'BOK7MANTsO', 'Yg17uw4wLF', 'QH87yCr5hl', 'M02MekdSRG', 'fFGMb0KCys', 'UOdMBITUgp', 'emjMZ0f5q5', 'm8mMjNvOCv'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, wTsqNT09FILQ301DWJ.cs	High entropy of concatenated method names: 'Lt2scv1Lhl', 'SDFs33N6q8', 'qAMs0yIGAb', 'cDQsO6CVfJ', 'kf8sgL8wCr', 'JswsA5paqq', 'LvjsfagTNj', 'X2OsK8bHLJ', 'QGPsDfH6dg', 'QSEsopu5Qm'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, aOgPk6gLYFac2Lr8Wa.cs	High entropy of concatenated method names: 'zIKqbtV9dgpZipFOt6O', 'NsxtltV8xTCy5JpMbfe', 'pU175NUWpe', 'E4i7R8SoYK', 'Gmj7LEVbva', 'XoQeyRVYiKSOkQU9XMj', 'hYafcHVhHrysCfD2XFq'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, lRaiiiw1LdKAjBYoFg.cs	High entropy of concatenated method names: 'NEVLH6eK8W', 'rpJLMi6Llt', 'ELvL7uP3KU', 'GRvLu370PP', 'VA4LRUUd95', 'ww8Lyl0oMF', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, QJJ1UKbOiFJkBv0TwE.cs	High entropy of concatenated method names: 'eCMxZHJt5s', 'm0exwwZONV', 'Lsy5E6rQMb', 'sHZ5CNryUN', 'xpkxS8L0Yl', 'jlYx3FRHL8', 'gVsx4dYHIJ', 'qu8x0fdL8c', 'NuhxOdjSgI', 'F2gxT8h8rM'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, GShuP2yT9H8049qW37.cs	High entropy of concatenated method names: 'IwLph18xcZ', 'UmLp9ArTyg', 'p6RpGe9ShW', 'eBvpHAZAoO', 'hiFpMBeQtn', 'B9Qp7W1oLA', 'jJ1put5fVr', 'j4DpyZVyLc', 'uUip2uyJox', 'zitpYebZtr'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, WC3WydBy4PavRY89WJ.cs	High entropy of concatenated method names: 'hgURsVYwlJ', 'WUURxSbPEG', 'gS7RRYC6LF', 'MCmRQLeWjX', 'f6rRtgOTDR', 'vvwRn0S9VI', 'Dispose', 'D4g593upF2', 'EGf5Gbn1NA', 'hB95HVwbPD'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, sT1TJsoARUm0WTBeJq.cs	High entropy of concatenated method names: 'K46u9bJotV', 'kCGuHj5hAf', 'DPpu7cYHZk', 'nAc7wZnDhE', 'CA57zm8N82', 'kVauEfZPC0', 'SFOuClCmPY', 'KjkuXpR5Hu', 'wKQuptlNsi', 'RlXuIRZhNx'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, NKCEEgrpaMI3te1jIm.cs	High entropy of concatenated method names: 'LDKudogu3V', 'tL3uPsqTNo', 'KILu1wbYU8', 'FNOuqdcP9X', 'DfhumhXn5P', 'qIWuNrguFi', 'Fqdu8GEd5y', 'mOhu60crLm', 'GE7ua2PleZ', 'JhUuFPF5Bg'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, YVrSuXCC5oWPfVql8qK.cs	High entropy of concatenated method names: 'yrNLwV8Z04', 'XhcLzY1Tab', 'mIWQEaMrSa', 'W7JQC0HkaR', 'NjCQXLrBiy', 'WJhQpiqUxc', 'go2QI8W6yE', 'pZQQh0e80S', 'Hc8Q9hPO7F', 'Nu8QGHUs4b'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, Nw8FZHXa4HrnLdge1E.cs	High entropy of concatenated method names: 'fSW15LSB2', 'gDHqfYTGu', 'JgfN9HVJZ', 'jwE8QGhwD', 'Lcwa7UZ6k', 'GDcF78tIh', 'qF6qrJpQ8KFZlqw9IC', 'O97ptqjQq7ch4NsGs5', 'f9E5WkrOi', 'WisLd7g2U'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, Tt65abjduu0Jk718G3.cs	High entropy of concatenated method names: 'HiiRUam6Tk', 'iAgRgS2NYG', 'YncRAiiMbD', 'pm9RfvpRx7', 'LjhRKLijNC', 'nk9RD5lCHe', 'LkrRoH59I7', 'LMJRlsNUlq', 'rYWRr6nWgw', 'OmORc7CHIY'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, MB6YHdCICeoEWxMlXow.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DKXvRe2mhY', 'DnGvLMkc3I', 'y8KvQUpqUl', 'DdWvvaHl97', 'ChyvteVQNj', 'fauvk87nIX', 'o5RvnpX04c'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, aHFMfb4YpGlIABGleS.cs	High entropy of concatenated method names: 'Il7V6rwT7K', 'cNdVaF5N8C', 'HhEVU3mrxT', 'DEZVgPhiAW', 'EylVfHha29', 'dP0VKp9Xvv', 'DUEVoiDvOS', 'qvKVl8gjnF', 'pWLVcGX2Ap', 'LlnVSEYND1'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, eeLXVxCEpL7kpCQlxoA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6uLSfUy33', 'oLKL3aSeev', 'cDRL4SGCv0', 'MMcL05qhvA', 'u4VLOJu4Aj', 'rrqLT60Xdg', 'DVALiCOHNu'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, pHNYiICX3EJxkRrYUek.cs	High entropy of concatenated method names: 'ToString', 'JAIQ6Ih0Ch', 'yNyQavDNun', 'q9BQFyhWq5', 'LmHQU0lWNL', 'RaWQgnLMc6', 'u7VQAHDDRc', 'wm4QfSHpPA', 'o3xnnnkrTmee11p4q8K', 'HvpAemkMSwlQSxSpiFi'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, hCVsodzfLsmg0DeQMh.cs	High entropy of concatenated method names: 'mwGLNjcqKD', 'i0dL6QcA4d', 'OKoLadw38I', 'cr8LUE5Jto', 'ufxLgiQfAA', 'kmmLfuv3O3', 'rmRLKhaS6l', 'HXwLnpvnQ6', 'D6kLdlNBky', 'VgZLPdpYeu'
Source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.43c1530.3.raw.unpack, b0gnK5aCAFXYNE8JNp.cs	High entropy of concatenated method names: 'Jk7Hqjx9ko', 'q8bHNQpYfQ', 'iiYH6O9sxE', 'zvTHa842y1', 'vKyHsZVkyr', 'BiEHWg4qL3', 'RQUHxYL2FX', 'W9XH5MbEnB', 'QsZHRMLVLm', 'SZYHLcFGEI'

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File created: \draft hbl# ttpe6948502 so#4174 - lcl shipping advice (khh-hkg)-fob .scr.exe	Jump to behavior

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe PID: 7280, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: 5180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: BC50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: CC50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: CF10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: DF10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: 18E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: 32B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Memory allocated: 31B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Window / User API: threadDelayed 4919	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Window / User API: threadDelayed 4929	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5699	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4048	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6169	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2679	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7590	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2148	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3641

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe TID: 7300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe TID: 8180	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe TID: 8180	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe TID: 8112	Thread sleep count: 4919 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe TID: 8112	Thread sleep count: 4929 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6676	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4340	Thread sleep count: 7590 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep count: 2148 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep count: 6109 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep count: 3641 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6528	Thread sleep time: -3689348814741908s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3714751554.00000000015B4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe "C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3714751554.00000000015B4000.00000004.00000020.00020000.00000000.sdmp, Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3714751554.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3714751554.0000000001557000.00000004.00000020.00020000.00000000.sdmp, Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3736798959.0000000007350000.00000004.00000020.00020000.00000000.sdmp, Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3736798959.0000000007378000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1266915236.00000000041C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1266915236.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1273463780.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3713364376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe PID: 7464, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.5b10000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41c7868.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.41a7848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1266915236.00000000041C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1266915236.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1273463780.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.31e6e0c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.318ab60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3713364376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe PID: 7464, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	22%	Virustotal		Browse
Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	13%	ReversingLabs
Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	100%	Avira	HEUR/AGEN.1309493
Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\XClient.exe	100%	Avira	HEUR/AGEN.1309493
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	13%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.mi%	0%	Avira URL Cloud	safe
http://crl.microxm:	0%	Avira URL Cloud	safe
104.250.180.178	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1330138217.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1368599067.0000000005DBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1415048632.00000000058CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000009.00000002.1333508589.0000000006F44000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1355468184.0000000003345000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microxm:	powershell.exe, 0000000F.00000002.1421128767.0000000007370000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000009.00000002.1323732246.0000000004496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1357518402.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1396986319.00000000049B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000009.00000002.1323732246.0000000004341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1357518402.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1396986319.0000000004861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448903818.0000000005031000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000009.00000002.1323732246.0000000004B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1323732246.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mi%	powershell.exe, 0000000D.00000002.1373668423.000000000794C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000009.00000002.1323732246.0000000004496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1357518402.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1396986319.00000000049B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1330138217.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1368599067.0000000005DBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1415048632.00000000058CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000012.00000002.1470287733.000000000609C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe, 00000005.00000002.3718623470.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1323732246.0000000004341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1357518402.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1396986319.0000000004861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1448903818.0000000005031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000012.00000002.1448903818.0000000005186000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585142
Start date and time:	2025-01-07 06:19:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/21@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 282 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:20:05	API Interceptor	8839977x Sleep call for process: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe modified
00:20:10	API Interceptor	40x Sleep call for process: powershell.exe modified
07:37:55	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.250.180.178	aDGx3jaI7i.exe	Get hash	malicious	Remcos	Browse
	ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe	Get hash	malicious	Remcos	Browse
	THITWNSEI24112908089786756456545346568789-00010.scr.exe	Get hash	malicious	XWorm	Browse
	SKM_BH450i2411261138090453854974574748668683985857435.scr.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe	Get hash	malicious	PureLog Stealer, Remcos	Browse
	Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Get hash	malicious	PureLog Stealer, Remcos	Browse
	CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Get hash	malicious	Remcos	Browse
	PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Get hash	malicious	XWorm	Browse
	rSOD219ISF-____.scr.exe	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	Hilix.m68k.elf	Get hash	malicious	Mirai	Browse	45.13.30.97
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse	185.244.212.106
	random.exe	Get hash	malicious	Poverty Stealer	Browse	185.244.212.106
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	45.88.100.158
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	213.109.189.115
	UD3cS4ODWz.exe	Get hash	malicious	Unknown	Browse	185.156.175.43
	nXNMsYXFFc.exe	Get hash	malicious	Unknown	Browse	185.156.175.43
	UD3cS4ODWz.exe	Get hash	malicious	Unknown	Browse	185.156.175.43
	nXNMsYXFFc.exe	Get hash	malicious	Unknown	Browse	185.156.175.43
	ub8ehJSePAfc9FYqZIT6.arm6.elf	Get hash	malicious	Unknown	Browse	92.118.56.167

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.log

Download File

Process:	C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379389566227414
Encrypted:	false
SSDEEP:	48:+WSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//ZS50UXus:+LHxvCZfIfSKRHmOugbKs
MD5:	B8583AFBB02E23991C3713146A7352B3
SHA1:	E17E9B2B500724AAB823DD656655628C9EFD616A
SHA-256:	F02728F3354B312DA641AF8D2355ECF55B1019ADB3C4E3518E5840AA7FBAF7FF
SHA-512:	E0482CADE0709609AC2A96CEE2DA5618E4DB7266DCD73E0F37A89F95FFDB51E9E6224C75A3F0D4E14BEF6B60942F869F2F0FC0327E65B31208ED14A1D2BA2BE5
Malicious:	false
Preview:	@...e...............................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_50s1bmwm.0wf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ag4xh2pk.kqi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqewf2zr.r45.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gxnxruir.5mu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hszerapu.fmw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kiqugtpy.jan.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kkchklss.xah.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msxpimxa.zgb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njt55zfj.rgi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o3l1gumt.t04.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ozmcuojc.osw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vby1k0o5.suj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vulpt4uq.v4z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w3fiiuid.fwh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypoc31ci.oly.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zpudavzk.1nf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 7 05:37:51 2025, mtime=Tue Jan 7 05:37:51 2025, atime=Tue Jan 7 05:37:51 2025, length=612864, window=hide
Category:	dropped
Size (bytes):	768
Entropy (8bit):	5.101695108930609
Encrypted:	false
SSDEEP:	12:8Us24nJ/90N+2Chzi1Y//T/LLfJnlHYjAxzvANHkd/tbRdzBmV:8U2nJ/9B2w9TfJl8AxbDdxRdtm
MD5:	D3ADDCFDB50919545FDDBB4E62C9D59F
SHA1:	B0BCFF9B254AA8E82D2CD29BDAFD8AD7A3386234
SHA-256:	685622A00702D403B8FFE0EC4BE856065051F4FF8F48892D0C55FD23E819F1B1
SHA-512:	C286E565E4B0066EAD49C6BD1512B9257DA41BC3EF955E5A66035F22A040FAE8173930647A86FDFB1E3917454369437A14778A2732BEC36A03ADD1ED759F41FC
Malicious:	false
Preview:	L..................F.... ...m....`..m....`..m....`...Z......................v.:..DG..Yr?.D..U..k0.&...&......Qg._....I...`..o-...`......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.='Z...........................3N.A.p.p.D.a.t.a...B.V.1.....'Z}..Roaming.@......EW.='Z}*...........................}.R.o.a.m.i.n.g.....b.2..Z..'Z.4 .XClient.exe.H......'Z.4'Z.4....I.......................Z.X.C.l.i.e.n.t...e.x.e.......]...............-.......\............o`......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......399601...........hT..CrF.f4... .==.......,......hT..CrF.f4... .==.......,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	612864
Entropy (8bit):	7.3207731258802635
Encrypted:	false
SSDEEP:	12288:OTM7WYMV+I4MVKWGq/eWoe0m3rc3DcURo4VRbn1kyYh:ISGRgZqJzo3k4v1JY
MD5:	B5A730ECD9B2CF1543037C62EE0BF39E
SHA1:	D3391A3A3F925010FE724981A0F63AFBE9131CAA
SHA-256:	F53D0F2F29EF10E16CD2D607A545C3523DFC9F4E0B04E0B4258740357C525253
SHA-512:	80CF3D16AE5B568994B001EE74AE7927A4F04D30D556E4DB4F7EF99C45DFBC56A76BE080BCC6A6913EA44F2AEC2F7195B8720526217F699E48A86DAFE0754B34
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\|g..............0..<...........Z... ...`....@.. ....................................`..................................Y..O....`..l............................................................................ ............... ..H............text....:... ...<.................. ..`.rsrc...l....`.......>..............@..@.reloc...............X..............@..B.................Y......H.......PB...7......4....y...............................................0............}.....r...p(....}.....r...p(....}.....s....}......}......}.....(.......( .....{.....r7..pr9..p~5...%-.&~4.....R...s....%.5...(...+(...+~6...%-.&~4.....S...s....%.6...(...+...G...%..(...+s.....%.rK..p.%.rY..p...H...(....rs..p ............%...%...(........0..(..........}.....{....o.....s ...... ....(!...&F...}......(........0..............{.....X..}.....s...}......{....o"....o#...t.......(

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3207731258802635
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
File size:	612'864 bytes
MD5:	b5a730ecd9b2cf1543037c62ee0bf39e
SHA1:	d3391a3a3f925010fe724981a0f63afbe9131caa
SHA256:	f53d0f2f29ef10e16cd2d607a545c3523dfc9f4e0b04e0b4258740357c525253
SHA512:	80cf3d16ae5b568994b001ee74ae7927a4f04d30d556e4db4f7ef99c45dfbc56a76be080bcc6a6913ea44f2aec2f7195b8720526217f699e48a86dafe0754b34
SSDEEP:	12288:OTM7WYMV+I4MVKWGq/eWoe0m3rc3DcURo4VRbn1kyYh:ISGRgZqJzo3k4v1JY
TLSH:	1DD46A161396D4C5E0D716BC28E3FBB781140E485A21D6C247EDBEA73AA3A8D790F1C7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\|g..............0..<...........Z... ...`....@.. ....................................`................................

File Icon


Icon Hash:	13294d96922b2b0f

Static PE Info

General

Entrypoint:	0x495a0a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677CA6C5 [Tue Jan 7 04:00:05 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x959b8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0x196c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x93a10	0x93c00	aa190ecf6379f85e1cf8bd53ba6ab078	False	0.767037793464467	data	7.334520763870806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0x196c	0x1a00	6a0546db242875be6932b56bf8d2e6db	False	0.6538461538461539	data	6.004119926899158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0xc	0x200	d99a4dd7ecd8abdea6ed4cf23056fc3a	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x960e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.8129432624113475
RT_ICON	0x96560	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.7136491557223265
RT_GROUP_ICON	0x97618	0x22	data	0.9411764705882353
RT_VERSION	0x9764c	0x31c	data	0.4321608040201005

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T06:20:46.003494+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.7	49805	104.250.180.178	7061	TCP
2025-01-07T06:23:45.439164+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.7	57658	104.250.180.178	7061	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:20:31.106621027 CET	49805	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:20:31.111522913 CET	7061	49805	104.250.180.178	192.168.2.7
Jan 7, 2025 06:20:31.111593962 CET	49805	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:20:31.217504978 CET	49805	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:20:31.222465038 CET	7061	49805	104.250.180.178	192.168.2.7
Jan 7, 2025 06:20:46.003494024 CET	49805	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:20:46.009639025 CET	7061	49805	104.250.180.178	192.168.2.7
Jan 7, 2025 06:20:48.586002111 CET	57585	53	192.168.2.7	162.159.36.2
Jan 7, 2025 06:20:48.590821028 CET	53	57585	162.159.36.2	192.168.2.7
Jan 7, 2025 06:20:48.590884924 CET	57585	53	192.168.2.7	162.159.36.2
Jan 7, 2025 06:20:48.595798969 CET	53	57585	162.159.36.2	192.168.2.7
Jan 7, 2025 06:20:49.034454107 CET	57585	53	192.168.2.7	162.159.36.2
Jan 7, 2025 06:20:49.039382935 CET	53	57585	162.159.36.2	192.168.2.7
Jan 7, 2025 06:20:49.039438009 CET	57585	53	192.168.2.7	162.159.36.2
Jan 7, 2025 06:20:52.495198965 CET	7061	49805	104.250.180.178	192.168.2.7
Jan 7, 2025 06:20:52.495255947 CET	49805	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:20:56.344614029 CET	49805	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:20:56.345386982 CET	57637	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:20:56.349436045 CET	7061	49805	104.250.180.178	192.168.2.7
Jan 7, 2025 06:20:56.350184917 CET	7061	57637	104.250.180.178	192.168.2.7
Jan 7, 2025 06:20:56.350250006 CET	57637	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:20:56.374290943 CET	57637	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:20:56.379159927 CET	7061	57637	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:09.616163969 CET	57637	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:09.621197939 CET	7061	57637	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:17.750647068 CET	7061	57637	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:17.750823975 CET	57637	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:18.407162905 CET	57637	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:18.408061981 CET	57652	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:18.412081957 CET	7061	57637	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:18.412938118 CET	7061	57652	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:18.413013935 CET	57652	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:18.438853979 CET	57652	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:18.444267035 CET	7061	57652	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:33.001236916 CET	57652	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:33.007663012 CET	7061	57652	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:39.795825005 CET	7061	57652	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:39.796022892 CET	57652	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:39.796673059 CET	57652	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:39.799133062 CET	57653	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:39.801481009 CET	7061	57652	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:39.803965092 CET	7061	57653	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:39.804122925 CET	57653	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:39.885720015 CET	57653	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:39.890598059 CET	7061	57653	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:50.266752005 CET	57653	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:50.272842884 CET	7061	57653	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:50.626277924 CET	57653	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:50.631119013 CET	7061	57653	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:55.469801903 CET	57653	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:55.474756002 CET	7061	57653	104.250.180.178	192.168.2.7
Jan 7, 2025 06:21:59.426512957 CET	57653	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:21:59.431294918 CET	7061	57653	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:01.152638912 CET	7061	57653	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:01.152718067 CET	57653	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:06.048007011 CET	57653	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:06.052946091 CET	7061	57653	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:06.056209087 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:06.060970068 CET	7061	57654	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:06.061059952 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:06.109143972 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:06.113919020 CET	7061	57654	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:06.313941002 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:06.318862915 CET	7061	57654	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:06.454344988 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:06.459323883 CET	7061	57654	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:11.032386065 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:11.038249016 CET	7061	57654	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:16.969983101 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:16.975064039 CET	7061	57654	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:16.985647917 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:16.990468979 CET	7061	57654	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:27.438884020 CET	7061	57654	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:27.446480989 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.204286098 CET	57654	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.205467939 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.209105968 CET	7061	57654	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:32.210299015 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:32.210392952 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.296858072 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.301728964 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:32.704411030 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.709281921 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:32.720002890 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.724849939 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:32.735829115 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.740618944 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:32.766944885 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.771716118 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:32.782532930 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:32.787333965 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:37.001285076 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:37.006248951 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:37.766949892 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:37.771850109 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:44.470019102 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:44.475773096 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:45.298147917 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:45.303160906 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:53.579458952 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:53.579649925 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:58.423209906 CET	57655	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:58.428101063 CET	7061	57655	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:58.428227901 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:58.433032036 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:58.433099031 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:58.489490032 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:58.494355917 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:58.626442909 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:58.631273031 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:58.704319954 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:58.709196091 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:22:58.751373053 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:22:58.756149054 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:03.751235962 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:03.756141901 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:04.845541954 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:04.850402117 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:19.722521067 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:19.727478981 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:19.778207064 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:19.782599926 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:19.786524057 CET	57656	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:19.790502071 CET	57657	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:19.791284084 CET	7061	57656	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:19.795346022 CET	7061	57657	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:19.801578045 CET	57657	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:19.910527945 CET	57657	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:19.915697098 CET	7061	57657	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:25.189064026 CET	57657	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:25.193933010 CET	7061	57657	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:25.204417944 CET	57657	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:25.209255934 CET	7061	57657	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:30.188946962 CET	57657	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:30.193797112 CET	7061	57657	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:31.688931942 CET	57657	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:31.693727970 CET	7061	57657	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:41.185573101 CET	7061	57657	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:41.185667992 CET	57657	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:45.329433918 CET	57657	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:45.331899881 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:45.334338903 CET	7061	57657	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:45.336692095 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:45.336767912 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:45.364332914 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:45.369116068 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:45.392153025 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:45.396941900 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:45.439163923 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:45.443974018 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:50.657800913 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:50.662638903 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:50.673401117 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:50.678157091 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:50.751535892 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:50.756328106 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:23:56.082530975 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:23:56.087322950 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:24:06.706356049 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:24:06.706404924 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:24:06.706698895 CET	57658	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:24:06.708106995 CET	57659	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:24:06.711493969 CET	7061	57658	104.250.180.178	192.168.2.7
Jan 7, 2025 06:24:06.712963104 CET	7061	57659	104.250.180.178	192.168.2.7
Jan 7, 2025 06:24:06.713028908 CET	57659	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:24:06.753001928 CET	57659	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:24:06.759185076 CET	7061	57659	104.250.180.178	192.168.2.7
Jan 7, 2025 06:24:11.423355103 CET	57659	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:24:11.428168058 CET	7061	57659	104.250.180.178	192.168.2.7
Jan 7, 2025 06:24:14.860805988 CET	57659	7061	192.168.2.7	104.250.180.178
Jan 7, 2025 06:24:14.865863085 CET	7061	57659	104.250.180.178	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:20:48.585562944 CET	53	52228	162.159.36.2	192.168.2.7
Jan 7, 2025 06:20:49.051173925 CET	53	49799	1.1.1.1	192.168.2.7

Target ID:	0
Start time:	00:20:05
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe"
Imagebase:	0xde0000
File size:	612'864 bytes
MD5 hash:	B5A730ECD9B2CF1543037C62EE0BF39E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1266915236.00000000041C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1266915236.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1273463780.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1266441228.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:20:06
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe"
Imagebase:	0xec0000
File size:	612'864 bytes
MD5 hash:	B5A730ECD9B2CF1543037C62EE0BF39E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.3713364376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.3713364376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	00:20:09
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'
Imagebase:	0x8c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:20:09
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:20:13
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe'
Imagebase:	0x8c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:20:13
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:20:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x8c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:20:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:20:22
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x8c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:20:22
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exePID: 7280, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.4%
Total number of Nodes:	214
Total number of Limit Nodes:	7

Executed Functions

Function 056FC570 Relevance: 7.0, Strings: 5, Instructions: 719COMMON

Download Yara Rule

Strings

,q, xrefs: 056FCB87
Hq, xrefs: 056FCE70
(oq, xrefs: 056FCE03
(oq, xrefs: 056FCDF9
,q, xrefs: 056FCB97

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q$Hq
API String ID: 0-962059274
Opcode ID: 50480a76759dc05411e82c6a3020b2ba0d273f36005b232631d1cc027b70e7c8
Instruction ID: 9b11a56393ad08381519c6d55fc78cb5ceab791d2e4abd9a1cea4b8674d8985f
Opcode Fuzzy Hash: 50480a76759dc05411e82c6a3020b2ba0d273f36005b232631d1cc027b70e7c8
Instruction Fuzzy Hash: 46527235F08119DFEB18DF69D494A6EBBB2BF88310B158169E916DB360DB31EC41CB90

Function 05707DF8 Relevance: 4.3, Strings: 2, Instructions: 1815
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'Aq, xrefs: 05707E33
$Aq, xrefs: 05707E7F

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: 'Aq$$Aq
API String ID: 0-3116551248
Opcode ID: b4a040ea08787ae52bd217b9ca2b7ddea878e1363ea4595c4dd822860b85ff85
Instruction ID: 360d31841bdcb0585371e9a93e9c7f400fcbe4934fe79b691f04629a80145f71
Opcode Fuzzy Hash: b4a040ea08787ae52bd217b9ca2b7ddea878e1363ea4595c4dd822860b85ff85
Instruction Fuzzy Hash: 1D13A534A11259CFCB29EF24C898A99B7B6FF89300F5151E9D509AB361DB31AEC5CF40

Function 05707DEA Relevance: 4.3, Strings: 2, Instructions: 1806
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'Aq, xrefs: 05707E33
$Aq, xrefs: 05707E7F

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: 'Aq$$Aq
API String ID: 0-3116551248
Opcode ID: 2f24bf26a995c4df73450e48165a9b48c7e7c11ec2adaf60a9c59fe4227ce838
Instruction ID: c10a5057dd0330cdf66df06c005289448eeca1f186907c6f5bb24afad01a3c3e
Opcode Fuzzy Hash: 2f24bf26a995c4df73450e48165a9b48c7e7c11ec2adaf60a9c59fe4227ce838
Instruction Fuzzy Hash: 8113A534A11259CFCB29DF24C898AA9B7B6FF89300F5151E9D509AB361DB31AEC5CF40

Function 016B7018 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

Ppq, xrefs: 016B728A

Memory Dump Source

Source File: 00000000.00000002.1265900294.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: Ppq
API String ID: 0-1927884935
Opcode ID: 3b7226af52ca45ea2b686b379069ab3b4b6aad7aa9bba822a6b549c9b97ce81e
Instruction ID: f79365e56863819881a983a6a7fbbd870a6fba5b4723d16bb27614b9d7d2cbba
Opcode Fuzzy Hash: 3b7226af52ca45ea2b686b379069ab3b4b6aad7aa9bba822a6b549c9b97ce81e
Instruction Fuzzy Hash: 27A1B474E002198FDB15DFA9D994ADEBBF2FF88300F148169E819AB354DB346982CF50

Function 016B3E0C Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

Ppq, xrefs: 016B728A

Memory Dump Source

Source File: 00000000.00000002.1265900294.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: Ppq
API String ID: 0-1927884935
Opcode ID: d5d8c852741da37b99d8dfc27956d3dea8bd777eb0fac275b1c0d554c1a57c33
Instruction ID: d448b2d3ef446209acb4382a5489824bdc1a8b6432258b4feb26761f2434b2fa
Opcode Fuzzy Hash: d5d8c852741da37b99d8dfc27956d3dea8bd777eb0fac275b1c0d554c1a57c33
Instruction Fuzzy Hash: B8A1A474E002199FDB14DFA9D894ADEBBF2FF88300F148169E819AB354DB346986CF50

Function 016BBB40 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016BBDA6

Memory Dump Source

Source File: 00000000.00000002.1265900294.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 260331fd5cc19480327922508db05674800087563647caca8a09bc1d7db77671
Instruction ID: 18c1b67af3a7884efb2cbb40f1dcae2d176aedb0293dfe2bbbccfcc81b83fd18
Opcode Fuzzy Hash: 260331fd5cc19480327922508db05674800087563647caca8a09bc1d7db77671
Instruction Fuzzy Hash: F3813771A00B058FE724DF29D88179ABBF1FF88204F00892DD586D7B50DB75E98ACB95

Function 05702593 Relevance: 1.7, APIs: 1, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057027C2

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4cf373066ab0aa980499eaec2f074e4f86b2bce777c77ab0455ba3f05cff68b7
Instruction ID: fe3acc77d220c66a4c1709a8009a6b8ece5a25cdc8465aaf148b0eaf912136db
Opcode Fuzzy Hash: 4cf373066ab0aa980499eaec2f074e4f86b2bce777c77ab0455ba3f05cff68b7
Instruction Fuzzy Hash: 415144BAC00349DFDB15CFA8D844ADDBBF1BF49310F24915AE818AB2A1CB359841DF90

Function 057025B3 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057027C2

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 14faf58fc9d2214e81b3c0a814ed0aaf9e6e3c21c4d347343181aa7c6349c90c
Instruction ID: 37c0cc4e3e147383d7493de5af6bb218188430bce063162465ded3fe120b55ea
Opcode Fuzzy Hash: 14faf58fc9d2214e81b3c0a814ed0aaf9e6e3c21c4d347343181aa7c6349c90c
Instruction Fuzzy Hash: EC51EDB6C04349DFDB15CFA9D884ADDBBF1BF48300F25916AE809AB292D7749845CF90

Function 057025D3 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057027C2

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 21add6d0caf83f3d2b0a6bd304cbe766cf71ae672473f6312e609ea181e4a3c4
Instruction ID: 4afd8a524b50df110f05761a6bfdb7ca1b701da7df1ec613ca82bf4b816211fb
Opcode Fuzzy Hash: 21add6d0caf83f3d2b0a6bd304cbe766cf71ae672473f6312e609ea181e4a3c4
Instruction Fuzzy Hash: 8A51BDB6D00309DFDB14CFA9C884ADDBBF1BF48310F65912AE819AB291D7759885CF90

Function 05700A18 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057027C2

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0589aeaaf44911bb1a716cea1a29230edf0ad59a49e62fe43aba19c1b9e7e041
Instruction ID: aa2131fa7fba6a713cdf860c90b6f2e66415ee357ab794a4321bb53edea162d8
Opcode Fuzzy Hash: 0589aeaaf44911bb1a716cea1a29230edf0ad59a49e62fe43aba19c1b9e7e041
Instruction Fuzzy Hash: B351ACB5D00309DFDB14CF9AC884ADEBBF5BF48310F64912AE819AB251D775A885CF90

Function 057025D1 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057027C2

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 462005539c2a6a08c0839eb8c6c8efe8a512195fd2d937d8b9e319e3d071eaa1
Instruction ID: 48f05a82162c3dce68059f1102bcaffaec7d05a7f165e508e758bb0e8623b074
Opcode Fuzzy Hash: 462005539c2a6a08c0839eb8c6c8efe8a512195fd2d937d8b9e319e3d071eaa1
Instruction Fuzzy Hash: 3F5113BAD04349DFDB14CF99C884ADDBBF1BF48310F24912AE819AB291D7759845CF90

Function 057026A4 Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057027C2

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b94a965c55a6bfe9eb70ad82248e2db5a16e68ea33f11a2d946a161390c1082a
Instruction ID: 02e2cdac39f3999328f5c9eeae6bec29a7ec58fc5075b4791169774efc31f443
Opcode Fuzzy Hash: b94a965c55a6bfe9eb70ad82248e2db5a16e68ea33f11a2d946a161390c1082a
Instruction Fuzzy Hash: F841F1B9C00349DFDB14CF99D884ADDBBF1BF48310F24912AE819AB291DB75A845CF94

Function 05700B6C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05704D41

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9bce3237d7aef33ba56ee840a39bfd81270ac0424af6e97fc35941d006456c8a
Instruction ID: ef4cd613b6ac3fa10dca44e1412ab4ff71b15021ed350628fc42635e167e34f9
Opcode Fuzzy Hash: 9bce3237d7aef33ba56ee840a39bfd81270ac0424af6e97fc35941d006456c8a
Instruction Fuzzy Hash: 59413AB4900319DFDB14CF99C448BAABBF6FB88314F24C459D619AB361D774A841CFA0

Function 016B4514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016B59C9

Memory Dump Source

Source File: 00000000.00000002.1265900294.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dfec90e5ae4e0d8b3385a9834772ddd672d548e132d7e012619a1a4774fc2c4a
Instruction ID: 81dbdaa0b14e0fe1ac472ad95c187387c9d8cb8203a86678133e299b9e2c3b6d
Opcode Fuzzy Hash: dfec90e5ae4e0d8b3385a9834772ddd672d548e132d7e012619a1a4774fc2c4a
Instruction Fuzzy Hash: 6241F271C0071DCBDB24DFA9C8847CDBBB5BF49314F20806AD409AB251DB756986CF90

Function 016B590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016B59C9

Memory Dump Source

Source File: 00000000.00000002.1265900294.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a57a020b3a16b8f24e77bd9e6625fa715b8fd8a81e8e822b67fad49d547d9541
Instruction ID: 38216444dc3cd71ffe961061247c1ad4361ad1cb10678a955c11ab4117b6ca5a
Opcode Fuzzy Hash: a57a020b3a16b8f24e77bd9e6625fa715b8fd8a81e8e822b67fad49d547d9541
Instruction Fuzzy Hash: 3A41D0B5C00719CFEB24DFA9C8847DDBBB1BF48314F20816AD409AB251DB756986CF50

Function 016BD6E0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016BDFE6,?,?,?,?,?), ref: 016BE0A7

Memory Dump Source

Source File: 00000000.00000002.1265900294.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ccf7c8051be7f847b0a0f81b8083fb98b59ada5a85d0744ea8e07e3f27a5760d
Instruction ID: 47dd50b98145b084d84ee2a1e17f34e8d58212ccfd1032d4addeb6bcb1ad1d2f
Opcode Fuzzy Hash: ccf7c8051be7f847b0a0f81b8083fb98b59ada5a85d0744ea8e07e3f27a5760d
Instruction Fuzzy Hash: 5D21E5B5D003089FDB10CF9AD884AEEBBF5FB48310F54841AE914A3350D375A954CFA5

Function 016BE018 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016BDFE6,?,?,?,?,?), ref: 016BE0A7

Memory Dump Source

Source File: 00000000.00000002.1265900294.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1d0490e9fa775d40ff42c41a46ee2aed0b0c1fed0a1252f34a40de5331713817
Instruction ID: 3c5a9569aad865214aa162bc530c6651cd35213a402508408a557edbefd3a264
Opcode Fuzzy Hash: 1d0490e9fa775d40ff42c41a46ee2aed0b0c1fed0a1252f34a40de5331713817
Instruction Fuzzy Hash: 3A2112B58003499FDB10CFA9D984ADEFBF4FB48320F14841AE918A7390C339AA54CF65

Function 016BBDD8 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016BBDA6

Memory Dump Source

Source File: 00000000.00000002.1265900294.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ef92e7dfecccc78fd513ff5c053397fb94c4f6512713864800f26f7748163610
Instruction ID: 39769ea0d67f1ac8a1fcd4a399713e36a0856655a16137d47694204233445969
Opcode Fuzzy Hash: ef92e7dfecccc78fd513ff5c053397fb94c4f6512713864800f26f7748163610
Instruction Fuzzy Hash: 2711E9B6A002058FE711EB5ADC417EAB7F5DFC4311F14806AD604E3351D7389886CB71

Function 016BBD40 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016BBDA6

Memory Dump Source

Source File: 00000000.00000002.1265900294.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c1a86c4478b571fc4b6326cc5c7b810b29e4dc4153009c540dc12489fdc46bf5
Instruction ID: ffd04b62c18c77bc36f617ea5f19254bb9f9a6424feb71ab7b547d5f44737c6f
Opcode Fuzzy Hash: c1a86c4478b571fc4b6326cc5c7b810b29e4dc4153009c540dc12489fdc46bf5
Instruction Fuzzy Hash: 801102B6C002498FDB20DF9AC844ADEFBF4EF88320F10841AD918A7240C379A545CFA1

Function 056FBDE8 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

d8q, xrefs: 056FC1E8

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: d8q
API String ID: 0-2239850164
Opcode ID: 23bc2407f49025d12d10eb4cbac54e449c85a852d360f22a74b3d6669c81efa6
Instruction ID: 91edfa19e874e54fee15891c6bc9375936d5296767fbefab1086bf5118a43430
Opcode Fuzzy Hash: 23bc2407f49025d12d10eb4cbac54e449c85a852d360f22a74b3d6669c81efa6
Instruction Fuzzy Hash: 8B618E31F041189FEB14DF68D959AAE7BB6FF88751F144069EA02AB7A0DB30DC41CB91

Function 056FF39E Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

D, xrefs: 056FF3A3

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 28532aaac33516984c05df4ae5e721a0534f7154e08df768e7539a3eae88a191
Instruction ID: 6f93acbcb1839f6fe55c2636f840d40dc3d0a6ccf054536fd5b3264f9f7e5833
Opcode Fuzzy Hash: 28532aaac33516984c05df4ae5e721a0534f7154e08df768e7539a3eae88a191
Instruction Fuzzy Hash: DC51E475A00619DFCB69CF28C484A9DB7B1BF49310F118295EA09AB365CB30ED82CF90

Function 056FB9F1 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

Hq, xrefs: 056FBA94

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 09a96d1abf87718aa26f2048d5776dec6102133a87090118e90456bf2da422c4
Instruction ID: 341db9685b6013b95fc5938e3b18891f0b519f197c73d8c58c2e1cf06c9e9da7
Opcode Fuzzy Hash: 09a96d1abf87718aa26f2048d5776dec6102133a87090118e90456bf2da422c4
Instruction Fuzzy Hash: 5721F330A04204AFFB459B74DC56BAE7B76EB84340F14C469EA06DB290DF349E06D7A5

Function 056FBA00 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Hq, xrefs: 056FBA94

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 99214dc1655ff6c3f62301328b40dd6c1053545973590cbecbd5295d3322b070
Instruction ID: 07857107fc12e83f5fb2fb819c7783163f52a7a45641fdf2e2958410b8a4d258
Opcode Fuzzy Hash: 99214dc1655ff6c3f62301328b40dd6c1053545973590cbecbd5295d3322b070
Instruction Fuzzy Hash: 8521A130A04204AFFB449B74DC56BAE7B77EB84240F14C469E606DB290DE345E05D7A5

Function 056FC6AF Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf023e4fcfb1867eb11c9e5f7f4e409f8482ae3d9a84fa16357fe94b6cf98b58
Instruction ID: 2c4fe27548ddb9bded880e3049a947c012a89798cc6df14e75eae3b45da6bbaf
Opcode Fuzzy Hash: cf023e4fcfb1867eb11c9e5f7f4e409f8482ae3d9a84fa16357fe94b6cf98b58
Instruction Fuzzy Hash: D4413734A04219DFEB159F64E859AAEBBB7FF88341F148029F90297794DB349C52CB90

Function 0163D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265670904.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672651c8d0601cc9a92f4cdc1ccf7735126d5a5560b481f76e2579b6a422cb40
Instruction ID: 1ae1ef9898474d735b870a78792a632e16e1fed85f998c56b2b0566c80e0714d
Opcode Fuzzy Hash: 672651c8d0601cc9a92f4cdc1ccf7735126d5a5560b481f76e2579b6a422cb40
Instruction Fuzzy Hash: 2A21CFB2604240EFDB15DF54D9C0B26BF66FBC8328F64C569E9090A296C336D456CAA2

Function 0163D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265670904.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b837649014baa8886fa4110121bb7d0f2f21f14f7a0eaa0624323421216254
Instruction ID: 3f0c75c73eb6918f853b6b0b31094caaf52f5b21e3a665058777a22f98b955bd
Opcode Fuzzy Hash: 77b837649014baa8886fa4110121bb7d0f2f21f14f7a0eaa0624323421216254
Instruction Fuzzy Hash: FE21F171604204DFDB15DF54D9C0B5ABB65FBD8324F60C169E90A0B357C336E856CBA2

Function 0164D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265726072.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7af6b978a29a436e010bcf22790feb58e28e995e835b9025cd1fb21badb2ad
Instruction ID: 363932589aa7fac6891f685cf6832bfcef87411ed30cd89dc1f4a9a6c94e5206
Opcode Fuzzy Hash: ee7af6b978a29a436e010bcf22790feb58e28e995e835b9025cd1fb21badb2ad
Instruction Fuzzy Hash: D721F271A04200EFDB15DF94D9C4B26BBA5FB94324F20C6ADEA494B396C336D847CA61

Function 0164D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265726072.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270fc7c807cfcb4bcfb54a57d141a6ffef8d376b5e2e1b60bc0a3e5b6c542147
Instruction ID: 98d9830518701a9c69aa1b96e79df67415273a5b9907080dce381d684ad0107b
Opcode Fuzzy Hash: 270fc7c807cfcb4bcfb54a57d141a6ffef8d376b5e2e1b60bc0a3e5b6c542147
Instruction Fuzzy Hash: 3721F275A04300DFDB15DF94D9C4B16BB65EB94B14F20C5ADD84A4B386C33AD847CA62

Function 056FC210 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58381fe489c80487ceae0649a10a533585ae47d905264d9f2a5b6edb33890b8f
Instruction ID: 1cf0fad2cb30e9c9677f0197b14a1de3b789471c15298ee9c6d16799d2a11405
Opcode Fuzzy Hash: 58381fe489c80487ceae0649a10a533585ae47d905264d9f2a5b6edb33890b8f
Instruction Fuzzy Hash: 18215E35A082098FEB24DFA8C488A6E7BF1FF49210F0540A6E945DB361D730DC41CB61

Function 056FBDDA Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d220014eb08d694c22e59ebef2c4c7cda2ef6abc50c03aecb500cd8ad190aab
Instruction ID: d153a876da9c6988ece9905276ad1bc5bf7475cced18b01ddb574fb49f6d8640
Opcode Fuzzy Hash: 9d220014eb08d694c22e59ebef2c4c7cda2ef6abc50c03aecb500cd8ad190aab
Instruction Fuzzy Hash: FC210331E041089FDB04DFA4D988AEEBBB2EB88311F144069EA05AB3A0CB319D55CB65

Function 0163D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265670904.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 7f288e6d8e9a9af046c0aa29870d05936ec1d67b23db34e739b56fc914ea8ee3
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: AB11B176504280DFCB16CF54D9C4B16BF72FB84324F24C6A9D8490B697C336D456CBA1

Function 0163D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265670904.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 51ae4b0cd909fe24c7b5fdfd27f5a4a7fabe4be39deaf8b5fd9be9d9e5e29895
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: D611DCB6504280DFCB06CF54D9C0B56BF72FB84324F24C2A9D8490B257C33AE45ACBA2

Function 0164D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265726072.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 7f684a1958e63487303f224c4642d12b49b6f3dbba5afc02f81cc982fbe9d429
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: DF11BE75904280CFCB16CF54D9C4B15BB62FB44714F24C6ADD8494B796C33AD40ACB61

Function 0164D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265726072.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 9598c7b8b52cf0bfd92c681aeff0a8343b1656b251fce5f40f707d7410a27752
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: C011BB75904280DFCB06DF54C9C4B16BBA2FB84324F24C6ADD9494B396C33AD40ACB61

Function 0163D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265670904.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ebf5abc3d944eb63e50adab62d0f2874c988426d584c9f4fcc7615923a2b2b
Instruction ID: d070ecfa57f30f992baea14381ecf0842d90c1a3e927799184d03c6e4892d831
Opcode Fuzzy Hash: 66ebf5abc3d944eb63e50adab62d0f2874c988426d584c9f4fcc7615923a2b2b
Instruction Fuzzy Hash: 56012B314043809AF7225E65CCC4B76BFA8DF81275F44C51AED180F3C2C3799841CAB1

Function 0163D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265670904.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5f9c9b565bfa991ea94b140c0929449b61594a3ba4ea799d50755441f578f9
Instruction ID: 908ef6e075a67b5389833e6d668e5f67b0377bc2995a7aecaf793dfb5aead6a1
Opcode Fuzzy Hash: df5f9c9b565bfa991ea94b140c0929449b61594a3ba4ea799d50755441f578f9
Instruction Fuzzy Hash: 63F062714043849EE7119E1ADC88B66FFA8EB81634F18C55AED084A3C6C3799844CBB1

Function 056FC1FF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d116de0cde10dcf7e317c35f0a00659cffe11c706291086ef0e8276b155652
Instruction ID: 0052500b1ebd761f33109bce10f019caccf1f225a3780e4d4424c6fb03d49e21
Opcode Fuzzy Hash: 01d116de0cde10dcf7e317c35f0a00659cffe11c706291086ef0e8276b155652
Instruction Fuzzy Hash: EEE09232A49209ABFF3159E5DD8A7DBBBA8E755261F004035EE0187241D734D41FC2A0

Non-executed Functions

Function 05700E08 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51b3d9b021ff07ef176c9fb6b1eeda5b1f194dfc10951763b559d2185a7f01f
Instruction ID: ef4cc642b1d0ea61206cc45942c70f6d0a717d8f7f2ead37a9187ce8e14b9f69
Opcode Fuzzy Hash: e51b3d9b021ff07ef176c9fb6b1eeda5b1f194dfc10951763b559d2185a7f01f
Instruction Fuzzy Hash: F312A6B04197458BE718EF25E94C1893BB6BB4A32CF90420AD2711F2E9DBF415CADF64

Function 056FA819 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a9130f04eab7ac5cae9420100add952c660d92b8587bc55d5e0d4e4cfcfa44
Instruction ID: 2a13de832ac3ee8a76bc207f4b48e6b5b7beaa78a136099a2a79d811d019a178
Opcode Fuzzy Hash: f9a9130f04eab7ac5cae9420100add952c660d92b8587bc55d5e0d4e4cfcfa44
Instruction Fuzzy Hash: 12D1E735C2075ACACB10EF65D990A99F7B1FF95300F60C79AE0497B214EB706AC9CB91

Function 056FA820 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144e760831453e0084d1e695d9b03859396aa4a22b58b7541ae5357d928cd7ea
Instruction ID: 76dc3926350ae17a51dc4ca12642803140b0ec9de8833ddeaf9993f15cdcec16
Opcode Fuzzy Hash: 144e760831453e0084d1e695d9b03859396aa4a22b58b7541ae5357d928cd7ea
Instruction Fuzzy Hash: 4ED1E735C2075ACACB10EF65D990A99F7B1FF95300F60C79AE0497B214EB706AC9CB91

Function 05700040 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f288bdf7dca2868e438de894ab744bd43b86e3de8471a88bc41a2bf430781606
Instruction ID: 8a09c108961d6ed81e44be07f706ad8269612e549e52923344b0fe7c6423b6a0
Opcode Fuzzy Hash: f288bdf7dca2868e438de894ab744bd43b86e3de8471a88bc41a2bf430781606
Instruction Fuzzy Hash: 21A15032E10209CFCF15DFA4C8849EEB7F2FF85310B154569E806AB265DB75D956CB40

Function 05700E02 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1272251899.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd0b703fb46aace8d087568b2c77891b401fec00666396887f84d0ac48b40a1
Instruction ID: 371ce81ce95c13f12fde17cf522147f3e98458f1ef7afee151f4c887a96b6cbe
Opcode Fuzzy Hash: 3cd0b703fb46aace8d087568b2c77891b401fec00666396887f84d0ac48b40a1
Instruction Fuzzy Hash: 9EC10AB18197468BD718EF25ED4C1897BB6BB8A32CF50430AD1612B2D9DBF414CACF64

Function 056F22A0 Relevance: 7.6, Strings: 6, Instructions: 102COMMON

Download Yara Rule

Strings

4'q, xrefs: 056F2409
4'q, xrefs: 056F242C
4'q, xrefs: 056F237D
4'q, xrefs: 056F23A0
4'q, xrefs: 056F23C3
4'q, xrefs: 056F23E6

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-1794337482
Opcode ID: ea03d5c1f38706cd931f7ed5ae1f85c857be13f587a39a15f4afba0a27982d49
Instruction ID: ee1ff5310062499b8156d872d142ff2d9daf4665509b005375ae93da58d8b828
Opcode Fuzzy Hash: ea03d5c1f38706cd931f7ed5ae1f85c857be13f587a39a15f4afba0a27982d49
Instruction Fuzzy Hash: 2241DB70A0520A8FCB0CEF65F8956AE77B3BB89304B50456AC0059F268EF746D85CFA1

Function 056F22B0 Relevance: 7.6, Strings: 6, Instructions: 95COMMON

Download Yara Rule

Strings

4'q, xrefs: 056F2409
4'q, xrefs: 056F242C
4'q, xrefs: 056F237D
4'q, xrefs: 056F23A0
4'q, xrefs: 056F23C3
4'q, xrefs: 056F23E6

Memory Dump Source

Source File: 00000000.00000002.1272214309.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56f0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-1794337482
Opcode ID: e82b8c9115dc05c8d432742d31c9f91195fbd3e75bbe0507f4322c4b93a59902
Instruction ID: 736fb9808acaa6e798743773446e5858f3e60ac38bc122b93848c94f23e142b5
Opcode Fuzzy Hash: e82b8c9115dc05c8d432742d31c9f91195fbd3e75bbe0507f4322c4b93a59902
Instruction Fuzzy Hash: 8741D870E0520A8FCB0CEF65F8945AE77B3BB89304B90456AC0059F268EF746D85CFA1

Analysis Process: Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exePID: 7464, Parent PID: 7280COMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	260
Total number of Limit Nodes:	23

Executed Functions

Function 0657E278 Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3734412871.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6570000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda2b67beb0c91cf72eec591ec124c131d309c05f5547370088d19b5dd7cb29e
Instruction ID: 5856a677b8f75bfbfcb7f0299cf6bbdefec1545789c629edc623c0ce96e74104
Opcode Fuzzy Hash: cda2b67beb0c91cf72eec591ec124c131d309c05f5547370088d19b5dd7cb29e
Instruction Fuzzy Hash: C6F13B30E003098FEB54DFA9D849B9DBBF1FF88304F158598E815AB2A5DB74A945CF81

Function 018EE4AA Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018EE52E
GetCurrentThread.KERNEL32 ref: 018EE56B
GetCurrentProcess.KERNEL32 ref: 018EE5A8
GetCurrentThreadId.KERNEL32 ref: 018EE601

Memory Dump Source

Source File: 00000005.00000002.3718022366.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18e0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 932b6f62e00374bbe07eb4e7a4e953bb21008faf109755cec46f433628ae3544
Instruction ID: f78aa218d775af0b5933f4f5b21aa62873c50f0cd6cb41ea954200e054af8f67
Opcode Fuzzy Hash: 932b6f62e00374bbe07eb4e7a4e953bb21008faf109755cec46f433628ae3544
Instruction Fuzzy Hash: 405157B09003498FDB14DFA9D548BAEBFF1EF88314F248119E519A73A0D7349945CF66

Function 018EE4B0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018EE52E
GetCurrentThread.KERNEL32 ref: 018EE56B
GetCurrentProcess.KERNEL32 ref: 018EE5A8
GetCurrentThreadId.KERNEL32 ref: 018EE601

Memory Dump Source

Source File: 00000005.00000002.3718022366.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18e0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 62c9690c08dee6a073cbcf3d18a40d961d420aa62873c7cc4012f370ef5bc2bd
Instruction ID: 0f7bbbf7caacb2caa41d1d4394ad6e49e8eb6288b2c4bf24857a0e3007c71fdd
Opcode Fuzzy Hash: 62c9690c08dee6a073cbcf3d18a40d961d420aa62873c7cc4012f370ef5bc2bd
Instruction Fuzzy Hash: A65168B09003098FDB14DFAAD548BAEBBF1EF88314F248019E519A7360E734A945CF66

Function 06576B38 Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06576D9E

Memory Dump Source

Source File: 00000005.00000002.3734412871.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6570000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f54ba2f26ab7deebfd4c005cff70547e72348e1c590ca04f827387262cced036
Instruction ID: 5020e82ed5b19a9c1b3b4d9e8c149eef2d132a123a718908b09c96c523fb659b
Opcode Fuzzy Hash: f54ba2f26ab7deebfd4c005cff70547e72348e1c590ca04f827387262cced036
Instruction Fuzzy Hash: 34813570A00B059FDBA4DF2AE45475ABBF5FF88204F00892DD48AD7A50DB75E84ACF91

Function 063543B8 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3733593948.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6350000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1307c6ffee295f9652a3e5eccdf37be95892db477a81424957fafeacd288a5da
Instruction ID: 52d8a614b86e64a1b3ce8082dd28b1d23c0bda1fb648922d5b70bb54d105ff17
Opcode Fuzzy Hash: 1307c6ffee295f9652a3e5eccdf37be95892db477a81424957fafeacd288a5da
Instruction Fuzzy Hash: 9E414672D043959FCB14DFA9D800AAEBBF5EF89320F15856AD804E7241DB349885CBE1

Function 06579145 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06579262

Memory Dump Source

Source File: 00000005.00000002.3734412871.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6570000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0ed4d219121035b7e91c8429a678721af2b956b989ef9db3c58864138560caff
Instruction ID: 02fa40450f611316a88168cf146e9268bf809e336beee99845c0e9d3f360c48e
Opcode Fuzzy Hash: 0ed4d219121035b7e91c8429a678721af2b956b989ef9db3c58864138560caff
Instruction Fuzzy Hash: B851BEB1D00309EFDB14DF9AD884ADEBBB5FF48310F24812AE819AB210D7759845CF90

Function 06579150 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06579262

Memory Dump Source

Source File: 00000005.00000002.3734412871.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6570000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c9a944544946c06d3a38f9e06ea93ecda8b5f9cbea4307b10d711c8d295d98f7
Instruction ID: aad048042fd96bb585147eadce3e74326143cb4a4e1cf94ddacbe06542f80e31
Opcode Fuzzy Hash: c9a944544946c06d3a38f9e06ea93ecda8b5f9cbea4307b10d711c8d295d98f7
Instruction Fuzzy Hash: E741AEB1D00349DFDB14DF9AD884ADEBBB5FF48310F24822AE819AB210D7759945CF90

Function 0657739C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0657B7D1

Memory Dump Source

Source File: 00000005.00000002.3734412871.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6570000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f6cbcfdfd837c6e8f99103738c0808a6babacc36dcabc2f3b531a6bac8234721
Instruction ID: bc42a03a768083e767ea4225077584c32a223742359526bd804ddf0c121673a8
Opcode Fuzzy Hash: f6cbcfdfd837c6e8f99103738c0808a6babacc36dcabc2f3b531a6bac8234721
Instruction Fuzzy Hash: AD4129B4D00309CFDB54CF99D888AAABBF5FB88314F24C459D519AB321D775A841CFA0

Function 018EE084 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018EE6BE,?,?,?,?,?), ref: 018EE77F

Memory Dump Source

Source File: 00000005.00000002.3718022366.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18e0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b4ea9eb4e48d542cbd379c621680d4b01170088b94c2ada9f9381cd3e2ec27de
Instruction ID: 0e3da157784bae53182d052b5dfd4fd67a0eb1f010a85102095c5544d0245ece
Opcode Fuzzy Hash: b4ea9eb4e48d542cbd379c621680d4b01170088b94c2ada9f9381cd3e2ec27de
Instruction Fuzzy Hash: D221E3B5D003599FDB10CF9AD884AEEBBF8EB48310F14801AE918A7350D375AA45CFA4

Function 018EE6F0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018EE6BE,?,?,?,?,?), ref: 018EE77F

Memory Dump Source

Source File: 00000005.00000002.3718022366.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18e0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc96c6e71fd758577d1d9d75bc1c51da5a9ffa646b0559de216dd56719416452
Instruction ID: 517de9671286dda4bef837de742f659e1aa9c08e2a44970f051d96e74fb322c3
Opcode Fuzzy Hash: fc96c6e71fd758577d1d9d75bc1c51da5a9ffa646b0559de216dd56719416452
Instruction Fuzzy Hash: 102107B5D003489FDB10CF99D884ADEBFF4EB48310F14801AE918A3210D374A944CFA1

Function 018E9391 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 018E9413

Memory Dump Source

Source File: 00000005.00000002.3718022366.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18e0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 70c1294221d49164ca301423070b6e6ee6a358a1b13247f3351db6dcf7f6d310
Instruction ID: ccbfebc9a42ddfda97905a8fca7f644c4ca788219d73b54d8186838ca13879ae
Opcode Fuzzy Hash: 70c1294221d49164ca301423070b6e6ee6a358a1b13247f3351db6dcf7f6d310
Instruction Fuzzy Hash: A9213475D002099FDB24DFAAD848BDEBBF5FB88314F10842AE418A7250CB74A945CFA1

Function 018E9398 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 018E9413

Memory Dump Source

Source File: 00000005.00000002.3718022366.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_18e0000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: bf26b350e7a39fc2f88a0ba741b63530e1ef92dbe79b3f3411b2cc9266aac356
Instruction ID: 2557568c9c0db61de8bce690c7d77f5e075aaf32c783e05bddaf3e05f6b51ed9
Opcode Fuzzy Hash: bf26b350e7a39fc2f88a0ba741b63530e1ef92dbe79b3f3411b2cc9266aac356
Instruction Fuzzy Hash: 30212775D002098FDB24DF9AC844BDEFBF5FB88314F10842AD419A7250CB74A945CFA0

Function 0657E838 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0657E45A,00000000,00000000,0434BAF8,032D8304), ref: 0657E8A8

Memory Dump Source

Source File: 00000005.00000002.3734412871.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6570000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 3023003243bf1587115a28f551aad9dcf9d2d495b6e3eb051e93b2d1449ae56e
Instruction ID: b03c9e18c3b7ecc29eb485611935ddea848a9eb9614b3a1743d75e3aa41edc04
Opcode Fuzzy Hash: 3023003243bf1587115a28f551aad9dcf9d2d495b6e3eb051e93b2d1449ae56e
Instruction Fuzzy Hash: 9D1117B5C002499FDB10DF9AD845BDEBBF8EB48320F10846AE958A3250C378A545CFA5

Function 0635448B Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0635440A), ref: 063544F7

Memory Dump Source

Source File: 00000005.00000002.3733593948.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6350000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 08c0643c9bf0aee7671a0f198517cdfa4d11641937d9e20f8e19903fadb4f6da
Instruction ID: 7f0816c86a4effdb9011335ebd07a564b11fe4fe21d37a4fd63a95746cd107d8
Opcode Fuzzy Hash: 08c0643c9bf0aee7671a0f198517cdfa4d11641937d9e20f8e19903fadb4f6da
Instruction Fuzzy Hash: 841103B6C0025A9BDB14DF9AD845BDEFBF4EB48320F11852AD818A7240D778A945CFE1

Function 0657CE98 Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0657E45A,00000000,00000000,0434BAF8,032D8304), ref: 0657E8A8

Memory Dump Source

Source File: 00000005.00000002.3734412871.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6570000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 2a88112716f0e64958cf0171568e287cff44ff8544c8d1463428b2d3782e7cd0
Instruction ID: d7becaba9a6ae61823158ee53f5a0bcca96536d2b810c3733c5e2d2fa3144e2c
Opcode Fuzzy Hash: 2a88112716f0e64958cf0171568e287cff44ff8544c8d1463428b2d3782e7cd0
Instruction Fuzzy Hash: 611117B5C003499FDB10CF9AD845BDEBBF4FB48310F10846AE918A3251C378A945CFA5

Function 06353CFC Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0635440A), ref: 063544F7

Memory Dump Source

Source File: 00000005.00000002.3733593948.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6350000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 34a7e0b285644a7db8fc32d8f85fa9e976f97347f5ff0591bb596113c0fe1dc5
Instruction ID: b641c213aa536e18b1dd1c2eb1d7b8d3f4070601a6b994fd32b264355d3944db
Opcode Fuzzy Hash: 34a7e0b285644a7db8fc32d8f85fa9e976f97347f5ff0591bb596113c0fe1dc5
Instruction Fuzzy Hash: 861133B1C002599FCB10DF9AD444BAEFBF4EF08320F11812AE818A7241D378A945CFE5

Function 06576D38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06576D9E

Memory Dump Source

Source File: 00000005.00000002.3734412871.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6570000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 90d7aa1d92685b077be3fddefaad2422574a1205853fabfccaa8a7908801d411
Instruction ID: 89a4436632b37a37f15dac755703c6342d27b9cbb404bcc4ccef117d97be1274
Opcode Fuzzy Hash: 90d7aa1d92685b077be3fddefaad2422574a1205853fabfccaa8a7908801d411
Instruction Fuzzy Hash: 6311E3B5C007498FDB10DF9AD444BDEFBF4EB88314F14841AD419A7210C375A545CFA5

Function 0183D53C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3717511640.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_183d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d46db1b1f820dc803207758c35d8962d7b630e4cf3e6d0013a41259d2ddd35d
Instruction ID: 293d1ca5c926b9a115d2104267436f343a639dede4e7c52cfdbde42b0c7e099e
Opcode Fuzzy Hash: 5d46db1b1f820dc803207758c35d8962d7b630e4cf3e6d0013a41259d2ddd35d
Instruction Fuzzy Hash: 6D212571604204DFDB05DF54D9C0B26BF66FBC4328F68C669E8098B286C336D656CBE2

Function 0184D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3717664648.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_184d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e6ccc6717c6f84c428411e1a3b459571efbb5446085bb97320a848f9d151a0
Instruction ID: 82f41ed14380b379767295e0878da39f6d8d7493ae3623c7cf8cee7c3808d1d2
Opcode Fuzzy Hash: 37e6ccc6717c6f84c428411e1a3b459571efbb5446085bb97320a848f9d151a0
Instruction Fuzzy Hash: 67212571604608DFDB05DF54D9C4B26FB65EB98314F20C66DDC098B342CB36D946CA61

Function 0184D01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3717664648.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_184d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635051e1fb5338bac3ebb9e6e40164ce77120f6b89e3d563092028a9267b543f
Instruction ID: 071b5447c92812bb77dcb7648c4cf36fc098e8f0561ce601df3bcf9a6b751b61
Opcode Fuzzy Hash: 635051e1fb5338bac3ebb9e6e40164ce77120f6b89e3d563092028a9267b543f
Instruction Fuzzy Hash: D4214671604308DFDB24DF64D9C0B16BF61EBA4358F20C66DD9098B342CB3AC947CA62

Function 0183D537 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3717511640.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_183d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 17973b5ffe92de102adff41f2ac6cb27168637026002df1c643b2e4e9ca8dd4a
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 8511B176504240CFCB06DF54D9C4B56BF72FB84324F28C6A9E8498B257C336D556CBA1

Function 0184D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3717664648.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_184d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 48ab85a0d4547a1c57dc5730842f4d73315b4fccb07b4ee66e39c6e6d2d6f506
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 8611BB75504684CFDB06CF54D9C4B15FBA2FB84324F24C6AADC498B296C33AD54ACB61

Function 0184D017 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3717664648.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_184d000_Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9cca0ddad5a86085491794687953ae07ced3ba403328ac5bf8e948dc3c1e61
Instruction ID: e4bd20453414e6423cb4ebd4f4c2c3cd60060645586a00d7e58e5bf746f27a6c
Opcode Fuzzy Hash: 2e9cca0ddad5a86085491794687953ae07ced3ba403328ac5bf8e948dc3c1e61
Instruction Fuzzy Hash: 7A11EF75504284CFCB16CF54C5C0B15BFA1FB84318F24C6ADD8498B652C33AD84BCB92

Analysis Process: powershell.exePID: 7900, Parent PID: 7464COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0420B470 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960b3325eee7a8cc59f9b8face377a331e1474ac1a25e64bd710c326a8ca43ed
Instruction ID: b2ce1cc4946f704eb04137d3f9483ad418d45d5545fe61a28d283e39f98c7102
Opcode Fuzzy Hash: 960b3325eee7a8cc59f9b8face377a331e1474ac1a25e64bd710c326a8ca43ed
Instruction Fuzzy Hash: BC914371F007149BDB19EFB988116AE7BE3EF84700B448A1DE506AB385DF74AE058BC5

Function 0420B490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525f6a224a2db42407179736828903d5cf20c8d98c7d5c7492e614611e095b45
Instruction ID: 52732f3fc22c56b9dbe1205947d298e6c419177850698663ea083505d5b3078d
Opcode Fuzzy Hash: 525f6a224a2db42407179736828903d5cf20c8d98c7d5c7492e614611e095b45
Instruction Fuzzy Hash: 14913171F007149BDB19EFB984117AE7AE3EF84700B448A1DE506AB385DF74AE058BC5

Function 07172308 Relevance: 3.2, Strings: 2, Instructions: 652COMMON

Download Yara Rule

Strings

4'q, xrefs: 0717260D
4'q, xrefs: 07172619

Memory Dump Source

Source File: 00000009.00000002.1334362167.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 649aee9115dd2e1312c0465bae581180f37ff85a1f4857f73e32d6dbe7e0269e
Instruction ID: f12c28298c3f18e628003a5953f7c19d233737179703537615b293c94daeb0b0
Opcode Fuzzy Hash: 649aee9115dd2e1312c0465bae581180f37ff85a1f4857f73e32d6dbe7e0269e
Instruction Fuzzy Hash: 4A2229B1B00206DFDB259B69C8417AA7BF2BF89211F14806AE905DB3D1DB31DD46CBA1

Function 082E6821 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFCC06FE), ref: 082E688A

Memory Dump Source

Source File: 00000009.00000002.1337014271.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_82e0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: da834487c4383817e49eff249b10248d5af284d680a9a6c5038f1dc6b39b5626
Instruction ID: 9ddf8bc70708d2278c70e96614dfb872db9a2b4007e4395e04bb534b0e52d8f7
Opcode Fuzzy Hash: da834487c4383817e49eff249b10248d5af284d680a9a6c5038f1dc6b39b5626
Instruction Fuzzy Hash: 431128B5D103098FDB20DF9AC945BDEFBF8EB88324F548419E418A3250DB75A944CFA5

Function 082E6828 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFCC06FE), ref: 082E688A

Memory Dump Source

Source File: 00000009.00000002.1337014271.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_82e0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: bf48791dfc0cfc3067c61b5f4e72cec1b4435ecac59a483a2aa6394cbc7ad9dc
Instruction ID: 39a2b254442c9b5f210ffdc05f451641a596baeb52797955e7f53fac5230b6cd
Opcode Fuzzy Hash: bf48791dfc0cfc3067c61b5f4e72cec1b4435ecac59a483a2aa6394cbc7ad9dc
Instruction Fuzzy Hash: A91136B5D103098FDB20DF9AC984B9EFBF8EB48324F548429D418A3310D775A944CFA4

Function 04206FE0 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 04207105

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: ce94ea021c55d177fb2057bc6b18ac1243c15144468d56fd0696fd0d3ca8d3c4
Instruction ID: d32a5eff9a3aa80d7963ed15df46b7c80379012908c56a0ad780c4b5ffe6e0b4
Opcode Fuzzy Hash: ce94ea021c55d177fb2057bc6b18ac1243c15144468d56fd0696fd0d3ca8d3c4
Instruction Fuzzy Hash: 38414C34B142058FDB15DFA4C468AAEBBF2AF8D311F148059E406EB392DB75ED01CB61

Function 0420AF98 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&q, xrefs: 0420AFBA

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID: (&q
API String ID: 0-583763264
Opcode ID: e3add755e4bbe53e27097f003fafd91831371fbde43e4e572a3f9d9ae30d8538
Instruction ID: eb885f7a9b8db0f2b584cd2c7f272b04546ac2e0baeccde2b17f6d544f2f2cb1
Opcode Fuzzy Hash: e3add755e4bbe53e27097f003fafd91831371fbde43e4e572a3f9d9ae30d8538
Instruction Fuzzy Hash: F921A171E043498FDB24DBAAD40479EBBF6EF89320F14846AD419E7340CA79A9058BA5

Function 0420E7B8 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa98fb0f922f9842ffa0273b3b915b545cb09fad96224d29709b5b150dff19b
Instruction ID: bfbb181ffa1e8bb664e5566fe7a22af8b748f9909396b4efc1bcfc4ed683c8cb
Opcode Fuzzy Hash: 2aa98fb0f922f9842ffa0273b3b915b545cb09fad96224d29709b5b150dff19b
Instruction Fuzzy Hash: 73914E34B102198FDB24DF79D45066DBBE6AF88710F198469E806EB3A5DF70EC42CB91

Function 042029F0 Relevance: .2, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0288274eb7f42e4cf28e7f8f10ad0f298afce9209076adc1d9126ed3a294e05e
Instruction ID: 37ceaeb3677643b8aa5bfd560c8b851dd463fb92d6c90fba1547dce65b6d74f5
Opcode Fuzzy Hash: 0288274eb7f42e4cf28e7f8f10ad0f298afce9209076adc1d9126ed3a294e05e
Instruction Fuzzy Hash: 96915D74A00605CFCB15CF58C498AAAFBF5FF49310B25859AE815AB3A5C735FC91CBA0

Function 07173CE8 Relevance: .2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1334362167.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48fcdc4c8a02aab0c02e10ea9104f367f975cd2a073c979b40aeff3ff3c37d4
Instruction ID: 3484afdbf0b39c98ae11c907b6e79066dcd933667a74a96dac0778e61c0568f5
Opcode Fuzzy Hash: f48fcdc4c8a02aab0c02e10ea9104f367f975cd2a073c979b40aeff3ff3c37d4
Instruction Fuzzy Hash: 655167B1B10251CFD72A9B68C810AAABBB29FC5210F1480AAD911EF7D1DF31DD05D7A2

Function 04207740 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5274e32157eac8acae88e94fafa6933b5558f584cece9aa19ce9f32aaf295249
Instruction ID: 754366837722ef24305dd1a91c102668cfb8f8b872e9f01461b2cffc1c313551
Opcode Fuzzy Hash: 5274e32157eac8acae88e94fafa6933b5558f584cece9aa19ce9f32aaf295249
Instruction Fuzzy Hash: AB51D0303142068FD714DB69D844A6A7BEAFFC9250F1585A9E409CB392EB35FC02DBA0

Function 0420BAC0 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c940b65d2206ae8a6b93581c4f9182888e6d1bda634357cf60978cb13a72ca46
Instruction ID: b4f1b03e377f8afd9cece307d04f74bcc3bbce0a22f09e55a0dee2e343b1de87
Opcode Fuzzy Hash: c940b65d2206ae8a6b93581c4f9182888e6d1bda634357cf60978cb13a72ca46
Instruction Fuzzy Hash: AC613771E10249DFDB24DFA9C584B9DBBF2EF88310F148129E819AB355EB34AD41CB50

Function 0420BAB0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89175f6d90ab847f22176ca50fbc2b26967d982fea06ea3f6d05e76b7c053f4
Instruction ID: 263650f9f6a8d337607ebcaba63ef62517e29cb924ca73229606ac1bf9492b32
Opcode Fuzzy Hash: d89175f6d90ab847f22176ca50fbc2b26967d982fea06ea3f6d05e76b7c053f4
Instruction Fuzzy Hash: 5D513571E112489FDB24DFA9C584B9DBFF2EF88310F188129E819AB355EB34A845CB51

Function 0420E419 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87128f2cdb63b1adfeac52260f0107e21bf9d9c0a13ec67a6760a085a0cb3296
Instruction ID: 3e3513e5a8279ed674af0617dbe7cc68bbe4fd99120c8b2d0a7b2eb7307269f9
Opcode Fuzzy Hash: 87128f2cdb63b1adfeac52260f0107e21bf9d9c0a13ec67a6760a085a0cb3296
Instruction Fuzzy Hash: 9D516374B103058FDB20DF78D594E6ABBE6EF88204756C858E549CF392EB34EC028B51

Function 0420E428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d196968c5f5628e3d8aed60308796c1c9269362e96d0226fbd0305c1a02d3371
Instruction ID: dc2b11b8302062d12d1172c70b7c433e3695cbe79584bbdfafbd72942d36e76a
Opcode Fuzzy Hash: d196968c5f5628e3d8aed60308796c1c9269362e96d0226fbd0305c1a02d3371
Instruction Fuzzy Hash: 6A412174B103058FDB20DF78D594E6ABBE6EF88204756C868E509DF356EB34EC028B51

Function 0420E5B9 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0d5d78d3805553b13e9806006ff090f1718dc679f548e121e09bf13f43363b
Instruction ID: 2eec9fe246268f829042dd626b972d76762812d829628277c2a2b267e7898fcb
Opcode Fuzzy Hash: fd0d5d78d3805553b13e9806006ff090f1718dc679f548e121e09bf13f43363b
Instruction Fuzzy Hash: B0418D30E042099FCB25DF78D594A9EBBF2EF49304F1485A8D446AB391DB30BD46CB91

Function 04202B00 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2437991cbdc1530d60168323c1de188d600fdb5ec28bcf0dd02988b223d99b15
Instruction ID: 624b9c9cb9203d53d09994518086a3677fb1cb5676246f1b193273c7bfc80686
Opcode Fuzzy Hash: 2437991cbdc1530d60168323c1de188d600fdb5ec28bcf0dd02988b223d99b15
Instruction Fuzzy Hash: 36414874A10205CFCB15CF58C498AAAFBB5FF48310B15859AD815AB3A5C736FC91CBA0

Function 0420C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6296690f19d4f4423236d33371f6aedda7d838f67ace838d66d8e6cd46f1c70
Instruction ID: 83e02224dcdec0432b33ddb83963025e2ab0eae9071869034f615a93f9642607
Opcode Fuzzy Hash: c6296690f19d4f4423236d33371f6aedda7d838f67ace838d66d8e6cd46f1c70
Instruction Fuzzy Hash: D5319C353002059FD715EB79E844B9ABBA3EFC4211F048229E60ACF395DF70B846CB92

Function 04206FD1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4f884905d9e187fca3207c7b17d4a6c50f35ed89ac0fc71955c27d0fe25b9d
Instruction ID: 10b42b9d148f20f6b2b2735940ecb1ba21d72c5cb357031297ad7671edfd3d00
Opcode Fuzzy Hash: 0a4f884905d9e187fca3207c7b17d4a6c50f35ed89ac0fc71955c27d0fe25b9d
Instruction Fuzzy Hash: D4313034B141158FDB15CFA4C564AAABBF2EF8D310F1481A8E841EB392DB75EC01CB60

Function 0420AE60 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f180072daa1753d852a679026e1de14c0916395deb47ddfc286a49f5768b5e4
Instruction ID: 33824cdbe9b5b4992c2c058147f2b8955c1b4739e3516aa6d56dbbe0ff7d92d7
Opcode Fuzzy Hash: 3f180072daa1753d852a679026e1de14c0916395deb47ddfc286a49f5768b5e4
Instruction Fuzzy Hash: E1316D70F112099BDB15DFB9D494BAE7BF7AF88300F148029E505E7391EB74AC418B91

Function 0420AD28 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabb612e940da74574481e844be32d5ddd22decc124f27e083db1bf8d0bd8781
Instruction ID: e8b8f43b5c4c2ab246467ec5443cc15be43411a5cc322a2753ba3f8887c1fa65
Opcode Fuzzy Hash: cabb612e940da74574481e844be32d5ddd22decc124f27e083db1bf8d0bd8781
Instruction Fuzzy Hash: FE3192B4F002489FDB01DBA4D855BFE7BB7EF85300F118469E510AB396CA38ED418B61

Function 0420E049 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09c113243a643707d8a36d4d06a478869cc4c4da7362f8e06acd0ceb09a3b16
Instruction ID: 19b26a0d601cf9f7dde38ca244c7c066cfc178f34d0872d3b3e858e87f6aeb06
Opcode Fuzzy Hash: b09c113243a643707d8a36d4d06a478869cc4c4da7362f8e06acd0ceb09a3b16
Instruction Fuzzy Hash: 08315670A002148FCB14DF68D458AAEBBF2FF89314F148869E406AB391DF30AC81CB91

Function 0420AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6564616115d8beb2a67ee2d38c629f26548988fc379471673624acdd7ffac9a
Instruction ID: d91740935fb28357a9a40bda3a520a546fb75a43aaafb315fe7ae802a9c62c4f
Opcode Fuzzy Hash: e6564616115d8beb2a67ee2d38c629f26548988fc379471673624acdd7ffac9a
Instruction Fuzzy Hash: 53314B70F112099FDB15DFB9C4947AEBAF7AF88340F548029E505EB391EB74AC418B51

Function 0420E640 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360639ba2725b43c430f84c640fa538200996cc504079e81588e9077d9854d79
Instruction ID: 71cfe97b9fbb2955299c30564ae05ee8366f6c58c0b42f6635ec2b8add25ae3d
Opcode Fuzzy Hash: 360639ba2725b43c430f84c640fa538200996cc504079e81588e9077d9854d79
Instruction Fuzzy Hash: F9318934E002159FCB25DF78D594AAEBBF2FF48200F148A28E406AB391DB30BD45CB91

Function 042093F0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4127b893bc5af082297986d50d991fe4689415bb1450ede2725a0d720d14481f
Instruction ID: 04da19d62831a3cc61bfb8851d124c5d7d18b7c2ffca3664c00f32434d2d36d0
Opcode Fuzzy Hash: 4127b893bc5af082297986d50d991fe4689415bb1450ede2725a0d720d14481f
Instruction Fuzzy Hash: 5B31ABB4A117489EDB60DF6AC4887CAFFF6EF88320F28C41AD40E97246D7746481CB61

Function 0420E058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc20f13e9e7a9360b29aea6a6803aefeb51b54d877763f0a0114836e3857acd
Instruction ID: fc8bae7b913555a71f742f47c702703ed37c5e04e650615dffa8fe11eed89305
Opcode Fuzzy Hash: adc20f13e9e7a9360b29aea6a6803aefeb51b54d877763f0a0114836e3857acd
Instruction Fuzzy Hash: 7A310770B002159FCB14DF69D558AAEBBF2BF88310F158569E406EB391DF74AC81CB91

Function 0420AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8ba7784a056fa96d011bc8dfab774fa1217186d601920b02c9c639d58df33c
Instruction ID: 4b35ecf967b3fd85cbf2d2e839d72442e8c084a12a0392a4c3207e0c3b4557bb
Opcode Fuzzy Hash: ca8ba7784a056fa96d011bc8dfab774fa1217186d601920b02c9c639d58df33c
Instruction Fuzzy Hash: 40314FB4F002099FEB04EBA4D855BFE7BB6EF85300F508468A511AB396DA39ED418B50

Function 007BF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1321514282.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688912a2a2c3f1285120e05dec39b9210dcc1999c6ec0a002414e7c5630ceef7
Instruction ID: 642582e8c084ed23c0eba4c951cf9c7f80fd45908e88eb1fa0523b80f1cdd494
Opcode Fuzzy Hash: 688912a2a2c3f1285120e05dec39b9210dcc1999c6ec0a002414e7c5630ceef7
Instruction Fuzzy Hash: 47210072604340EFDB05DF50DDC0B26BBA1FB88714F20C5A9E9090A256C33AC856CBA2

Function 007BF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1321514282.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7083442335f0878f24af7951cb9c6f6427ef084e06055e6196c548802078a7c4
Instruction ID: e8ab8e074914525facc01c30b158b60b6bf54bdf3245383413931aec377b11ec
Opcode Fuzzy Hash: 7083442335f0878f24af7951cb9c6f6427ef084e06055e6196c548802078a7c4
Instruction Fuzzy Hash: 72213475604204DFDB14EF24DDC0B66BBA1EB84724F20C5BDD8094B2A3C33AD846CB62

Function 04209400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cf9f1e88475b190d373e803fe72ad780be27bf44f97aa0eeab8fee784e59ab
Instruction ID: ba07194ba91db981d8097c65dea43bfa829ca35e5269d6bdae0376721f1b3de2
Opcode Fuzzy Hash: 66cf9f1e88475b190d373e803fe72ad780be27bf44f97aa0eeab8fee784e59ab
Instruction Fuzzy Hash: 1D217CB0A157448FDB60CF6AC08839AFFF6EF89310F28C41ED41E97286D6746481CB61

Function 0420767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40deaf97cfd7cda0e820ffd0de7b0f2edd152db5bf0897042a9b1f1e68487c84
Instruction ID: 9f886f3f9bed2608fe81bda7d9d6be07666e662d89ddbe3020e82bbf67ce0c91
Opcode Fuzzy Hash: 40deaf97cfd7cda0e820ffd0de7b0f2edd152db5bf0897042a9b1f1e68487c84
Instruction Fuzzy Hash: B2112B35B00119CFCB14DBA8E844AED77F6FBCC265B1480A5E909DB352DB34ED128B90

Function 007BF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1321514282.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction ID: d97fc46be4c9d5bd36f1a39898ff2529c53e1710f16464d7348bcfda560c69ae
Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction Fuzzy Hash: E921AC76504280DFCB06CF50D9C4B56BF72FB88314F24C5A9E8494A656C33AD86ACB91

Function 0420C344 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6f8c726b07a160a76d3d3d36a32c350d7cea38ccea544555ecc0c56503169e
Instruction ID: 5df8d6bce588b529bf8434d2076d4ab8536490eca79eb4d042af48c94a52d7a6
Opcode Fuzzy Hash: 7b6f8c726b07a160a76d3d3d36a32c350d7cea38ccea544555ecc0c56503169e
Instruction Fuzzy Hash: 92115B2564E3D50FD31397386870A967FB29F83214F0A40EBC4C5CF2E3D5155809C362

Function 0420DF19 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93892112869c33595a03259cff531b87ebce29bd1ee742681d45cff6fc2c4a88
Instruction ID: 0b96d2af2cc933edc10a9cd229a656d9778accb65a6ba072c6d9a8720d055c03
Opcode Fuzzy Hash: 93892112869c33595a03259cff531b87ebce29bd1ee742681d45cff6fc2c4a88
Instruction Fuzzy Hash: 55114C30219780CFC725CF79C044896BBF6EF8A21532488ADD08A8BBA1CB31EC05CB54

Function 042079C2 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add38059a899a7ae4d84ddb8610668d22252a05a4f330a8837e196ce1c0ec4f5
Instruction ID: 41b559709d0b2d576f0f2c89cd95d248f958bfb946f04f2454a6986254b96fd3
Opcode Fuzzy Hash: add38059a899a7ae4d84ddb8610668d22252a05a4f330a8837e196ce1c0ec4f5
Instruction Fuzzy Hash: A70124317083889FD712DB799851A7F7FE9DF8A26070045ADE44DCB292EA31BC06C7A1

Function 007BF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1321514282.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
Instruction ID: 3657e1d265d6c46fd6f3e5694c3d334f333e1da1b39af9846791e934125d0d5d
Opcode Fuzzy Hash: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
Instruction Fuzzy Hash: C311DD79504284CFCB15DF24D9C0B55FFA1FB84724F28C6AED8494B666C33AD84ACB61

Function 0420BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0751c6f33cae01115c22f7f9e08001eeeddd37c00ca3dd141583605af2cb0da
Instruction ID: 1116bed5a7ff7ab752e8d60b20a17571dd5be316f0a6b4029e691c136b1e9bd1
Opcode Fuzzy Hash: d0751c6f33cae01115c22f7f9e08001eeeddd37c00ca3dd141583605af2cb0da
Instruction Fuzzy Hash: EA0192317083459FD728DB75D498A9ABFF6AF46210F1488EEE08AC76A2CB31F845D701

Function 0420DCD9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa2ae08cf277f287aef46404928ee74435d2301876af193d9154738862a4c24
Instruction ID: 821e77d5ea48f8365a21a4b56cca8b640409d617569c6933e3c12e6cad83891b
Opcode Fuzzy Hash: 1aa2ae08cf277f287aef46404928ee74435d2301876af193d9154738862a4c24
Instruction Fuzzy Hash: 9F01F936B3A1849BC715DBB4D4544ECBFF3EF89210B1884A9D44697393D9616C02C7A1

Function 0420DE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5114063685ec58437087f9a9a713077bb86d6a2b72e07a4340c56bd26cd9c4
Instruction ID: 9bf96b1b05f2cef8ec62131ee2b6a62134d867fb8ee7ee16355cc94d4a50be69
Opcode Fuzzy Hash: ac5114063685ec58437087f9a9a713077bb86d6a2b72e07a4340c56bd26cd9c4
Instruction Fuzzy Hash: 6101B535701218CFCB119FB4E8086AEBBF7FB89315F104069E60AD3341DB31A911CB91

Function 0420DF28 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05494d6cd33b6ec913eb6d018b474796e6c0be3e09ec484e4cb82a5f16763eae
Instruction ID: 624e48c17969da52786127c39a38985a9409dd92a05e1fe57257eb3876e00794
Opcode Fuzzy Hash: 05494d6cd33b6ec913eb6d018b474796e6c0be3e09ec484e4cb82a5f16763eae
Instruction Fuzzy Hash: 0711F774204750CFC728DF79D084896B7F6EF8A21572489ADD04A87BA0CB32E845CB54

Function 0420BF10 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fec56866fe3b1d440e82dff0fbec358b0a32162cb7021483a0beeb2e6a8ba4e
Instruction ID: fc4bd0affa36507be7be2ff646ad3a98103c804341d4d322b7a93d545a69d4d1
Opcode Fuzzy Hash: 1fec56866fe3b1d440e82dff0fbec358b0a32162cb7021483a0beeb2e6a8ba4e
Instruction Fuzzy Hash: BAF0AF327193E52FD7118A7A9C54977BFEDDF8662171844BBF885C73A2CAA0DD008760

Function 007BD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1321514282.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6873f74ce251c41fd2aff09f0f76a77738b603f7a419cce75dd3bc5b304cc521
Instruction ID: a6fdc0ad2389b075fb8ab7a24335338709d67301e5a626a2171528cec0dd2b81
Opcode Fuzzy Hash: 6873f74ce251c41fd2aff09f0f76a77738b603f7a419cce75dd3bc5b304cc521
Instruction Fuzzy Hash: 5801F231508300EAE7306A21CD84BA6BF98DF41325F18C02AEC484B282D27D9C46CAB2

Function 04207958 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91644dc5d8feac6629e0ef375926645b3d39d63b8733cd65462f8eee31465621
Instruction ID: 9da103e0ccbca03b0295a90d0dc27d4d94fa462e1f39322d303f32ace6e0e91d
Opcode Fuzzy Hash: 91644dc5d8feac6629e0ef375926645b3d39d63b8733cd65462f8eee31465621
Instruction Fuzzy Hash: C0F028307092809FD712977598519AF7FF5DF8A161700066EE089C7392CE246C46C761

Function 0420C4C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11be745352850b61619509d9ae82e5cfc0968abdd239c0827b420754c1cee101
Instruction ID: 64e8bb60c7b33af76b15453c26b5e97d02d1acc9752a6a3114f6af7ebd0daff5
Opcode Fuzzy Hash: 11be745352850b61619509d9ae82e5cfc0968abdd239c0827b420754c1cee101
Instruction Fuzzy Hash: 08F042311053846FC311BB35D84595ABFABEFC3254754897ED1498F212DE31BC0AC790

Function 0420DC88 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2e2db1dc70a8943a2cb543b18516704d2ffe9b300bf6ce997c15d799373406
Instruction ID: d9082802e62b8f8b7a145c6c3f551564a787e3f26aa5ca09c2baeffde1dd6868
Opcode Fuzzy Hash: ca2e2db1dc70a8943a2cb543b18516704d2ffe9b300bf6ce997c15d799373406
Instruction Fuzzy Hash: 47F0E93672A2546BC71657ADAC008EE7FEFDDC7275304445BE149CB242DA50B94583F3

Function 042090D8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635e402392a2414014587b2f6dbafe068d84097294d91728a85e59f4285b5aef
Instruction ID: f4c1cffe164ce9d756f974fa02749e6ab623a45bcabef2905bbc99cb127baeb8
Opcode Fuzzy Hash: 635e402392a2414014587b2f6dbafe068d84097294d91728a85e59f4285b5aef
Instruction Fuzzy Hash: 18F04C756082409BD311AF39D0187EB7FA6DFC2318F24819AD6865B386CE357906C7E1

Function 0420CB52 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4260a6649d20147a520a4d331e4ebfd5b8df59e0e94df87917fb4f314650373
Instruction ID: 2151849cc987bb3899b119af87b92a56601ee4ebb3624a72ce58196fd0daa34f
Opcode Fuzzy Hash: d4260a6649d20147a520a4d331e4ebfd5b8df59e0e94df87917fb4f314650373
Instruction Fuzzy Hash: D2F0B43120D3801FC366A73A5C9456EBFABDEC316036D45AFD0CADB152CE28690683A6

Function 007BD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1321514282.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82198a4adcfbfe2a9c116e4aac626d726a4152fe1797ee1013aaab18cf61e191
Instruction ID: aa58e7baf2c455cd8594949030f44f573e8da60277d390f4e3494306ac7dc9c8
Opcode Fuzzy Hash: 82198a4adcfbfe2a9c116e4aac626d726a4152fe1797ee1013aaab18cf61e191
Instruction Fuzzy Hash: 6FF0F976600604AF9720CF0AD985C63FBADEBD5770719C56AE84A8B612C671FC41CEA0

Function 007BD01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1321514282.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8f4c3e2e987fb8c1e8a075990aa1a1e0bfb9a9b429f18ed2bf68b216ee46fb
Instruction ID: 5cfdb3c1f74cb25001efe9a101b37837fc261daca3379f4cb9cb092fb9241e7a
Opcode Fuzzy Hash: 5a8f4c3e2e987fb8c1e8a075990aa1a1e0bfb9a9b429f18ed2bf68b216ee46fb
Instruction Fuzzy Hash: 0EF0C271404340AEE7209A15C988BA2FF98EB41334F18C15AED484A282C2799C44CAB1

Function 0420DE38 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5374efb5306780f8100e8e1f478dd26af26905d5d8584d5e199f318ef1c3aa7b
Instruction ID: af89a0c6473f5efc35a3a0e466ff896310f28a146cd24da82da774edb4d28a96
Opcode Fuzzy Hash: 5374efb5306780f8100e8e1f478dd26af26905d5d8584d5e199f318ef1c3aa7b
Instruction Fuzzy Hash: D8F082343152414FC3108F6DD454CA6BFFADFCA61531900E9E585CB772DA61EC01CB90

Function 04209158 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709594578f428e6fbdf38fa2486f03c0e111b577cbcc777a4d56cd4b73db37bb
Instruction ID: 785c70565cff0fa9f32e1fdd740872733e20ab01127bcb8637e0613aa0ee89e8
Opcode Fuzzy Hash: 709594578f428e6fbdf38fa2486f03c0e111b577cbcc777a4d56cd4b73db37bb
Instruction Fuzzy Hash: BAF0B4705053444FD3208B78D4AC396BFE6EB01310F54449DD28AD7242DB356981C7A1

Function 04207968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f55391822acf37fdf9b7e6a8e51ddb7ba3e8253e9adaa7bd3a679f67e03da6
Instruction ID: 0db0d67862560f83fe5e7b1a46a9bff608e697b2e62d3139432ecec97760a63d
Opcode Fuzzy Hash: 50f55391822acf37fdf9b7e6a8e51ddb7ba3e8253e9adaa7bd3a679f67e03da6
Instruction Fuzzy Hash: 8EF0A731700614DFD710AA59D844A6F77EAEFC8661B00052DE50DD7341DF74BD4687A5

Function 04208969 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4e41ac849dbe7b457b6c151dfdbd427ad49d10428fd2749e3c3c3a513b0b42
Instruction ID: da656c9cce3fc84f87dc5e8dd6186647baaeed5003bfbefb0095a016184f2fee
Opcode Fuzzy Hash: 7b4e41ac849dbe7b457b6c151dfdbd427ad49d10428fd2749e3c3c3a513b0b42
Instruction Fuzzy Hash: 0FF0273530A3945BC7062775681C3AE3E579FC6714F08419AE71587282CF2A1E05C3E6

Function 007BD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1321514282.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d1e3344caaaa224eeaf4a1da574844357aeeb5360717e23feceb427367117a
Instruction ID: cb38c43ac8511e258b9f6a2144bf7303d8ae9745350812f88b687cf7af147bc6
Opcode Fuzzy Hash: c6d1e3344caaaa224eeaf4a1da574844357aeeb5360717e23feceb427367117a
Instruction Fuzzy Hash: EAF0F975504A80AFD725CF06CD85D63BBB9EB89720B198499E85A8B712C635FC42CFA0

Function 0420C4D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc461016e17839be2c874b9fccb98020cb573ff71e9cf5fbc8e53ac875dfc06
Instruction ID: 9c76ee9191182253d09e8b0d02d9c4beecf98b36c0ca229ec18cf02128a09c41
Opcode Fuzzy Hash: ecc461016e17839be2c874b9fccb98020cb573ff71e9cf5fbc8e53ac875dfc06
Instruction Fuzzy Hash: FFF0E231200200ABC310AA25D844AAAB7ABEFC12547408A3DD10D8B711DE31BD0987D0

Function 0420E7A8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b1e5c85886dfc7e0b520988f1ec4eebac160fea1ff8e92219554ee814bb975
Instruction ID: b3139bcc8939c9b861ad08d4509d1f08ddf5a168bae79bdce54f3e8eb65faa4e
Opcode Fuzzy Hash: 15b1e5c85886dfc7e0b520988f1ec4eebac160fea1ff8e92219554ee814bb975
Instruction Fuzzy Hash: C2E06831B10358669B2049B89C819CAFFDDEB9D258F20047AE982B3642D761640283A0

Function 04207697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e8752978f6f9b0e6ac2b2d781b34e0e5f30102fbc7ad23f0a9453ae1b2cb87
Instruction ID: 7b506767069af54b5c61164ad157f958b3ab3e10a43e0ea47f5c3f3ee2f6c985
Opcode Fuzzy Hash: 31e8752978f6f9b0e6ac2b2d781b34e0e5f30102fbc7ad23f0a9453ae1b2cb87
Instruction Fuzzy Hash: ADF0E5397105198FCB10DBACD840AAA77E6FBCC6517158154F80ACB352DF34EC028B90

Function 042090E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d359eddd44abec6ffad97628432d5f00c7fbced25cfe2906168697935dcfdb
Instruction ID: cb41a461e7558e879a69b82c498f4a48854660850f817eb978a2733cdb28a7ec
Opcode Fuzzy Hash: 40d359eddd44abec6ffad97628432d5f00c7fbced25cfe2906168697935dcfdb
Instruction Fuzzy Hash: 06F027757046048BE304AB69D0197AB7BE6CFC0314F10816AD60A47389CE3A7941CBE0

Function 0420DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9745a48c1720f81345601e2ad502b7df6584c662798bc5620bdeed2048ac1df
Instruction ID: 9f0e3800f0d23122cc35c86fb8e7b10e19c9fbcbb82d946f586d5a5fdb5ea2b0
Opcode Fuzzy Hash: a9745a48c1720f81345601e2ad502b7df6584c662798bc5620bdeed2048ac1df
Instruction Fuzzy Hash: FFE01A357212118F83109F5DD498C66B7FAEFCEB6531940A9F649CB771DA61EC01CB90

Function 0420C33F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e3dda50719ab45fb52ef4c8f69c94b239c83eb8a05382f47d5b2bb56ef5337
Instruction ID: 5fc7855f87694de6ba6be3c00d86e792841c33aca1775e56f5fc32f60819fbec
Opcode Fuzzy Hash: 90e3dda50719ab45fb52ef4c8f69c94b239c83eb8a05382f47d5b2bb56ef5337
Instruction Fuzzy Hash: 4FE022323192000FD324837A9490AABBBD69FC6360F18813ED60AC73D2D961A802C310

Function 0420AF88 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1daa45d28d84a0fb6b1c6627725e908c18dfe9528a507b793c58701ba7573048
Instruction ID: 2c4131aa7a893857f464a614d2c5e3bab9861646c86af73efa165a141ed8b824
Opcode Fuzzy Hash: 1daa45d28d84a0fb6b1c6627725e908c18dfe9528a507b793c58701ba7573048
Instruction Fuzzy Hash: 95E0DF2232D3D617CB26823D6814496BFAB8AD362432C80FEF0C1CB283DC42984283A1

Function 0420E92E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159db365aa4cc8fbeb82eb020cb19c329f167798290097d4fa6b49eee915fbb6
Instruction ID: a49238d2dd354ed2d81b1774880e4001ff30a38b4e37667b22aca5cea22bde9c
Opcode Fuzzy Hash: 159db365aa4cc8fbeb82eb020cb19c329f167798290097d4fa6b49eee915fbb6
Instruction Fuzzy Hash: 30F05B79A121189FCB00CF98E585999BBB2FF48715B168155F909AB351CB31AD41CB40

Function 0420CB68 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1475a5efa5078098e7344d1f4e977588189db2056d9673839a7ce6360a94c494
Instruction ID: c785537ea2b71fc9844b2cabc8eb4ec931c83f1706d70a32b3468fa2f857cc3b
Opcode Fuzzy Hash: 1475a5efa5078098e7344d1f4e977588189db2056d9673839a7ce6360a94c494
Instruction Fuzzy Hash: 7DE04831204300578154B75E9C4056EBA8BDFC52A0768492DD55E97240DE757D4547A6

Function 04209549 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c301c4f8300f6f3b5adb6646b3dc25789b4650e148c767557d01ebf00c299ff
Instruction ID: 7f708c5e1573ae867ff88b9d9a5966bd7682ecabbf8706eaecaf5ff778dcb078
Opcode Fuzzy Hash: 1c301c4f8300f6f3b5adb6646b3dc25789b4650e148c767557d01ebf00c299ff
Instruction Fuzzy Hash: 81D012227621521757A871BA18406B799DE8EC45E87058035AA06C36C3ED40EC4543E5

Function 04209168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defb43969b3e4c4d57f9163e60597c2c4516a5c58204dcfac7b1e23e43530def
Instruction ID: a6aa2765a1b3e7d29bb8ac8f58785e6876802ff21d0cc24c404311e8b3809ff2
Opcode Fuzzy Hash: defb43969b3e4c4d57f9163e60597c2c4516a5c58204dcfac7b1e23e43530def
Instruction Fuzzy Hash: 15F06D70A013048BD3609F78D49C39ABBEAEB44310F004469E20EC7380DF39A9808B90

Function 04208978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc78bf96685f2311c790b79682704766c2d117e22a65b03019249bb97c647d1
Instruction ID: 0266d2fb1ddb0214e8e8b1a4b27b382a6f1dfc06d520a24205b40f6fedd8a776
Opcode Fuzzy Hash: bbc78bf96685f2311c790b79682704766c2d117e22a65b03019249bb97c647d1
Instruction Fuzzy Hash: 1DE026353052189BCB083B78A40C3AE7A97EBC4725F04412AE71A83381CF3A2A0183DA

Function 04209550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cc2057b13a88f429ce8206532d7fb7d6c4a82f55cf024b02a290b8a2051e54
Instruction ID: 01f76353248e1a7d336cb831567bef404c709ec98db6cec8941070acb1959117
Opcode Fuzzy Hash: 76cc2057b13a88f429ce8206532d7fb7d6c4a82f55cf024b02a290b8a2051e54
Instruction Fuzzy Hash: 30D05E227311621B17A8B2BA18006BB99DE8FC45E870580369A0AC32C3EC40EC0543E9

Function 0420C580 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532493d450c61c20feee3c42aba9ee2efd99110de5736af39cfb022231311dbe
Instruction ID: a795fc77f45bb19ac887cb715a27fd50f5ef0b8ed697ede99b7670ddaab120f3
Opcode Fuzzy Hash: 532493d450c61c20feee3c42aba9ee2efd99110de5736af39cfb022231311dbe
Instruction Fuzzy Hash: CBE086313091542B8300637DA8155597FEBDFC6651304407AF609C3242CD16FC0483E6

Function 04208739 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a78c0c6c96db5cd89fd668e107e6f29905c26736d2ebed68cb8ce1d2722660b
Instruction ID: b7a50d48c700c6b8910fd4523e0b438a62956b733ce09c5e22e2b1c17cfae7c7
Opcode Fuzzy Hash: 6a78c0c6c96db5cd89fd668e107e6f29905c26736d2ebed68cb8ce1d2722660b
Instruction Fuzzy Hash: E5E01A3591914A9BDB19AB74E85A4EABF76EA15306B0001A9E78292191EE202646CBC2

Function 0420DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7f4e7732181f67600abacf9038cb586f3529868046c816c9ecea6a3a33bf69
Instruction ID: 1737addd7b0d74de85c1986e96439ce906130b51cde89c77cbb80cc9f5e15f34
Opcode Fuzzy Hash: 7d7f4e7732181f67600abacf9038cb586f3529868046c816c9ecea6a3a33bf69
Instruction Fuzzy Hash: 51E0C236711614578312B76EA80089F77EBDFC96B5344842EE109CB340DE64FD0647E7

Function 0420DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: c7276e462e4719bb28bb448a748108784272603cf9fe3eb5a300fddc99173166
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: FDE08631B30014978B089999D4544EDF7AADBCC220F04C07AD90AA7381DA726915C6E1

Function 04208800 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089dc2b811eacc708695e3815c5a5253019ddcf6849bbab7c4a08c364f5928a0
Instruction ID: 117aee24608064cfa5324be0f52a880afc90f9320782d3f0e6ea21c13f127bc9
Opcode Fuzzy Hash: 089dc2b811eacc708695e3815c5a5253019ddcf6849bbab7c4a08c364f5928a0
Instruction Fuzzy Hash: 2EE0D834A1824E8BC714DFB4D40656ABFF6EF05208F104158EE86A3341EA306951CBC1

Function 0420F460 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbd314b66d818aaee74389655fc526bb9300e90d91a739c201f26503d18876f
Instruction ID: 2d536c544a0d5577f5be2b8e0ad1dc9d2b39433a1b5940685ff87dc96cbae54d
Opcode Fuzzy Hash: 3fbd314b66d818aaee74389655fc526bb9300e90d91a739c201f26503d18876f
Instruction Fuzzy Hash: 83E01A75E5424AAF8790DFBCC8415AAFFF0AF49204B5489AED948D7212E6329612CBC1

Function 0420C590 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381b50bf6f1cbf88919201fee8c84c56179f326204302e48c2a2e59a7cd1951f
Instruction ID: fe0d59b38f2046d4e4b08ae3df020cd8a51bf4eec4edc2dd7cc2ecf2401441ce
Opcode Fuzzy Hash: 381b50bf6f1cbf88919201fee8c84c56179f326204302e48c2a2e59a7cd1951f
Instruction Fuzzy Hash: 94D0C7353051146B4244776DB41955D77EBDFCA661745003AF70EC3341DE62BC0587D6

Function 0420F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 773d7bd298caabf33e881828b04db4ac8607c74f483f19bf61ce883cc2279034
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 0CD067B0E142099F8790EFADC94156EFBF4EB48204F64C5AA8919E7341F7729A12CBD1

Function 04208748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79bcbadf0020451022a0e923655a576ed0ce5214399a0ac7f5e186f07135ad2
Instruction ID: b9d239edaf1db93eacca82a56489d5f67b554eb64c742b6bf73bf4c83cffa2d3
Opcode Fuzzy Hash: b79bcbadf0020451022a0e923655a576ed0ce5214399a0ac7f5e186f07135ad2
Instruction Fuzzy Hash: 6DD0123091510D8BCB08AB74E41A4BD7B75FB10306F404169EB0752190EB302746CAC2

Function 04208810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fa4e962d2b36634271f51ebc9b2c2262f4f30cae797d64e34c72a43200a0cb
Instruction ID: 0418be6deeb18b2e075d82e8eced5e95f273b64059af288bf4a6e4267ef8a37b
Opcode Fuzzy Hash: b2fa4e962d2b36634271f51ebc9b2c2262f4f30cae797d64e34c72a43200a0cb
Instruction Fuzzy Hash: C1D01234A1420E8B8B04EFA4D44646EBBF6AB44305F008155EE4593340EA306901CFC1

Function 04207932 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf63ccd126ed7df5b763c201e08229aee32414822330a3a52d608692f917074b
Instruction ID: f753a53762af76559200db6fd4c94307f063aa81e66c654f32e8e6050d7f36dc
Opcode Fuzzy Hash: bf63ccd126ed7df5b763c201e08229aee32414822330a3a52d608692f917074b
Instruction Fuzzy Hash: 8BD0A93000D3C88FC3070BB454390507FB4DF8322030A08CAE8894F1B3E922A84ADB21

Function 0420EA57 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7c884dd2a055f54d2700c729b07e3644964781ea2127c578e0629bcab1823e
Instruction ID: 56f1e2d7b21b97fa78c3aa1608e46f91235232774bdf1052403b75806e859feb
Opcode Fuzzy Hash: dd7c884dd2a055f54d2700c729b07e3644964781ea2127c578e0629bcab1823e
Instruction Fuzzy Hash: 58D09239B41218CFCB04CBA8E895A9CF3B2FF84315F1180A5E6159B251CB32A952CB40

Function 04207EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e0d9c4a4de5d145862140b2d13ae7a5f0e30cd0feecbbfdb15aad23246c439
Instruction ID: 0698eac260b52c0a86b0f5c8bfbf8a328c5ebde7dbe1074a646ec5ec11889181
Opcode Fuzzy Hash: 92e0d9c4a4de5d145862140b2d13ae7a5f0e30cd0feecbbfdb15aad23246c439
Instruction Fuzzy Hash: 26C0011591D3C04FFB8687364C771667FF1DE8B62470A9AE2D9828B572C8288817E262

Function 04207940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b063d472ac9f430ea8649c5506dc7b78d6f648b3c75e95916bdbda7c1455d04
Instruction ID: c625c1a183fb21ffb407240cc7c433608a93f30fc24c3d1316f37c2f79525672
Opcode Fuzzy Hash: 6b063d472ac9f430ea8649c5506dc7b78d6f648b3c75e95916bdbda7c1455d04
Instruction Fuzzy Hash: A0B0923004470CCFC2486FB9A4099187729AF4421538104A9F91E1A2968E36E888CA44

Non-executed Functions

Function 07171BE0 Relevance: 10.4, Strings: 8, Instructions: 450COMMON

Download Yara Rule

Strings

4'q, xrefs: 07171F95
4'q, xrefs: 07171C92
$q, xrefs: 07172166
4'q, xrefs: 07171C86
tPq, xrefs: 07171FDF
tPq, xrefs: 07171FEB
4'q, xrefs: 07171F89
$q, xrefs: 07172172

Memory Dump Source

Source File: 00000009.00000002.1334362167.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$tPq$tPq$$q$$q
API String ID: 0-4018001354
Opcode ID: 2ce36763c722e7ddc2d5e4fcaff787d0f2f64ba30efd6fb9536ccd287c84f3f1
Instruction ID: ef80d89a4b0817bed2fbcadbe15410e5876edf27026a19e261bf61e211473e4d
Opcode Fuzzy Hash: 2ce36763c722e7ddc2d5e4fcaff787d0f2f64ba30efd6fb9536ccd287c84f3f1
Instruction Fuzzy Hash: 0EE16EB1B0430A9FC7369B6998016A7BBB2BFC6311F18846BD905DB2D1DB31DC46C7A1

Function 07173678 Relevance: 6.4, Strings: 5, Instructions: 190COMMON

Download Yara Rule

Strings

4'q, xrefs: 07173722
$q, xrefs: 07173836
$q, xrefs: 071737FF
$q, xrefs: 0717382A
4'q, xrefs: 0717372E

Memory Dump Source

Source File: 00000009.00000002.1334362167.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 1674926a78d996dec3d55d04ecc6c01e3876169d0293062527fe5123608e5fc7
Instruction ID: e1d0f4a19c3bf930565dc9b1ce967fb1e2de6e117f2eccca68462d4ba7cd7590
Opcode Fuzzy Hash: 1674926a78d996dec3d55d04ecc6c01e3876169d0293062527fe5123608e5fc7
Instruction Fuzzy Hash: 72517BF27043869FC72A87699812367BBB2AFC6221F24817BD425CB3D1DB31C845D791

Function 07173928 Relevance: 6.4, Strings: 5, Instructions: 121COMMON

Download Yara Rule

Strings

tPq, xrefs: 071739B1
$q, xrefs: 0717393A
tPq, xrefs: 071739A5
$q, xrefs: 0717396C
$q, xrefs: 07173960

Memory Dump Source

Source File: 00000009.00000002.1334362167.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq$$q$$q$$q
API String ID: 0-4232885863
Opcode ID: fc08363d2111c6303da5e80a774c77373ffcef362e2211dfb58498fc5163d362
Instruction ID: 0360e13aca7c09fbdcbbb05332b5bbaf32942c7a88178a2d95b338adce952ebf
Opcode Fuzzy Hash: fc08363d2111c6303da5e80a774c77373ffcef362e2211dfb58498fc5163d362
Instruction Fuzzy Hash: CB415B723083968FD7268B69E801666BBB1AF86720B19806FE854CB3D1DB31DC41C351

Function 04207A21 Relevance: 5.2, Strings: 4, Instructions: 243COMMON

Download Yara Rule

Strings

`q, xrefs: 04207BA2
`q, xrefs: 04207B23
`q, xrefs: 04207CC2
`q, xrefs: 04207C44

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID: `q$`q$`q$`q
API String ID: 0-10485352
Opcode ID: 78496866ef769ed4646c7b4ddb27a24e28aeb36e43830d650bc2e0607440d242
Instruction ID: 12571733ef73e7c1ee38b655a687944735f23a3b9e6d063e15c9e8aabd6970d2
Opcode Fuzzy Hash: 78496866ef769ed4646c7b4ddb27a24e28aeb36e43830d650bc2e0607440d242
Instruction Fuzzy Hash: CBB1A474E002099FDB55DFA9D980A9DFBF2FF88300F148629E819AB355DB30A945CF91

Function 04207210 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`q, xrefs: 04207BA2
`q, xrefs: 04207B23
`q, xrefs: 04207CC2
`q, xrefs: 04207C44

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID: `q$`q$`q$`q
API String ID: 0-10485352
Opcode ID: 24a2c20743094b9e5f0796726b2b6fc4088ac51e1b4f311bf111fa08f8f92fc5
Instruction ID: 04301464e3bc4f566404467ccf0950f018bcf94a7b84c8ffa63d6babe1be0d08
Opcode Fuzzy Hash: 24a2c20743094b9e5f0796726b2b6fc4088ac51e1b4f311bf111fa08f8f92fc5
Instruction Fuzzy Hash: C3B18274E00219DFDB54DFA9D980A9DFBF2BF88300F148629E819AB355DB30A945CF91

Function 04207A30 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`q, xrefs: 04207BA2
`q, xrefs: 04207B23
`q, xrefs: 04207CC2
`q, xrefs: 04207C44

Memory Dump Source

Source File: 00000009.00000002.1322945879.0000000004200000.00000040.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4200000_powershell.jbxd

Similarity

API ID:
String ID: `q$`q$`q$`q
API String ID: 0-10485352
Opcode ID: b4171df60143020e365ae40100106471c207bd40ce66581c14e7c0ee6d24a6a5
Instruction ID: 5a8c62be462139f00b6c6d41702bfd3637d4d7ea77929a88226a6dc1f9ceb130
Opcode Fuzzy Hash: b4171df60143020e365ae40100106471c207bd40ce66581c14e7c0ee6d24a6a5
Instruction Fuzzy Hash: 5DB18374E002199FDB54DFA9D980A9DFBF2FF88300F148629E819AB355DB30A945CF91

Function 07173110 Relevance: 5.2, Strings: 4, Instructions: 233COMMON

Download Yara Rule

Strings

4'q, xrefs: 071731C0
tPq, xrefs: 07173324
tPq, xrefs: 07173330
4'q, xrefs: 071731B6

Memory Dump Source

Source File: 00000009.00000002.1334362167.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq
API String ID: 0-1392854178
Opcode ID: efc0daf74dcbc9f7f3cde1738b7e54823c12fa8f3857fb200c163c7e3d9f9163
Instruction ID: 7c103d1139585c8e7a8d87002f62158859634558e96c43a24988987f8536a59d
Opcode Fuzzy Hash: efc0daf74dcbc9f7f3cde1738b7e54823c12fa8f3857fb200c163c7e3d9f9163
Instruction Fuzzy Hash: 41716CB1B043868FD7268B6988117A7BBB2AFC6211F18C07BD525CB2D1DB31D941D7A1

Function 07175798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 071757F4
$q, xrefs: 07175800
$q, xrefs: 071757C6
$q, xrefs: 071757AA

Memory Dump Source

Source File: 00000009.00000002.1334362167.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: cf7706ca671a8ed0a2710391ffc8a3eee248f688b0f7663aca15023e9139808b
Instruction ID: eb62051cb1c5f348247b7890759bc80cb1a31f90d81504e3d5c11a815783839c
Opcode Fuzzy Hash: cf7706ca671a8ed0a2710391ffc8a3eee248f688b0f7663aca15023e9139808b
Instruction Fuzzy Hash: 80216EB27103069BE739566B9812727B7A7ABC0311F64842EE909CB3C1DF75C852C360

Function 07170308 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

$q, xrefs: 0717035E
4'q, xrefs: 07170373
$q, xrefs: 07170352
4'q, xrefs: 0717037F

Memory Dump Source

Source File: 00000009.00000002.1334362167.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: 301e268352883969b5aae91dc807bc946639f614058dfb31a071d054a1b68538
Instruction ID: ab7890d932c650eb344396a724531deca3626cbf627fef5ae9384b610ea71f7f
Opcode Fuzzy Hash: 301e268352883969b5aae91dc807bc946639f614058dfb31a071d054a1b68538
Instruction Fuzzy Hash: 2C01A26071E7929FC72B52652C202566F725FC761072E41D7E481EB2D3CA284D05C3A7

Analysis Process: powershell.exePID: 8184, Parent PID: 7464COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04B9B490 Relevance: 6.5, Strings: 5, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KUxn^, xrefs: 04B9B770, 04B9B775
[Uxn^, xrefs: 04B9B738, 04B9B73D
\xn^, xrefs: 04B9B4DC
kUxn^, xrefs: 04B9B700, 04B9B705
{Uxn^, xrefs: 04B9B6C8, 04B9B6CD

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID: KUxn^$[Uxn^$kUxn^${Uxn^$\xn^
API String ID: 0-2085801606
Opcode ID: bd7910372a30d27feebc18fb40f6aee0df4303fa36dba359554df3f5bbd91dc7
Instruction ID: b41e468c38d1d1a381132f711821116eee5794ffc06a8fb708af4a1b4d19e5fa
Opcode Fuzzy Hash: bd7910372a30d27feebc18fb40f6aee0df4303fa36dba359554df3f5bbd91dc7
Instruction Fuzzy Hash: 73917175F007149BEB19DFB988106AE7BE2EF84710B00892DD506AF388DF74AE058BD5

Function 04B9B4A0 Relevance: 6.5, Strings: 5, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KUxn^, xrefs: 04B9B770, 04B9B775
[Uxn^, xrefs: 04B9B738, 04B9B73D
\xn^, xrefs: 04B9B4DC
kUxn^, xrefs: 04B9B700, 04B9B705
{Uxn^, xrefs: 04B9B6C8, 04B9B6CD

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID: KUxn^$[Uxn^$kUxn^${Uxn^$\xn^
API String ID: 0-2085801606
Opcode ID: cfa6bf8204daa28824ce499fbedc0913e8cec1e266ba3a07f6a1fe61ab58577e
Instruction ID: dd92a3dd561b97c9d10a393fb73de85f35b8f7132b07454ee344f51381aa1411
Opcode Fuzzy Hash: cfa6bf8204daa28824ce499fbedc0913e8cec1e266ba3a07f6a1fe61ab58577e
Instruction Fuzzy Hash: 61915075F007149BEB19EFB988106AE7BE2EF84710B00892DD516AF348DF74AE058BD5

Function 07B62308 Relevance: 3.2, Strings: 2, Instructions: 650COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B62619
4'q, xrefs: 07B6260D

Memory Dump Source

Source File: 0000000D.00000002.1375056639.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 55fcb5c7376596e42944ebc826a72374019da083864553fee2ad0d5216f7f53a
Instruction ID: 2e01592e0eced181a71e1b6aeb554036eb6c4b391d726d02e91bc097726f101f
Opcode Fuzzy Hash: 55fcb5c7376596e42944ebc826a72374019da083864553fee2ad0d5216f7f53a
Instruction Fuzzy Hash: 4F2209B1B003059FFB259B6984497EABBE1FF85211F1480FADA05CB291DB39DC45CBA1

Function 08CD7794 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08CD77FA

Memory Dump Source

Source File: 0000000D.00000002.1377645912.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8cd0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: e48cfa6b5e603b4cdf0645f6aca89039542d6b575629a5468bba17d9ee7339c1
Instruction ID: 926f5511f11473f8295ab3c778417402a79ef0e7b71a4f62baee3eb4f0b4fc74
Opcode Fuzzy Hash: e48cfa6b5e603b4cdf0645f6aca89039542d6b575629a5468bba17d9ee7339c1
Instruction Fuzzy Hash: C51125B5D003488FDB20DF9AD985B9EFBF4EB48224F24841AD558A7210C774A945CFA5

Function 08CD7798 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08CD77FA

Memory Dump Source

Source File: 0000000D.00000002.1377645912.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8cd0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 82ede440c6a9df45e4007de61fa125313d9f4f8db480414f40e8e9fd4880e4b6
Instruction ID: 4b0af9b61f41156c769d9812ff8294f18440b6db2637faa318ba84c672ddac43
Opcode Fuzzy Hash: 82ede440c6a9df45e4007de61fa125313d9f4f8db480414f40e8e9fd4880e4b6
Instruction Fuzzy Hash: DB1125B5D003488FDB20DF9AC845B9EFBF8EB48224F14841AD518A7210C775A945CFA4

Function 04B96FC8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 04B970ED

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: eb6d4af5b03ff2e0f8c4f6be663542c9421ae0cc1c3cd26be5ec51a47ef5d1f7
Instruction ID: 6e69e1c36c27cfe2f6862289f51a503db5c71dae5e8114ed5b391ffa6ad379ba
Opcode Fuzzy Hash: eb6d4af5b03ff2e0f8c4f6be663542c9421ae0cc1c3cd26be5ec51a47ef5d1f7
Instruction Fuzzy Hash: 8C410A34B102049FDB14DBA4C558AADBBF1EF8D711F1444A9E406EB391DA35AD02CB61

Function 04B9AFA8 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&q, xrefs: 04B9AFCA

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID: (&q
API String ID: 0-583763264
Opcode ID: 4926a805575c3dbf066e3398d4f27f9cee5364b1e0a1273a4c4a76e4eea8f68d
Instruction ID: 9f22d9438d529aaa728b314f20e953de922ea6d28bcd2b1a2d668b1809f58fbd
Opcode Fuzzy Hash: 4926a805575c3dbf066e3398d4f27f9cee5364b1e0a1273a4c4a76e4eea8f68d
Instruction Fuzzy Hash: 3F21B275E043588FDB24DFAAE400B9EBBF5EF89320F14846AD418E7340CA75A9058BA5

Function 04B9E968 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ff58e720b850a8d6c67f5513a1cad123f1700c38a0cf56e328667140a445af
Instruction ID: 65d16fa9e4e38085cf34fc58b94facad800be5dd625c886e692d62a9f4d5e5e8
Opcode Fuzzy Hash: c1ff58e720b850a8d6c67f5513a1cad123f1700c38a0cf56e328667140a445af
Instruction Fuzzy Hash: 14914D34B102148FDB14DF69D59066DBBF6AF89711B1485B9E806EB3A4DF30EC42CB90

Function 04B929F0 Relevance: .2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11f6977e2f172372f9c0033e7c65675d9e1d73d56da8014e6b2e112951fc5d6
Instruction ID: ccf1248ee9d722408f4cd2060e986bd8925029c58968fa513c02bb29bfcc7514
Opcode Fuzzy Hash: a11f6977e2f172372f9c0033e7c65675d9e1d73d56da8014e6b2e112951fc5d6
Instruction Fuzzy Hash: 60915074A006059FCB19CF58C494AAEFBF1FF89310B2489A9D915AB355C735FC51CB90

Function 04B9BAC0 Relevance: .2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d216d28404124356b20f6309695201e90d4682c3b8437f4f6471f3bc59c3f84
Instruction ID: 611ae2c7378b773f1374c6c91bfb73af6d6e5e75985500fabe85b2e9aa0617b9
Opcode Fuzzy Hash: 2d216d28404124356b20f6309695201e90d4682c3b8437f4f6471f3bc59c3f84
Instruction Fuzzy Hash: 7C612875E04248DFDB15DFA9D484A9DBBF1FF88310F148169E819AB364DB30AC46CBA0

Function 04B9BAD0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0896a41591cad0afcb52f2839995d9dfbd8554a974c12f3a898b57468919f6f0
Instruction ID: 35d57de3b657fb3d7e4d620ba8281599bf8d8c02c2c97c2a6b6a427659bba72c
Opcode Fuzzy Hash: 0896a41591cad0afcb52f2839995d9dfbd8554a974c12f3a898b57468919f6f0
Instruction Fuzzy Hash: A0611471E00249DFDB14DFA9D584A9DFBF1FF88310F14816AE819AB254EB30AC45CBA0

Function 04B97728 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a698150b86b353cedde7569bfafb307d29f0ef72a539b57fc100d8f95c9d31
Instruction ID: b728287b1336f1379ed9b4c215494ffc047f4b30227fc483b09135262fcafd9a
Opcode Fuzzy Hash: a1a698150b86b353cedde7569bfafb307d29f0ef72a539b57fc100d8f95c9d31
Instruction Fuzzy Hash: 74515935720204DFDB14DB69D894A6A77EAFFC8254B1484B9E509CB391EF35EC02CBA0

Function 04B9E551 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e7715fd185974a0820e9a5278a17c9f48fe8085c1209b5317589ada82d7b3e
Instruction ID: 4a4818a172419b414a3337597aa06b567f8d9ea8a6dbee1783a796918a1fea9e
Opcode Fuzzy Hash: 80e7715fd185974a0820e9a5278a17c9f48fe8085c1209b5317589ada82d7b3e
Instruction Fuzzy Hash: 00415B34B003058FDB20DF78D494E6ABBE6EF8821575585A9E849CF355EB30EC02CBA1

Function 04B9E560 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ff8346310ddf3f071f06cc9c99c9e50909624d4d4b6792e87e6edebedd9d35
Instruction ID: e493a0bfee5335bd3a5a44d6110c64e266d8a292f8533b1e1c3afba51f32d45e
Opcode Fuzzy Hash: 92ff8346310ddf3f071f06cc9c99c9e50909624d4d4b6792e87e6edebedd9d35
Instruction Fuzzy Hash: 77413C34B102058FDB20DF78D594E6AB7E6EF8821575585A8E849CF359EB34EC02CBA1

Function 04B9DE99 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb7e81a1aedbf13c2ab938c7a027c28269165b155eeb62339b0a96ac49fd06b
Instruction ID: f156c5052c46923e12b317fa964f047e13606e5c14cb55d06f3e60b978c0c75e
Opcode Fuzzy Hash: 5fb7e81a1aedbf13c2ab938c7a027c28269165b155eeb62339b0a96ac49fd06b
Instruction Fuzzy Hash: B3310331B006058FDF248F6AD455BEDBBFADB99350F2880B9D401DB256DA30AC02CB60

Function 04B975F9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a92d0ec3aa035bd1ff83b1dc0193ab4dbfcce16a0d3a0ac38961646c3d30cb6
Instruction ID: 74107094065e1dc5119d32d3566f7bdc5f1c8c5dcd0541307d975eb6b4aad477
Opcode Fuzzy Hash: 7a92d0ec3aa035bd1ff83b1dc0193ab4dbfcce16a0d3a0ac38961646c3d30cb6
Instruction Fuzzy Hash: 8B314A35710215CFDB14EFA8D854AAE7BE2EF89655B1440A8E50ADB3A5DF34EC02CB90

Function 04B9C398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39eb407e4a56e21e3f75ec2ddf12b5d207158fb6953ac1fedc729f9a7d7cf0f5
Instruction ID: 171f95f0699daeed6f5a5b12629f5af2a63427e65f316ec4520e1efa41c02695
Opcode Fuzzy Hash: 39eb407e4a56e21e3f75ec2ddf12b5d207158fb6953ac1fedc729f9a7d7cf0f5
Instruction Fuzzy Hash: 1831AB393003019FD715EB78E854B9ABBE6EFD4255F008239D609CB355DF70AC0A8BA1

Function 04B9AE70 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21057a4c810c0dcc1d55df56d5d5598e7c1751bf85330c095edeeec8f850b5e5
Instruction ID: 8468c76c72a66fc461de2b7fc877d09f030beadeaa2614c83fbc64f53d4dd548
Opcode Fuzzy Hash: 21057a4c810c0dcc1d55df56d5d5598e7c1751bf85330c095edeeec8f850b5e5
Instruction Fuzzy Hash: D431AE70E006499FDF19DF79C4947AEBBF6EF88250F148069E405EB354EB34AC418BA0

Function 04B96FB9 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16c714c75f3af8638f2207c569813a8a7f6178c132626878bd9687bf232a8f7
Instruction ID: 19ad9637c06de8e81e0b9ba5deec71c35fb3ff3f4dfac199f61c0361700849fa
Opcode Fuzzy Hash: c16c714c75f3af8638f2207c569813a8a7f6178c132626878bd9687bf232a8f7
Instruction Fuzzy Hash: A3310934A10205DFDB14DBA4C558AAEBBF1EF8D715F1441A8E406EB351DB31EC02CB50

Function 04B9E7E1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f5418e9026f9516f02ac09e3d9e509c60c488e9f6b984c2abe52b69e1dc88f
Instruction ID: 42fe44892d2808cf000e8a36109919523be7a83d75b622a775a60c34f8b812da
Opcode Fuzzy Hash: 76f5418e9026f9516f02ac09e3d9e509c60c488e9f6b984c2abe52b69e1dc88f
Instruction Fuzzy Hash: A2317E34A003159FCB24DFA9E594A9EBBF1FF48205F108568D416AB394DB30BD05CBA1

Function 04B9AD38 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77915a9764def22fc74c304d5d0331f94925fee45b00b4d863d6ed38cdae46e
Instruction ID: fc33346d18ee2960a81d3640fa3595e86a669ca166d3289fc49a30c90727cdaf
Opcode Fuzzy Hash: b77915a9764def22fc74c304d5d0331f94925fee45b00b4d863d6ed38cdae46e
Instruction Fuzzy Hash: 873194B8E003449FEB05DB64D854AAF7BB2FF89300F1584A9D210AF395DA74ED45CB91

Function 04B9E180 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0569aaff91a9f9ccd52a3af5dfaaa427d853fba509b1384fdd01baa2d133b449
Instruction ID: 1213f6afdff8f47ecc565a5d2c9403a986d5b9dc2fa0794e3d9d2ce040db7a79
Opcode Fuzzy Hash: 0569aaff91a9f9ccd52a3af5dfaaa427d853fba509b1384fdd01baa2d133b449
Instruction Fuzzy Hash: 85313A74A002048FDB18EF69D458A9DBBF6FF89614F148469D406EB3A5DB70AC45CB90

Function 04B92B00 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88fab8149d84b815da0a3e7bce77d093e057cfb07ff21cb0ce3f9ef905287f8
Instruction ID: 12d5590bab2d46bab7b17be58904c90a914e62979ae66f3636ac7706d0bfef5c
Opcode Fuzzy Hash: f88fab8149d84b815da0a3e7bce77d093e057cfb07ff21cb0ce3f9ef905287f8
Instruction Fuzzy Hash: 53315D74A001059FDB19CF58C4A8EAAF7F1FF44310F6589A9D8169B254C736FC91CB94

Function 04B9AE80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e408a767bf98e47c799b7e17396786eb58444911db912c41b4b697aa130d406
Instruction ID: 81c0add0f930e141e3604091d2ef4852546a7ef4fa2b6d024d42ad76b1181e42
Opcode Fuzzy Hash: 8e408a767bf98e47c799b7e17396786eb58444911db912c41b4b697aa130d406
Instruction Fuzzy Hash: 74313870A006499FDF19DFA9D494BAEBBF6EF88210F148069E505EB354EB34AC018B65

Function 04B9E7F0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe79ef34c83aa8fe8a880bbaa01333840238451ade5b1cd1810933239a47796c
Instruction ID: 5bf0ad8e1faa48f7ec4460a217f0d8d3d5f44a86029be4763107fa14c1f04525
Opcode Fuzzy Hash: fe79ef34c83aa8fe8a880bbaa01333840238451ade5b1cd1810933239a47796c
Instruction Fuzzy Hash: 25315C34A003159FCB24DF69D494A9EBBF2FF88205F108568D416AB394DB30BD09CBA1

Function 04B99400 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279d14b92d313edcf328bf08bac015fcbb94313ccc7fad8e291f31b5a338dc13
Instruction ID: ebee5a00841aa34e6e82f07abcf139cae1ce4a80798f309152e7d1e43b9db6f6
Opcode Fuzzy Hash: 279d14b92d313edcf328bf08bac015fcbb94313ccc7fad8e291f31b5a338dc13
Instruction Fuzzy Hash: 0B3190B59053848BDBA1CF6ED08878AFFE6EF85310F28C4ADD4499B305D675A841CB61

Function 04B9E190 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d9e11fbb7691858037e440b79d91f04e3596423e75a40b1b04e35c897ce55fb
Instruction ID: 8700223d428efc1626e24bbcbf02bc167a83caacff005d9862128ba2205bf0de
Opcode Fuzzy Hash: 6d9e11fbb7691858037e440b79d91f04e3596423e75a40b1b04e35c897ce55fb
Instruction Fuzzy Hash: 9B312B34A012048FCB18EF69D458A9EBBF6FF89614F148569D406EB3A5DF70EC45CB90

Function 04B9AD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6e8893cad7d30fa95c91305ef4da98b6a1ae60759ae77850ab035164fb8bb2
Instruction ID: d8e91ed066814946032cbe32738f472c7b0203ebf6c1999e7ee4a4d39378a1c3
Opcode Fuzzy Hash: 5a6e8893cad7d30fa95c91305ef4da98b6a1ae60759ae77850ab035164fb8bb2
Instruction Fuzzy Hash: A63130B8E003099FEB04DFA4D854AAEB7B2FF89300F108469D611AF395DA75ED458B90

Function 0327F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1355441378.000000000327D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0327D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_327d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ad39a0aec13c139c7d041654e5c94ea090893f259bab7c4e9b911536a6d875
Instruction ID: 0a2e05c2c3113962e0ee0c16546ac2b2c3528d557baa222b464c68652da111b1
Opcode Fuzzy Hash: 86ad39a0aec13c139c7d041654e5c94ea090893f259bab7c4e9b911536a6d875
Instruction Fuzzy Hash: 5521E27661C340EFDB05DF10DAD0B16BB65FB88314F24C5A9EA094A256C336D496CBA1

Function 0327F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1355441378.000000000327D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0327D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_327d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003a5d1a6ebaa4b2e5488ded76938b0d10f8bc9fd335e62c1ec2aa270924c231
Instruction ID: 49c5b8e0350d43e2f7649041d2cfbb6123b5916134effd55cded99443e73ebb2
Opcode Fuzzy Hash: 003a5d1a6ebaa4b2e5488ded76938b0d10f8bc9fd335e62c1ec2aa270924c231
Instruction Fuzzy Hash: DD210775618340EFDB14DF14DAC4B16BBA5FB84324F24C5ADD8094B34AC376D486CA61

Function 04B99410 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b06706fe46c879faf03817232f59d9d16bcd4abfec9a09a6b353c55e3900cdd
Instruction ID: 9d7c2194c1c50c37f92d7ffc3005ce2870aa3df350d21b91afa819eabf748631
Opcode Fuzzy Hash: 4b06706fe46c879faf03817232f59d9d16bcd4abfec9a09a6b353c55e3900cdd
Instruction Fuzzy Hash: 4B217CB4A057448FEBA0DF6AD08838AFFF6EF88310F28C06ED45D97345D67468818B61

Function 0327F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1355441378.000000000327D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0327D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_327d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction ID: a583829984d1b14828c4baae1c34a09bb05ee9dd78b85bcb1f56ed572e9b550c
Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction Fuzzy Hash: 1B218E76508240EFCF06CF14D6D4B15BF72FB48314F28C5A9D9494A656C33AD456CB91

Function 0327F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1355441378.000000000327D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0327D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_327d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
Instruction ID: 44c531b79db2601a71131b7977be3f5802ac2015a43e088a2056ceccca1849b2
Opcode Fuzzy Hash: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
Instruction Fuzzy Hash: 69118B7A508280DFCB15CF14D6C4B15BFA1FB84324F28C6AAD8494B756C33AD49ACB61

Function 04B9BCF0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c4f5e3246dab67fbf26c81f3d0e1e92d2673bd361e6476156eb0bfc36ea303
Instruction ID: 8f2719a9e98e7d2534caf16dd532c2781a282a25c1a94d35d5ee869f3f2a6eb5
Opcode Fuzzy Hash: a4c4f5e3246dab67fbf26c81f3d0e1e92d2673bd361e6476156eb0bfc36ea303
Instruction Fuzzy Hash: 0A11A1316083448FDB24DB75E594A6A7BE1FF46210F5884EEE08EC76A2DA30FC45D700

Function 04B9E768 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264c109ae4259c55b4d8d24ce5d192655d774b7c20a5b69a58cbee1ae26413c5
Instruction ID: 1b33a911cae4dcfb2307253deb079d93ee76994ff91e055d769d14fbbf4e7d47
Opcode Fuzzy Hash: 264c109ae4259c55b4d8d24ce5d192655d774b7c20a5b69a58cbee1ae26413c5
Instruction Fuzzy Hash: FB110974204750CFC728DF79D0808A6B7F6EF8A21572489ADD04A87BA0CB36FC45CB54

Function 04B9E058 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb4ad0101bd875de75c7ec56b10db892020b9a48f25874b5c78566448b6e181
Instruction ID: eca1e24c9b649604245d911e8cfb91d0e90130abbb43f72475ca4192c6d85ee9
Opcode Fuzzy Hash: 5cb4ad0101bd875de75c7ec56b10db892020b9a48f25874b5c78566448b6e181
Instruction Fuzzy Hash: 910180357002149FCB159B74E8086AEFBF6FB88359B14816DE51AD3252DB329911CB91

Function 04B9DE48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0daf91ce91c32bc6ca64dc28c84457903006fe8ca761a4b5455ec01e8b869315
Instruction ID: 38ad8134289117efa35d43f462dd2188c30fe99d4f8f4e7214800997f68d2b17
Opcode Fuzzy Hash: 0daf91ce91c32bc6ca64dc28c84457903006fe8ca761a4b5455ec01e8b869315
Instruction Fuzzy Hash: 45F08B3A704F459B8F22561BA8009EFBBEECFDA6F130844F7E008CB105DA106C0582F6

Function 0327D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1355441378.000000000327D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0327D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_327d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fbcaf86cf37f6d25c8fe3e6a7d9693f042a4ec2b3dfbb2b62f32c9f2b7867f
Instruction ID: ca4b536635e86a63236a2a7391dd84bc0669615fc7ee54c5177c9f6847ca55a3
Opcode Fuzzy Hash: 62fbcaf86cf37f6d25c8fe3e6a7d9693f042a4ec2b3dfbb2b62f32c9f2b7867f
Instruction Fuzzy Hash: FF01407204E3C09FD7128B258895B52BFB8EF43224F1D81DBD8888F1A3C2695845C772

Function 0327D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1355441378.000000000327D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0327D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_327d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c86a1c62b123729ab87afec39b8113cb7be51b1c7a973a49ee227d290bf869
Instruction ID: 9d9440890fc528e349472b08ab5bbbf4f3fab6b32c76579f425eca759d8b0c80
Opcode Fuzzy Hash: f0c86a1c62b123729ab87afec39b8113cb7be51b1c7a973a49ee227d290bf869
Instruction Fuzzy Hash: B701F231518340AEE720CA21CC84B67FF98EF41325F0CC05AEC480B282C6789886CBB2

Function 07B63E00 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1375056639.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65b789617d24b6fd53319e3e346b5275652abfcdc1fe49e94fa7524e59e660a
Instruction ID: 60a3b646b94db37110af4d58f5884bf7e2c013279798880b90e9788e55f66776
Opcode Fuzzy Hash: f65b789617d24b6fd53319e3e346b5275652abfcdc1fe49e94fa7524e59e660a
Instruction Fuzzy Hash: 6101CBFAA08295ABE35616785802392BFE1FFC6A60B0405EECA414F713D61A8D06C3B1

Function 04B990E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd9e5a3090fcc084c182d58100515acb560c0f0404f691883363865c6cab657
Instruction ID: 32a61aa376a20917215bd48352b8cf1cfeed4aa35bef23c9cabc925a7611deee
Opcode Fuzzy Hash: 2fd9e5a3090fcc084c182d58100515acb560c0f0404f691883363865c6cab657
Instruction Fuzzy Hash: 18012BB66083409BE7559B39D45839A7FA1EBC2310F1880FEC5554F396CE396C06C7E5

Function 04B9BF20 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b97f456b8e0fc0f1c1c235c725f0ded3842e0173ee1e76e0f6eff33a8e2541
Instruction ID: a7d6117de3e888231fde5be12dea5673290bd65d8a338d67e16d88a426b11709
Opcode Fuzzy Hash: 91b97f456b8e0fc0f1c1c235c725f0ded3842e0173ee1e76e0f6eff33a8e2541
Instruction Fuzzy Hash: F4F0A4363193915FDB114A795C509BB7FE9EB8669070940BBF544CB3A2D6B0DC058B60

Function 04B9F579 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154f64f1657c8d366d234708252f25f04178f58192dddc958e32ea746a097710
Instruction ID: b02e7461725454beb9a16edf8e2175fba405b89c51a14ac49fee8edaad240242
Opcode Fuzzy Hash: 154f64f1657c8d366d234708252f25f04178f58192dddc958e32ea746a097710
Instruction Fuzzy Hash: 0E111B71D0078ADBCB54DFE4C9445AEFBB1FF89310F14472AE011EA645EBB029968B84

Function 04B97940 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d64bb513e8a49e1fb91c1de3d4fefef1d793d84b83f1f614cdff717c1e0a8a
Instruction ID: e6c3d588183e84963501f50fc282e1a208bbc8bad703a3ea61d15116fba2babe
Opcode Fuzzy Hash: 77d64bb513e8a49e1fb91c1de3d4fefef1d793d84b83f1f614cdff717c1e0a8a
Instruction Fuzzy Hash: 7AF0F0327053049FDB20DB69E880EAF7BE5FB88221B00056EE04AC7351DF30AC45CBA4

Function 0327D993 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1355441378.000000000327D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0327D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_327d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2c505deb7470033fa48da06c38781ae1e855494353cdff6c3b0fd169e9aad6
Instruction ID: 868d9c06aa328fe48c9d38cc8cfbc1e51cbe97b67f793980bd27c46b665b305c
Opcode Fuzzy Hash: 2f2c505deb7470033fa48da06c38781ae1e855494353cdff6c3b0fd169e9aad6
Instruction Fuzzy Hash: FCF0E776600640AFD720CF0AD985C23FBA9EFD4670319C55AE84A4B712C671E842CAA0

Function 04B97664 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179787cf05ed074ee67252d6fc345a9dd828abd8c8818f64e02c09885cb73706
Instruction ID: 3e4e01d64faa94cb3a85788252151dede7257ae018261c4015f698d02a7b2f02
Opcode Fuzzy Hash: 179787cf05ed074ee67252d6fc345a9dd828abd8c8818f64e02c09885cb73706
Instruction Fuzzy Hash: 7CF04F39B00118CFCF14DFA8E8409DD77F2EBC8225B0540A4E509DB710DB31ED028B90

Function 04B9DFF8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253f32d7e215a3c1122880b21f9c5450dcc7c3efb2482d0e28f3814d804c20e2
Instruction ID: 91e5f522fdf2d987fd770ec6a0d1de1365d53f42b4cd0240f699366e87599068
Opcode Fuzzy Hash: 253f32d7e215a3c1122880b21f9c5450dcc7c3efb2482d0e28f3814d804c20e2
Instruction Fuzzy Hash: 8DF05E347082409FC7108B29D894D66BBF5EFCA71531914E9E584CB776DA62EC12CB94

Function 0327D984 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1355441378.000000000327D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0327D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_327d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8342a04a56e4db3addeb6e611d1d7dbf8222e2838a381454c30fea57c86bfc72
Instruction ID: 30d9b8680c2f9a5e0ed8348ad30ef1471bfe251b852497cc0efc2348a07f8cc1
Opcode Fuzzy Hash: 8342a04a56e4db3addeb6e611d1d7dbf8222e2838a381454c30fea57c86bfc72
Instruction Fuzzy Hash: D0F0F975110A80AFD725CF06CD85D23BBB9FF95624B198499F85A4B712C671FC42CFA0

Function 04B9F588 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54098f725ef4a57736616146b3a9a037eea534e138ea69f107b780d18fbe643b
Instruction ID: 25846de284b0f098ab8650932455bb283a38739f14f1b8d8a7bb0124e73768f7
Opcode Fuzzy Hash: 54098f725ef4a57736616146b3a9a037eea534e138ea69f107b780d18fbe643b
Instruction Fuzzy Hash: E201E471D1075AEBCB04DFE4C8446EEFBB1FF99300F20472AE015A6604EBB02695CB80

Function 04B99168 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d3e14afb0751fc2b53219915ff26ada56aec74684d29ddc2c8d1be1df3f744
Instruction ID: 600bd7c0fa1869886e27ca2de7e8f05ad51ac57f22ea4e9bf662bb22509f0470
Opcode Fuzzy Hash: b4d3e14afb0751fc2b53219915ff26ada56aec74684d29ddc2c8d1be1df3f744
Instruction Fuzzy Hash: A4F090755093505FE7A08B79D4AC39ABFE4EB06350F0488AED25AC6292DB35BC808750

Function 04B9E958 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf5884b913f7116d68b72feef2f5cbb71ea7c51b40ce1ddfeb6b5329e89be4e
Instruction ID: aafde890c107e8f535d1660e107f2d867c87f950b143b37986a70a54787750fc
Opcode Fuzzy Hash: ddf5884b913f7116d68b72feef2f5cbb71ea7c51b40ce1ddfeb6b5329e89be4e
Instruction Fuzzy Hash: 13E0AB32B00304F66F60C1B958904DEBBE8D7A5564F0044BAE94176281C732BD058250

Function 04B97950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df98916430b19d274a6b755d2ee7a2358f5cc8f43f420889f7e10d0dfd2bbed
Instruction ID: 7a50ac4022bae80c5e1d2e382bbeda35b2472a6006b3746f46405c3c98d23872
Opcode Fuzzy Hash: 2df98916430b19d274a6b755d2ee7a2358f5cc8f43f420889f7e10d0dfd2bbed
Instruction Fuzzy Hash: 1CF0A7367007149FDB109A55D844A7F77E9EB88271B00052DE109D7350DF70AC4587A4

Function 04B990F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147d1fec06c1ca86daa4e706b9071510f76d5c8f7d174313baad833c079d884a
Instruction ID: 9c74185f4941667486e1156c4dc473ddd87bd788f2340ee1b767250f80b43b9a
Opcode Fuzzy Hash: 147d1fec06c1ca86daa4e706b9071510f76d5c8f7d174313baad833c079d884a
Instruction Fuzzy Hash: C7F0E2396142048BE704AB69D01879BBBA6EBC1314F10816ACA194B388CE3A6845CBF1

Function 04B9E008 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fec1c72563bb4507070f2d5e56e435ebae96d53aac6cdfdddbd5fca76ac82df
Instruction ID: f1306dfa38410d52243675f2f89a7cdd2d8a2670d7d521dc37ca68fec00744c4
Opcode Fuzzy Hash: 3fec1c72563bb4507070f2d5e56e435ebae96d53aac6cdfdddbd5fca76ac82df
Instruction Fuzzy Hash: 04E06D353001008F8710CB2DD494C26B7EAEFCE71531900A9E545CB720DA21EC01CB90

Function 04B9AF98 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5c075dd8d3461f84a88de55b8f90f9016b7f391e21c11d398c092beaeafb02
Instruction ID: 7bfcbf1a13cd167dfb73b42015f434b11eecf3843905f812edfac8823d85d4dc
Opcode Fuzzy Hash: 7d5c075dd8d3461f84a88de55b8f90f9016b7f391e21c11d398c092beaeafb02
Instruction Fuzzy Hash: 5AE0D8627083D1179F29442A6C1026ABBF7C6CB57130D40F7A144CF286EC11AC014350

Function 04B9EADE Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8cb16881697f7c277e5a341a020b8b96b2c1e2a845ed0df31089107c7d47f4
Instruction ID: 8e86fd6f631184e3ed17b2b72af1f2e247313ae967678cef863b4c03c4c8d7b6
Opcode Fuzzy Hash: da8cb16881697f7c277e5a341a020b8b96b2c1e2a845ed0df31089107c7d47f4
Instruction Fuzzy Hash: 3DF06D39A11214DFCB00DB98E585D9DFBB2FB48311B25C559F905A7356CB31EE15CB40

Function 04B99559 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05da41538ea75c443a2b0e3da57acc58e27d2fcae55beb72360b333cb515bc05
Instruction ID: 09f15673230c4505b9b74fb05b03a97bed9d5aa4d0d7034f7b324d6bcb27e79b
Opcode Fuzzy Hash: 05da41538ea75c443a2b0e3da57acc58e27d2fcae55beb72360b333cb515bc05
Instruction Fuzzy Hash: 41E0C2527113A6136ED971BA18007BF79CECED70A974801FE9A48C7306EC08EC0283F0

Function 04B98973 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468ac60305e621640c4b450f13d087034e02ef5423c7708f0d2e60514c00f65c
Instruction ID: a0c49af1873f1057d1156e306d24e9daf588ebd8301468044a14c621689c4a1b
Opcode Fuzzy Hash: 468ac60305e621640c4b450f13d087034e02ef5423c7708f0d2e60514c00f65c
Instruction Fuzzy Hash: 45E0D83571871097CB0D7B75941C2AEBA96EBC4765F04402EE61A83346CF755C1183D5

Function 04B98739 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b75743a7b41bc495f6b63b7e12e1a0c4c8af832eee65c605cc62cfffbff5a1
Instruction ID: 32fced8611cfecd44378cafae5b29e72880c7537d974edfa0e5b17f0cc862316
Opcode Fuzzy Hash: 65b75743a7b41bc495f6b63b7e12e1a0c4c8af832eee65c605cc62cfffbff5a1
Instruction Fuzzy Hash: 7DE0D830825349CFCF55BBB6D4494BDFFB0EA13201B0041FDC51395186EA31699ACBC1

Function 04B99178 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93e3f2e69e4355589a6af8ef5d5aea5dc3d9e6e1f336d4548c0c8eaaa4a421b
Instruction ID: b5ea0f8d8223824dcc8469c940ff8a4cb3867f377864cd32599b9038bf93fe75
Opcode Fuzzy Hash: e93e3f2e69e4355589a6af8ef5d5aea5dc3d9e6e1f336d4548c0c8eaaa4a421b
Instruction Fuzzy Hash: 1AF06D709003049BD7A4DF79D49C39ABBE5FB44350F00486DD21EC7341DB35A8808B90

Function 04B98978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b24de100469454c469400f9eb8e4d216779c58c69f685795283efd81ca3992b
Instruction ID: d32b2c788656d26bf7a7e34934dc9571e0a81801a1a3b1169f625edd345061e7
Opcode Fuzzy Hash: 1b24de100469454c469400f9eb8e4d216779c58c69f685795283efd81ca3992b
Instruction Fuzzy Hash: 8EE0263931831097CB0C3B78A41C2AEBA96EBC4724F04402ED71A83346CF785C1183D5

Function 04B99560 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1956e959097faba2a6a7bdfd12c5e35a563170278dac8a4e800de66d9414aa
Instruction ID: d8049ccb04a8fb5ebe126b4def42a2673bfec543219192ba48b5a0d1403ffbce
Opcode Fuzzy Hash: af1956e959097faba2a6a7bdfd12c5e35a563170278dac8a4e800de66d9414aa
Instruction Fuzzy Hash: ECD05E52311266176ED871BA280077BB5CECBC64A574500FE9A08C3341EC44EC0243F1

Function 04B9DEA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: c6c0230bed67414c8619995c36069a83019f4f575299ba74e572e00ace983bc4
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 16E08635B00014978B08996ED4115D9F7AADBCC220F1480BAD90AA7340DA326D1686E1

Function 04B9DE58 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce88ddb1c066e39080e1063a8dd29dd72a4384cdb7518969b3bbcdc8e401e73
Instruction ID: 9d64381f0c9bd14edad71377c957e48a2d87d8abbbe2ab11da782ed0222ec3dd
Opcode Fuzzy Hash: 4ce88ddb1c066e39080e1063a8dd29dd72a4384cdb7518969b3bbcdc8e401e73
Instruction Fuzzy Hash: 2CE0C236700B14478B16A61EA80089FB7EFDFC95F9304843EE019CB310DE64EC0647E6

Function 04B98800 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd34fea1924575d99a7f6404a3320a53e7efe981ec6d652e9856571464ab2e4
Instruction ID: f5870ccf8e287677d394e7d04cbe6110ed473dec12a0e68f1bb6237557ed37c9
Opcode Fuzzy Hash: 9bd34fea1924575d99a7f6404a3320a53e7efe981ec6d652e9856571464ab2e4
Instruction Fuzzy Hash: E2E09A30E2834A8B8B25ABA4D48696EFFF0EB16305B04C4B9DD459B346EA306C51CB90

Function 04B9F618 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c87b5019f24a9404f198b127bb85690b07c0ca634e3af0d542ce13fe9200ebf
Instruction ID: 9c0f61f2dda629748c2c156472e09531e9bf55d83f807baf99e44b7f5df1c282
Opcode Fuzzy Hash: 8c87b5019f24a9404f198b127bb85690b07c0ca634e3af0d542ce13fe9200ebf
Instruction Fuzzy Hash: FDE01A70E0424A8FCB80DF7C88415A9FFF0EB4D250B5485BEC559D7215E3325A11CF81

Function 04B9F628 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 4776ab766ca51a99127e2570fa6965b6bdb067b5693fd2c6543fdcf45e3a938e
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 36D06270D042099F8780DFADC94156DFBF4EB48210F5085BA8919D7311F7315A52CBD1

Function 04B98748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb849ed33b4d456aacbf0cdb858005a6ebfc998fdcd0e4b6132fb7997cb691a6
Instruction ID: 224ac66c9fbacac1cdbc799128ba6cb5b1f3a5a49d952f582f7645cf995fcc0e
Opcode Fuzzy Hash: bb849ed33b4d456aacbf0cdb858005a6ebfc998fdcd0e4b6132fb7997cb691a6
Instruction Fuzzy Hash: ACD017308142098FCB48BBA4E81A4BDBB74FA10301F4181ADD91752196EE312AAACAC0

Function 04B98810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8819efcdb05c1d8d922ddd2130dfbba589dbcf671ebae71123453ddc83c78ee4
Instruction ID: 9c831e8e96e6b85be625b70592a08e03b7b9faf4fdf491b7c99a2b3f3ae3b04e
Opcode Fuzzy Hash: 8819efcdb05c1d8d922ddd2130dfbba589dbcf671ebae71123453ddc83c78ee4
Instruction Fuzzy Hash: F1D01734A1830A8F8B48EFA8E44686EFBF4EB45300F00816DDA0A93395EA306C51CBC1

Function 04B9EC07 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d16aabf0a810544f2c010d7f83f0d97432e05508b26a8a1cc46143c4b5d571
Instruction ID: e280b2cc366fdb7ff9cb13d174147f5252eefa8adfdfa4c479dd7ab3107ef70e
Opcode Fuzzy Hash: 64d16aabf0a810544f2c010d7f83f0d97432e05508b26a8a1cc46143c4b5d571
Instruction Fuzzy Hash: 27D09239B00218CFDB04DB98E894A9CF371FB84326F2084A5E919AB251DB32ED12CB40

Function 04B9791A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f4fb6414bc2756ffe68e04f0c217949e6afe2b359b9c65bcbbd25094e2e555
Instruction ID: bc3bfe7676d90d378c51ee03c35716e90daab524d76170068427f00eb070abf8
Opcode Fuzzy Hash: d7f4fb6414bc2756ffe68e04f0c217949e6afe2b359b9c65bcbbd25094e2e555
Instruction Fuzzy Hash: FDD0C9345493889FCB159F7CE485E083FA0AB02324B01059EE88A8B267CE36D895CF04

Function 04B97E90 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd091bea2c95c8cf1273ab759c1dc8a3590baf85df2b57ef4d46ff976a8f816
Instruction ID: 57b3ca7896873152c082f834549db3525c493eafee02c7b40898b11934f40b09
Opcode Fuzzy Hash: bbd091bea2c95c8cf1273ab759c1dc8a3590baf85df2b57ef4d46ff976a8f816
Instruction Fuzzy Hash: E1C02B3561C0404FEF08CB358C69717BB725742204F08804CC181C3980CD244406CE08

Function 04B97928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3626ab14cfb342c82b1aae8821a7ca2023128f2e3ff4df862c9414d1d444a675
Instruction ID: f33c0fdb58b1e60ebf4875a89846c8a43b4965f7a79d3896220bfeb1a392b9a6
Opcode Fuzzy Hash: 3626ab14cfb342c82b1aae8821a7ca2023128f2e3ff4df862c9414d1d444a675
Instruction Fuzzy Hash: EEB0923004570C8FC2486FB9A4089187729EB4032538104AAE90E0B3A68E36E885CA44

Non-executed Functions

Function 04B9ED68 Relevance: 11.4, Strings: 9, Instructions: 180COMMON

Download Yara Rule

Strings

$q, xrefs: 04B9EEEB
,kAq, xrefs: 04B9EEC3
$q, xrefs: 04B9EE60
$q, xrefs: 04B9EED1
,q, xrefs: 04B9EDBD
$q, xrefs: 04B9EF05
0oEp, xrefs: 04B9EEF7
$q, xrefs: 04B9EF1F
$q, xrefs: 04B9EEB7

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID: ,kAq$,q$0oEp$$q$$q$$q$$q$$q$$q
API String ID: 0-1341813306
Opcode ID: 243e70ea02c4c0fe23c094bcbf0cbc20baa61896527e29621d8c82391e4947d9
Instruction ID: 1977b3fa33930ff0bd411a8d2864131470a06e28ee9777ffc6e06b44fc6173bf
Opcode Fuzzy Hash: 243e70ea02c4c0fe23c094bcbf0cbc20baa61896527e29621d8c82391e4947d9
Instruction Fuzzy Hash: E25171307041158FEF29EB7AA85472C7BD6FF8961132508FAE15ACB7A1EE11EC0187D2

Function 07B61BE0 Relevance: 10.5, Strings: 8, Instructions: 482COMMON

Download Yara Rule

Strings

$q, xrefs: 07B62166
4'q, xrefs: 07B61F89
$q, xrefs: 07B62172
tPq, xrefs: 07B61FDF
tPq, xrefs: 07B61FEB
4'q, xrefs: 07B61C92
4'q, xrefs: 07B61F95
4'q, xrefs: 07B61C86

Memory Dump Source

Source File: 0000000D.00000002.1375056639.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$tPq$tPq$$q$$q
API String ID: 0-4018001354
Opcode ID: 925b4892d46657f2aee619fc7b3c5315e28eb731e6044109abe842e31438ef31
Instruction ID: 28f0b8c6bcba440a3eb71857caa4a59b2833a03e3a8d9aaa7c3f82dae2470f33
Opcode Fuzzy Hash: 925b4892d46657f2aee619fc7b3c5315e28eb731e6044109abe842e31438ef31
Instruction Fuzzy Hash: 58F149F1B0430E8FE7259B6D94086ABBBA2EFC5211F1884EBD7058B251DB39D841C7A1

Function 04B9EF98 Relevance: 10.5, Strings: 8, Instructions: 453COMMON

Download Yara Rule

Strings

0oEp, xrefs: 04B9F3B5
$q, xrefs: 04B9F2C0
0oEp, xrefs: 04B9F3F3
,kAq, xrefs: 04B9F303
0oEp, xrefs: 04B9F3E7
`Qq, xrefs: 04B9F4AC
$q, xrefs: 04B9F4D6
$q, xrefs: 04B9F31C

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID: ,kAq$0oEp$0oEp$0oEp$`Qq$$q$$q$$q
API String ID: 0-484348198
Opcode ID: 6876b11ac729a94dfdde889220b9e08159a53744e420e71950d61e7bf6e574e1
Instruction ID: 6d0ad5cef6a156d71e75a5f359c2a856fd23f28668fd84d6d702cea4ff89ffb5
Opcode Fuzzy Hash: 6876b11ac729a94dfdde889220b9e08159a53744e420e71950d61e7bf6e574e1
Instruction Fuzzy Hash: 3DE19530B102108FEF249B7A941463E77D6AFC9621B2944FAD906DF7A5EE70EC4287D1

Function 07B63678 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B63722
$q, xrefs: 07B6382A
$q, xrefs: 07B637FF
$q, xrefs: 07B63836
4'q, xrefs: 07B6372E

Memory Dump Source

Source File: 0000000D.00000002.1375056639.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 3ca169fc202c2ebccbfb8800fd6efae699ba0cc1fd634d70701d18b4f26a3e0c
Instruction ID: d6fdae9b9f9c975bb403e9b233de1daa049997e36fb60f1c0e8c7c9b3a2caf54
Opcode Fuzzy Hash: 3ca169fc202c2ebccbfb8800fd6efae699ba0cc1fd634d70701d18b4f26a3e0c
Instruction Fuzzy Hash: D75158F1B043069FE7248B6988197B6BBF2EFC6611F2880AAD645C7351DA39C841C7A1

Function 07B63F28 Relevance: 5.4, Strings: 4, Instructions: 394COMMON

Download Yara Rule

Strings

4'q, xrefs: 07B64180
4'q, xrefs: 07B64026
4'q, xrefs: 07B6418A
4'q, xrefs: 07B64030

Memory Dump Source

Source File: 0000000D.00000002.1375056639.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: 815dd12766bec8ed4d9033a9eef9789e65998273f72dcf5a8ade9a1c7548c485
Instruction ID: 5b5a0c98cbf2f2fb80b47b9474f8f305639a66c822e4518ac816467212592264
Opcode Fuzzy Hash: 815dd12766bec8ed4d9033a9eef9789e65998273f72dcf5a8ade9a1c7548c485
Instruction Fuzzy Hash: 5AD179F17043968FEB159B69881476BBFA2EFC2211F1480BAD705CB391DB39CA45C7A1

Function 04B97A09 Relevance: 5.2, Strings: 4, Instructions: 239COMMON

Download Yara Rule

Strings

`q, xrefs: 04B97C2C
`q, xrefs: 04B97CAA
`q, xrefs: 04B97B8A
`q, xrefs: 04B97B0B

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID: `q$`q$`q$`q
API String ID: 0-10485352
Opcode ID: b8f7ec2a2eb144b1708e8eed01e430cf4c763b5689ae80d2bfb3694485ed641c
Instruction ID: 2df1c4cd23032f274a61bb5aac1692562fb974f415fd38cd54ca7b52d35c2b6b
Opcode Fuzzy Hash: b8f7ec2a2eb144b1708e8eed01e430cf4c763b5689ae80d2bfb3694485ed641c
Instruction Fuzzy Hash: 5EB19078E013199FDB54DFA9D880A9DFBF2FF88200F108629D819AB314DB70A9458F91

Function 04B97A18 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`q, xrefs: 04B97C2C
`q, xrefs: 04B97CAA
`q, xrefs: 04B97B8A
`q, xrefs: 04B97B0B

Memory Dump Source

Source File: 0000000D.00000002.1356853808.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4b90000_powershell.jbxd

Similarity

API ID:
String ID: `q$`q$`q$`q
API String ID: 0-10485352
Opcode ID: 9ef558e142a53913934db9bb44a10821cc57fb846e89ebaadc45c7538c72ede3
Instruction ID: 321f13463599be5bc6f30a07ed1674658a8f6126c62b5fea7b98436c2b874ded
Opcode Fuzzy Hash: 9ef558e142a53913934db9bb44a10821cc57fb846e89ebaadc45c7538c72ede3
Instruction Fuzzy Hash: 35B18078E013199FDB54DFA9D980A9DFBF2FF88300F108629D819AB314DB70A9458F91

Function 07B65778 Relevance: 5.1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

Strings

$q, xrefs: 07B657AA
$q, xrefs: 07B657C6
$q, xrefs: 07B65800
$q, xrefs: 07B657F4

Memory Dump Source

Source File: 0000000D.00000002.1375056639.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 321ac810b89734e20048934d92ad2ff706407d8407d876aac8717f1bce60c19d
Instruction ID: fb5aebf9a7c54b4f0fe3ad711ad61341cfc5eee88e838b295a0d1fffb0a35321
Opcode Fuzzy Hash: 321ac810b89734e20048934d92ad2ff706407d8407d876aac8717f1bce60c19d
Instruction Fuzzy Hash: 00316CF1305345AFF7355A3598187667F969FC2610F2940ABEB44CB2C2E92ED935C321

Function 07B65798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07B657AA
$q, xrefs: 07B657C6
$q, xrefs: 07B65800
$q, xrefs: 07B657F4

Memory Dump Source

Source File: 0000000D.00000002.1375056639.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: ec7d1ec9315131465d802d364b6e7d4fafcff9de2817dd6727045b17c0cc6502
Instruction ID: 79d479518d0223e1c0b2b0d5ce0fb389c28ab42076a5908524eebdc6a7d18e08
Opcode Fuzzy Hash: ec7d1ec9315131465d802d364b6e7d4fafcff9de2817dd6727045b17c0cc6502
Instruction Fuzzy Hash: A4213AF27103069BF734562A9819737B796EFC0711F24407AAB0587781DD79C8318360

Function 07B60308 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

$q, xrefs: 07B6035E
4'q, xrefs: 07B60373
$q, xrefs: 07B60352
4'q, xrefs: 07B6037F

Memory Dump Source

Source File: 0000000D.00000002.1375056639.0000000007B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7b60000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: 1a38cec01c101ce775f0fd9d1f8f7b6734cdcb702254792b2b4676c85542a697
Instruction ID: 4a87efddcaef1cfd137646fef62a0abdcdcacfe706ffaf90a78af03701f7407c
Opcode Fuzzy Hash: 1a38cec01c101ce775f0fd9d1f8f7b6734cdcb702254792b2b4676c85542a697
Instruction Fuzzy Hash: D301476071D3824FE727622528202552FB2AFCB14171E81E7C580CF393C9184D0AC3A7

Analysis Process: powershell.exePID: 5084, Parent PID: 7464COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 07603CE8 Relevance: 5.6, Strings: 4, Instructions: 589
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 07604026
4'q, xrefs: 0760418A
4'q, xrefs: 07604030
4'q, xrefs: 07604180

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q
API String ID: 0-4210068417
Opcode ID: 3cd510650b7ebe4847cbe67f9c038b4b55715a67c06ddc1ce042e9588cbeda53
Instruction ID: 9d3a70dd45f3317d11065eaf9ff790d13d58602915caa3f47dd366f53a47b310
Opcode Fuzzy Hash: 3cd510650b7ebe4847cbe67f9c038b4b55715a67c06ddc1ce042e9588cbeda53
Instruction Fuzzy Hash: 0B1227B1B042558FD7298B7998107ABBFA2AFC2211F1484AAD606CB7D1DF31DC46C7E1

Function 08767280 Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 087672EA

Memory Dump Source

Source File: 0000000F.00000002.1428996461.0000000008760000.00000040.00000800.00020000.00000000.sdmp, Offset: 08760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8760000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: dcd2878e2187e25ddf2623ea0a53aaabae8a1d0b80caa94f7cf9b0a692a1764f
Instruction ID: ee1835a7261005b03e2189b5c444f0e93275f9a857caf39b1bbd56273d56a3fe
Opcode Fuzzy Hash: dcd2878e2187e25ddf2623ea0a53aaabae8a1d0b80caa94f7cf9b0a692a1764f
Instruction Fuzzy Hash: A91123B5C003488FDB20DFAAC885BDEBBF4AF49364F24855AD418A7210C774A945CFA1

Function 08767288 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 087672EA

Memory Dump Source

Source File: 0000000F.00000002.1428996461.0000000008760000.00000040.00000800.00020000.00000000.sdmp, Offset: 08760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_8760000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 8c4a6cff816c39d76efee1a3b268fd119b478328f7cd98ccb3a15bf799a03dd6
Instruction ID: 79484b82b89b68c128d1a1e2e1671022f9f2cb6e64e4942992686f9aa5e74992
Opcode Fuzzy Hash: 8c4a6cff816c39d76efee1a3b268fd119b478328f7cd98ccb3a15bf799a03dd6
Instruction Fuzzy Hash: 6A1125B5D003498FDB20DF9AC844B9EFBF8EB48264F24841AE418A3210C774A944CFA5

Function 07602700 Relevance: .3, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28acb730a5e8d1d40c0a89aa735ea3ee4ae400c10d850d29b9d86df7114ac40
Instruction ID: fa92a52003bfbbe70002024554001190f2b89d1e9a8d363f727117f57606fc5f
Opcode Fuzzy Hash: f28acb730a5e8d1d40c0a89aa735ea3ee4ae400c10d850d29b9d86df7114ac40
Instruction Fuzzy Hash: 01B128B1B002058FDB298B7988587ABBBE5BF89211F1480BAD506CB7D1DB31DC45CBE1

Function 07603CCD Relevance: .1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4064dc11773c73e2a3613838cd6ceb941c45050a32f54c61c7c6c0aee2941570
Instruction ID: 3e65da0106fe4337b6c110c8430154e13096d2d8b27e6874a086ca7744d2e65b
Opcode Fuzzy Hash: 4064dc11773c73e2a3613838cd6ceb941c45050a32f54c61c7c6c0aee2941570
Instruction Fuzzy Hash: E84113F1A10202CFCB298F36C5506ABBBA2AF85252F1481AED9029F7D1D731DD45C7E1

Function 076026FE Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f2aadde8da4dddb8aa2fb70bb0c5f7870d687c8d25ac21c08d21e28b6f6358
Instruction ID: 869f5993a221cbad611f57f58a660dab5a8dde8897595023c45b2601079c0fe7
Opcode Fuzzy Hash: 62f2aadde8da4dddb8aa2fb70bb0c5f7870d687c8d25ac21c08d21e28b6f6358
Instruction Fuzzy Hash: E321A0B5A00206DFDB288F69C49CBA777E4BF45225F148066D80A8B7D0C334D984CBE1

Non-executed Functions

Function 07600FDD Relevance: 17.8, Strings: 14, Instructions: 294COMMON

Download Yara Rule

Strings

`Qq, xrefs: 076010ED
$q, xrefs: 07601229
fq, xrefs: 076010A2
$q, xrefs: 07601065
`Qq, xrefs: 0760115F
tPq, xrefs: 07601127
tPq, xrefs: 07601133
$q, xrefs: 07601253
$q, xrefs: 07601263
`Qq, xrefs: 07601153
$q, xrefs: 07601081
`Qq, xrefs: 07601193
$q, xrefs: 07601239
$q, xrefs: 07601044

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: fq$`Qq$`Qq$`Qq$`Qq$tPq$tPq$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3648286599
Opcode ID: 97d8ee63239db30da0db98db65858166cbc826867b17b1429e0c8ba9bf993adf
Instruction ID: d703bd93682c41dd7aeb5da33bb631581b73e80ed12fe77b18ff3603edaee40e
Opcode Fuzzy Hash: 97d8ee63239db30da0db98db65858166cbc826867b17b1429e0c8ba9bf993adf
Instruction Fuzzy Hash: 8AB192B0A0024EDFDB2D9F69D8416AF7BA2BB86301F148455E8429B3D1DB31DD52CBE1

Function 07601BE0 Relevance: 10.5, Strings: 8, Instructions: 453COMMON

Download Yara Rule

Strings

$q, xrefs: 07602166
4'q, xrefs: 07601C92
tPq, xrefs: 07601FDF
tPq, xrefs: 07601FEB
4'q, xrefs: 07601F95
4'q, xrefs: 07601F89
$q, xrefs: 07602172
4'q, xrefs: 07601C86

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$tPq$tPq$$q$$q
API String ID: 0-4018001354
Opcode ID: 7521e8ddf265a367ea26de7db6eade2a9b3e4aa3143c219612f1bd5a7463f3d7
Instruction ID: 5003d3dce1e6858c4e8bbc8ce9ca5cd24e7b45c01387900e526126f97c990218
Opcode Fuzzy Hash: 7521e8ddf265a367ea26de7db6eade2a9b3e4aa3143c219612f1bd5a7463f3d7
Instruction Fuzzy Hash: 0BE119B1B043098FC72D8B79941566BBBB2AF86311F1880ABD9478B3D1DB31D846C7E1

Function 07603928 Relevance: 10.3, Strings: 8, Instructions: 325COMMON

Download Yara Rule

Strings

4'q, xrefs: 07603B29
4'q, xrefs: 07603B35
tPq, xrefs: 076039A5
$q, xrefs: 0760396C
$q, xrefs: 0760393A
$q, xrefs: 07603960
$q, xrefs: 07603C0E
tPq, xrefs: 076039B1

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q
API String ID: 0-2958727440
Opcode ID: 8da8846e38d8db386e3939dbbceb44261066e2b46dc2905d62544b27bcea9282
Instruction ID: a73050c2ed80decb47e18c8ee5fea9eb23007d170fae19778e9cf0a905471688
Opcode Fuzzy Hash: 8da8846e38d8db386e3939dbbceb44261066e2b46dc2905d62544b27bcea9282
Instruction Fuzzy Hash: 2EA115B27043558FD7299B7A9811767BBA1AFC6212F18806ED846CB3D1DB31CC46C7E1

Function 07604408 Relevance: 6.6, Strings: 5, Instructions: 349COMMON

Download Yara Rule

Strings

4'q, xrefs: 07604725
tPq, xrefs: 07604597
0Uq, xrefs: 07604423
tPq, xrefs: 0760458B
4'q, xrefs: 07604719

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: 0Uq$4'q$4'q$tPq$tPq
API String ID: 0-4125782392
Opcode ID: 49e1734748974afcf8e1efcb7c559ec97aaa049573efe321a6d24ae9e4c3a041
Instruction ID: 71282b4fd8a4c485f2f2b3ff053d3ad5d958e23cb9f4ce447e0f9906f058b048
Opcode Fuzzy Hash: 49e1734748974afcf8e1efcb7c559ec97aaa049573efe321a6d24ae9e4c3a041
Instruction Fuzzy Hash: 92B114B1B042858FD7398B799444667BFA2AFC7221F18806BDA06CB391DE31DC42C7E1

Function 07603678 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

$q, xrefs: 07603836
4'q, xrefs: 07603722
$q, xrefs: 0760382A
$q, xrefs: 076037FF
4'q, xrefs: 0760372E

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: ba9897498c936139ca612f913185a8e222d7bc99160f9318dbdbbdaeb8927e43
Instruction ID: 11c0256c28a2cd12a3093febe89ecfe3008a8cde69d8e77413094ee86199f141
Opcode Fuzzy Hash: ba9897498c936139ca612f913185a8e222d7bc99160f9318dbdbbdaeb8927e43
Instruction Fuzzy Hash: 125106B57042069BD729467B9815767BBA2AFC6212F2480AED407CB3D1DA31C846C7E1

Function 07605798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 076057F4
$q, xrefs: 07605800
$q, xrefs: 076057AA
$q, xrefs: 076057C6

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 9e55580a8847b64d336bfd58f705fc886026d64abfadc1abc06de9e3fa80e6aa
Instruction ID: d5fb25edb4d4b4472aac0d3607609ceeecdc82d0b5bfa3b6c7356bb9d776550b
Opcode Fuzzy Hash: 9e55580a8847b64d336bfd58f705fc886026d64abfadc1abc06de9e3fa80e6aa
Instruction Fuzzy Hash: EF2107B17103169BE73C5A3A9815F67B796ABC1711F24802AEE078B3C2DD75C85287A1

Function 07600309 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

4'q, xrefs: 0760037F
4'q, xrefs: 07600373
$q, xrefs: 0760035E
$q, xrefs: 07600352

Memory Dump Source

Source File: 0000000F.00000002.1424617584.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7600000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: e9c70efc306fb9014217a1c11f49d1ceda0b5be20a74ed3cefc859656b1d94d2
Instruction ID: 7cf95fcdefc5f37cc8d03bae4e15dd5e1ab991c297c41be0f94184fa22c62955
Opcode Fuzzy Hash: e9c70efc306fb9014217a1c11f49d1ceda0b5be20a74ed3cefc859656b1d94d2
Instruction Fuzzy Hash: 9E01B1617093838FC32F127568202966F725FC352172E81E7D482DF293C9144D4AC3A7

Analysis Process: powershell.exePID: 2120, Parent PID: 7464COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04EBB488 Relevance: 5.3, Strings: 4, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SUFn^, xrefs: 04EBB768, 04EBB76D
cUFn^, xrefs: 04EBB730, 04EBB735
sUFn^, xrefs: 04EBB6F8, 04EBB6FD
\Fn^, xrefs: 04EBB4D4

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID: SUFn^$cUFn^$sUFn^$\Fn^
API String ID: 0-1584278953
Opcode ID: 548dc131bce3674e4c4e6770a2e35402beda621b2fb340b948d8676719cb432c
Instruction ID: d62f90c7e75a07ac57db3294f401c95d1042673949ef7549c8276ea119e5d8bd
Opcode Fuzzy Hash: 548dc131bce3674e4c4e6770a2e35402beda621b2fb340b948d8676719cb432c
Instruction Fuzzy Hash: E4917F74F007149BEB19EFB884116AFBBE2EF84700B10892DD156AB344DF74AE068BD5

Function 04EBB498 Relevance: 5.3, Strings: 4, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SUFn^, xrefs: 04EBB768, 04EBB76D
cUFn^, xrefs: 04EBB730, 04EBB735
sUFn^, xrefs: 04EBB6F8, 04EBB6FD
\Fn^, xrefs: 04EBB4D4

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID: SUFn^$cUFn^$sUFn^$\Fn^
API String ID: 0-1584278953
Opcode ID: a6b136b9262bee31a2f296f52dea804414a50141b144bd4ecd7c2c8b800b5a0e
Instruction ID: a29be6060f68bf1d3827922db812734ea2480a95925bbaf33b4ff77d09fa6728
Opcode Fuzzy Hash: a6b136b9262bee31a2f296f52dea804414a50141b144bd4ecd7c2c8b800b5a0e
Instruction Fuzzy Hash: 6A919074F007149BEB19EFB888116AFBBE2EF84700B10892DD556AB344DF74AE058BD5

Function 07DF2308 Relevance: 3.1, Strings: 2, Instructions: 646COMMON

Download Yara Rule

Strings

4'q, xrefs: 07DF2619
4'q, xrefs: 07DF260D

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 1d05007c4a70dbb79a9d2e1d2bc45df1f16315665a775a3334b22b26e211287d
Instruction ID: f308336fadb04a4e623ff07c847706239a81dbbae2f46b772f427cfbc8751546
Opcode Fuzzy Hash: 1d05007c4a70dbb79a9d2e1d2bc45df1f16315665a775a3334b22b26e211287d
Instruction Fuzzy Hash: 452245B1B00206DFDB259B6988417AEFBE1BF89311F05807AEA45CB351DB31ED45CBA1

Function 08F56960 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08F569CA

Memory Dump Source

Source File: 00000012.00000002.1484945440.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_8f50000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 9b025d8953618fefd2076291a2c267fe3ab148801a64c2e354d390ffb348e906
Instruction ID: c45725b7a0cab6178ceb675d7b9fadba7d95c2a61dc6c915e4bcf7fa71b5bf3e
Opcode Fuzzy Hash: 9b025d8953618fefd2076291a2c267fe3ab148801a64c2e354d390ffb348e906
Instruction Fuzzy Hash: 121116B5D003498FDB20DFAAC485B9EFBF4AB48320F24841DD559A7250C778A945CFA0

Function 08F56968 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08F569CA

Memory Dump Source

Source File: 00000012.00000002.1484945440.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_8f50000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 819a62751a9f7ff6a633126d626ec8129143bb4167154f7b9d697d0ab7eec1cf
Instruction ID: f1d36d3ded9d1cf5a19ae63ef3d2a865d919e5ece3845ad7507a15ff792df6aa
Opcode Fuzzy Hash: 819a62751a9f7ff6a633126d626ec8129143bb4167154f7b9d697d0ab7eec1cf
Instruction Fuzzy Hash: 9E1136B5D003098FDB20DFAAC885B9EFBF8EB48320F148419D518A3350C778A944CFA4

Function 04EB6FC8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 04EB70ED

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: e940ef377f15b682addee5368569f9bd3ee65cfe9cab19cced3c57cd25cc122f
Instruction ID: 9a5f279281a31998e1f98a75cbfdbf903521fddb38237c0465c53fe612d466b4
Opcode Fuzzy Hash: e940ef377f15b682addee5368569f9bd3ee65cfe9cab19cced3c57cd25cc122f
Instruction Fuzzy Hash: CB413A34B046048FDB15DFA4C468AAEBBF1AB8D315F145099E446AB391DA35EC01CBA1

Function 04EBAFA0 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&q, xrefs: 04EBAFC2

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID: (&q
API String ID: 0-583763264
Opcode ID: 8b765db410316cc27abce63aeb0e008bd9791fb3c7fbdede6a69fe7b7868cab4
Instruction ID: b91a33908a7a9c321edc538ff5db0808e9cc9f685c2d58ee627261834f124241
Opcode Fuzzy Hash: 8b765db410316cc27abce63aeb0e008bd9791fb3c7fbdede6a69fe7b7868cab4
Instruction Fuzzy Hash: 1521BC75E042488FCB24DFAAD440BEFBFF5EB89320F14846ED459A7340CA34A905CBA5

Function 04EB29F0 Relevance: .2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb70088368210b6359834f4a4fee37e64391a8412e12cd715ac6958c01bcbc93
Instruction ID: 075b531932ac6e56f7372457a48975780b2a843c6656ab551c65af8224ee0584
Opcode Fuzzy Hash: fb70088368210b6359834f4a4fee37e64391a8412e12cd715ac6958c01bcbc93
Instruction Fuzzy Hash: 0B916E74A002058FCB15CF58C498AEAFBB1FF49314B248699D995EB365C735FC51CBA0

Function 04EB7728 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef01395d5be9ced9ceec2027f457747831993482516b374ae7d3d0cee2f84f06
Instruction ID: fd4067c2d698d8abd18d298f62e97837b04c38e488a7351d3b03cb1ec2b2851d
Opcode Fuzzy Hash: ef01395d5be9ced9ceec2027f457747831993482516b374ae7d3d0cee2f84f06
Instruction Fuzzy Hash: 2051CC347042109FD715DB78D844AAB7BEAFFC8255B1484A9E88ACB751EB35EC01CBA0

Function 04EBBAC8 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323ce4afc342974a85dd6ac6465a7c48f5ff279e801f8451ffc181c552a496ce
Instruction ID: e950a7a206d601a2ad269c223a1e8afce6fec2acf14981eedcd0fadf3fedc886
Opcode Fuzzy Hash: 323ce4afc342974a85dd6ac6465a7c48f5ff279e801f8451ffc181c552a496ce
Instruction Fuzzy Hash: D8611671E002089FDB15DFA9D584BDEBBF1EF88314F148169E419AB355EB74AC41CB90

Function 04EBBAB8 Relevance: .1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084001dd467327d31ea6efdbf263b8a32894876ae9e577979823d95282cc8349
Instruction ID: 17d4c6691961f372409fda414946283a28c0164388861ae108b3b2f56759bcf7
Opcode Fuzzy Hash: 084001dd467327d31ea6efdbf263b8a32894876ae9e577979823d95282cc8349
Instruction Fuzzy Hash: 8C512875E003489FDB15DFA9D584ACEBBF1EF88310F148069E819AB355EB74A845CF90

Function 04EB2B00 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d694dfa57ae6be16247c44ead50710a564af77f6cf52f5739d30c0073b180641
Instruction ID: 048d6ebd8682fe34bd3f4011159417079913b3808a6553aeda15e3ca6116b93d
Opcode Fuzzy Hash: d694dfa57ae6be16247c44ead50710a564af77f6cf52f5739d30c0073b180641
Instruction Fuzzy Hash: 78413774A002098FCB16CF58C4D8AEAFBB1FF48310B119699D955AB364C736FC91CBA0

Function 04EBC390 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1c93fa0a01ba1eab68c0b84641545efc625ac87d53e7b0a404cdd599f1657d
Instruction ID: ce3322a8aa40b7b25ebdbdaeba161e324961149f44451d8f05d76af89a784cd6
Opcode Fuzzy Hash: 1d1c93fa0a01ba1eab68c0b84641545efc625ac87d53e7b0a404cdd599f1657d
Instruction Fuzzy Hash: 5C31BE353003119FD719EB78E840B9ABBA2EFC4211F14813DD20ACB352DB70A946CBA1

Function 04EB6FB9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9cd67df8691dd402f424c3a152b7b8b41b7408c445901f8fd82022cbf6bacb
Instruction ID: ea3dff6efa68c37a009c7c83cc2ce91e6952f9892a11fc98a3590743c6d7f6fd
Opcode Fuzzy Hash: ff9cd67df8691dd402f424c3a152b7b8b41b7408c445901f8fd82022cbf6bacb
Instruction Fuzzy Hash: 8D312C34B006058FDB15CFA4C558AEABBF2AF8D314F1450A9E846AB351DB31EC01CBA0

Function 07DF3DE2 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8620386ff557d0a5dc5b5cd99162ce4e09a682028dfe39251ba97a87091bebe4
Instruction ID: 87bfd1e570532196357a33867e88763c8f134b5dca932dd2f8bfde76b6271d1b
Opcode Fuzzy Hash: 8620386ff557d0a5dc5b5cd99162ce4e09a682028dfe39251ba97a87091bebe4
Instruction Fuzzy Hash: 002178B2B002208BE7255768D811BAFF7539FC5610F12856ACB029B781DB32DD01C7A2

Function 04EBAE68 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fa5b9b5fd537ecf2b556e282dfffa0724fcb11b902e86ece5c0205b7a4290e
Instruction ID: 2d61bc412feb41c7a535f3dae35d579634eb55a0af12abe10af6736500f7cbb1
Opcode Fuzzy Hash: 98fa5b9b5fd537ecf2b556e282dfffa0724fcb11b902e86ece5c0205b7a4290e
Instruction Fuzzy Hash: 2E316870E012099FDF19EFA9D484BEEBBF2AF88310F149029E505EB354EB749C418B90

Function 04EBAE78 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7259897cf312df9650ebd2e325ac8d08a694b3b6d2c170a9c3f5339fa7cd3a53
Instruction ID: 356473785e9f9ef531bcc60f31c051ff3829d0253aae261a2f42bbdbf0de6193
Opcode Fuzzy Hash: 7259897cf312df9650ebd2e325ac8d08a694b3b6d2c170a9c3f5339fa7cd3a53
Instruction Fuzzy Hash: C6313A70E002099FDF19EFA9D4947EEBAF6AF88350F149029E505EB350EB749C418BA4

Function 04EBAD30 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c31d474c06f58bfeb47c7157f6dd1c9e439a3d537bdb2a415dcf63417202a8
Instruction ID: 3426195a7d572d54a2d5adefc40659a744b67ae8e276562c55d5ccd9b9ee3636
Opcode Fuzzy Hash: 69c31d474c06f58bfeb47c7157f6dd1c9e439a3d537bdb2a415dcf63417202a8
Instruction Fuzzy Hash: 903150B8E002059FEB05DFA4E854BEE7BB2EF85300F2584ADD511AF395DA389D418B64

Function 04EBAD40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf80d874e7973d5fd0c44bbe2effc4dfa10d75aa6564a2262131b0e0dd87a24d
Instruction ID: 2326a688d1ab10d0f6b4ee04085e039edf63d6b0ba48ae8a4d27e5d07dd64ac7
Opcode Fuzzy Hash: cf80d874e7973d5fd0c44bbe2effc4dfa10d75aa6564a2262131b0e0dd87a24d
Instruction Fuzzy Hash: 0C3154B8E002049FEB04DF64E454BEE7BB2EF84300F248469D611AF395DA35DD018BA4

Function 0361F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d87d76a48f74355ccca69cd36384f8415dd7b6f52c114a8c6abf76ccc88e61b
Instruction ID: 6a14ea7c99227beb1cc3b0ad3c1c90b6a2e5d0ea3f0bdfd60b9f14b45e14ae34
Opcode Fuzzy Hash: 7d87d76a48f74355ccca69cd36384f8415dd7b6f52c114a8c6abf76ccc88e61b
Instruction Fuzzy Hash: DB21F172608200EFDB05DF10DAC0B16BB65FB88314F28C6A9E9094E357C736C466DBA2

Function 07DF2700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac32ec52af11e918326c5e0b5b8c8ad377e651d2b6427c8ed088800d8c25089
Instruction ID: 6a84d13e87a9abd38d201f6547faab3c3e6eab1f93244863bf0d7457856f9661
Opcode Fuzzy Hash: eac32ec52af11e918326c5e0b5b8c8ad377e651d2b6427c8ed088800d8c25089
Instruction Fuzzy Hash: 492181B5A10206DFDB20CF59C584B6DF7E1BB45361F16C166EA88DB251C334F944CB61

Function 04EB93F8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b557ff4c7bc0cf9efd6a79c648f63501d76ee3dc8c3e50ff6e67fba78d62d9
Instruction ID: 8f96457fb2a6af5bca5129c386c2191147b7a596932d0008a61ef225f897331c
Opcode Fuzzy Hash: 13b557ff4c7bc0cf9efd6a79c648f63501d76ee3dc8c3e50ff6e67fba78d62d9
Instruction Fuzzy Hash: F3318BB4D063448EDB60CF6AC4887CABFF2EF88324F28C05DD59D9B216D6746481CBA1

Function 0361F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8baae0b83c8c321e10ebd3f5f464de89f24981863b3dafd3aead9d27c72e512
Instruction ID: b78153f75e5bb5214df12f1d3ba53560b1cca803ee881705efa0c5159a240ee3
Opcode Fuzzy Hash: f8baae0b83c8c321e10ebd3f5f464de89f24981863b3dafd3aead9d27c72e512
Instruction Fuzzy Hash: 32213475604200DFDB14DF20DAD0B16BBA5EB84325F28C6ADD80A4F382C336D867CB62

Function 0361F4CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f177bf59595eeaade5c69f8e6163456542a0417b6ba35465c8827e793ca37924
Instruction ID: 752e0a72db4aa97cdc0363dce0028a32c29d36d0d9c41851233bca72a2d2a192
Opcode Fuzzy Hash: f177bf59595eeaade5c69f8e6163456542a0417b6ba35465c8827e793ca37924
Instruction Fuzzy Hash: DC2105B16043409FDB14DF14D6C4B26BBA5EB94314F28C6ADD9094F346C73AD857CA62

Function 04EB9408 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea452c593ab17045040853c3346e67a1ee2cbd8d5b5b910cf10f89c39c44eaa
Instruction ID: 5b9db2fdb9100f2367571685a8f6cae7ed357464b901a62b0e33086ca948fa88
Opcode Fuzzy Hash: 2ea452c593ab17045040853c3346e67a1ee2cbd8d5b5b910cf10f89c39c44eaa
Instruction Fuzzy Hash: 1E2159B4D057449EDB60DF6AC0883CAFBF2EB88314F28C02DD59D97246D67464818BA1

Function 04EB7664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e79651e367eb4ab194e48f9dd04bf2b6b95c56bb53304f0aaf7eec6b275bbc8
Instruction ID: e52d0563918cb961f895ba0e790777cc8c03c1e0e3992f91495ad8dcf6c771dd
Opcode Fuzzy Hash: 6e79651e367eb4ab194e48f9dd04bf2b6b95c56bb53304f0aaf7eec6b275bbc8
Instruction Fuzzy Hash: 47112B39B002188FCB14DFA8E844ADE77F6EBCC215B1440A8E949DB754DB31EC128B90

Function 0361F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction ID: 73b1def6f0a8a663a4a8e1d4f41403051db7386524dd598a26a2c4c0dcf87c52
Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
Instruction Fuzzy Hash: 53216A76504240DFCB06CF50DAC4B16BB72FB88314F28C6A9D9494E657C33AD46ADBA1

Function 0361F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
Instruction ID: d3bede417c0401d8e1226d43ec176ed66f8f2cbb61889ed20084e9f6cb98f99b
Opcode Fuzzy Hash: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
Instruction Fuzzy Hash: E0118B79504280DFCB15CF14D6D4B15BFA2FB84324F28C6AAD8494F756C33AD45ACB61

Function 0361F4C7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9166586a82980713c120ff28bf7eda989a79b0c042446dbf275705f7948bbe2f
Instruction ID: 4f750bff209f3590eb1ce3764346db5543548478fefb7a9da2ec1fc0d8adc4c8
Opcode Fuzzy Hash: 9166586a82980713c120ff28bf7eda989a79b0c042446dbf275705f7948bbe2f
Instruction Fuzzy Hash: AE11CEB55042808FCB15DF14D6C4B15BBA1FB54324F28C6ADC8494B756C33AD45ACB92

Function 04EBBCE8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce69aa169850790f10ff6b3ae7a5d4e962257060a01726db1a447dd497d599ff
Instruction ID: 1c32bf95a94d56ae790f286c91524f58e1f37f676671ecb304d1afcf01859d30
Opcode Fuzzy Hash: ce69aa169850790f10ff6b3ae7a5d4e962257060a01726db1a447dd497d599ff
Instruction Fuzzy Hash: 2F01D6316087445FD715DB75D494A967FF4DF46210F1884EED09ACB6B2CA24F845C711

Function 0361D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed93f917f219caa7eb43764820bf65bf8c59e9e0a68fca8efab5ebf6ca85399
Instruction ID: 93f0bb994f390fe755ac1997c9595fc28db210b6f93c4021959375d43d34a792
Opcode Fuzzy Hash: bed93f917f219caa7eb43764820bf65bf8c59e9e0a68fca8efab5ebf6ca85399
Instruction Fuzzy Hash: B901407240E3C09FD7128B25C994B62BFB8DF47225F1D81DBD9888F2A3C2695845C772

Function 0361D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3836d605e54e471989021c56515aa34493812f0f02246cb515b2c7b9d1634e
Instruction ID: d35f1be91fabf6e26394ebc584125826311110f7499f5ff96ded810d4cd1ef39
Opcode Fuzzy Hash: cc3836d605e54e471989021c56515aa34493812f0f02246cb515b2c7b9d1634e
Instruction Fuzzy Hash: 9501A231509344AEE720CE25CDC4B77FF9CDF45226F1CC56AED484B282C6799886CAB6

Function 04EBBF18 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300f6d02152aeb118694e004abeeae51411fea5e094ca2e5b250db34eac095dd
Instruction ID: 538538598cd2816f81a63f30c318faef075e5b6fcf82a5d2dc2fdc9e0c87dfe7
Opcode Fuzzy Hash: 300f6d02152aeb118694e004abeeae51411fea5e094ca2e5b250db34eac095dd
Instruction Fuzzy Hash: 5EF0C8363192901FD7118B795C50ABB7FE9AF86610B1441AEF5C5C7352C9B0CC05DB60

Function 04EB7940 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1082ae1e28729a717867538d7843b2bf6e7a352564288af32ea2eb01786334
Instruction ID: bbc879d569ff1698aaecbb7e1933983fb2fc868a204329d22302c4222702dc1b
Opcode Fuzzy Hash: 3c1082ae1e28729a717867538d7843b2bf6e7a352564288af32ea2eb01786334
Instruction Fuzzy Hash: EDF0463420A3409FC7019769D844E6FBFF8EF8A12570006AEE04ADB362CF30AC05C3A2

Function 0361D8D3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72523176ce8d919b64e72b027b9d4340852a6e87b8b5b9fccab4a00943bb131
Instruction ID: 6c6d6a05200e5ad5cfbc68fcf27f4f1ae1ddc4095194337a5721220930577022
Opcode Fuzzy Hash: e72523176ce8d919b64e72b027b9d4340852a6e87b8b5b9fccab4a00943bb131
Instruction Fuzzy Hash: 76F0E776600600AF9724CF0AD984C27FBADEBD4770319C56AE84A4B622C671EC42CAA0

Function 04EBDFE0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629a235176070f6a8460a524aae528944403d3429188d217962606ae6fe38dfe
Instruction ID: e6ded58f3e449be23e04d3d437902fc0a54f70a1dbd6576a39240635375341d4
Opcode Fuzzy Hash: 629a235176070f6a8460a524aae528944403d3429188d217962606ae6fe38dfe
Instruction Fuzzy Hash: 4AF05E387096404FC3119F2CE4948A6BBF5AFCA715319119AE485DBB32CA61DC02DF51

Function 0361D8C4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1447639216.000000000361D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0361D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_361d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6dbcb4b8517094aae4ef1d1f5d88f9f7cc0510008597ce30dfec532db5bf9a3
Instruction ID: c1e891f9752c23fb59cdffbc2b022d84c2068a53156588f88ba338c8235490b9
Opcode Fuzzy Hash: a6dbcb4b8517094aae4ef1d1f5d88f9f7cc0510008597ce30dfec532db5bf9a3
Instruction Fuzzy Hash: FAF0F975100A40AFD725CF06CD84D23BBB9EB89720B19849DE85A4B762C675FC42CFA0

Function 04EB90E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83dcd3ff5f14131e679e53e28f01bb0f242a586915cc7dcc48035bdece128a67
Instruction ID: 004426263f712019382bf6bd30014033e9eb6dc658316a6865a8e444d3a8a553
Opcode Fuzzy Hash: 83dcd3ff5f14131e679e53e28f01bb0f242a586915cc7dcc48035bdece128a67
Instruction Fuzzy Hash: 6BF02B79B042504FE304FF28D0547EB7B61EFC0359F14815EC55A4B345CE396842CBA0

Function 04EB7950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764cdd00b17e7d8f15d02d5647595c92381ebbf67e4599451bbc3672088ebc8b
Instruction ID: 9f7974b7bd520845528f6da65e0cd501b50a272ec4e54c3d21815c32f154499a
Opcode Fuzzy Hash: 764cdd00b17e7d8f15d02d5647595c92381ebbf67e4599451bbc3672088ebc8b
Instruction Fuzzy Hash: B0F082357007149FD7109B55D844A6FB7E9EB88265B00092DF14AD7341DF31AD0187A4

Function 04EB767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7150f34838c46ceffc2b54efe19037ea4ce56774e2942278802c5cc11a58a3
Instruction ID: 866dab4cb7cd13d69d6b5f5eb7da63ff6b190b9ef52eece0eec048a314b98bb8
Opcode Fuzzy Hash: da7150f34838c46ceffc2b54efe19037ea4ce56774e2942278802c5cc11a58a3
Instruction Fuzzy Hash: 3DF0A7397001048FDB10EB6D984069A77F2EBCC6597154198E589CB354DF30DC028BD0

Function 04EB90F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58de017c808eb3cb189089ac4678fa0cc6ec14a06022baace32ead0bc7d4c7a
Instruction ID: 2319266bc4ca50028530d92af85cd57834a5b646172d1e8c2194af6be770a493
Opcode Fuzzy Hash: d58de017c808eb3cb189089ac4678fa0cc6ec14a06022baace32ead0bc7d4c7a
Instruction Fuzzy Hash: BAF02779A042145BE704BB69D00479B77A6DFC0754F14816EC60A4B384CE396801C7E0

Function 04EBDFF0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88fbed16d441353a07ed86e4a3b1f65e6e9aa6c8b9800d79c266a45f55db475
Instruction ID: f1d7e09c26dd03a034e27152baec64fd383b05460361db21848d25432c4cbe10
Opcode Fuzzy Hash: a88fbed16d441353a07ed86e4a3b1f65e6e9aa6c8b9800d79c266a45f55db475
Instruction Fuzzy Hash: BCE012357005108F83109F1DE454DA6B7FAEFCE71531510A9F585DF721DA61EC01DB90

Function 04EB9160 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda8974b5a84057718034f973479fce3a566c915e205e0a9f21d0382302bc753
Instruction ID: 72f5cf784efff3cd65bc15028dc9e6a831383854de589c621c608b7ccc5ce638
Opcode Fuzzy Hash: bda8974b5a84057718034f973479fce3a566c915e205e0a9f21d0382302bc753
Instruction Fuzzy Hash: FDF05E749083404FD7649FB8D4987AA7FE0EB45310F14456DD59ECB342CB356881CB60

Function 04EBDE30 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1415af734dac1f59cd788d048847cffc0b840d9746c39a804d2fe69faff175
Instruction ID: 8a067877ed7fa39eff9a0587f1bb3e84a72ab127bfe41ddb66bb51843d6187b3
Opcode Fuzzy Hash: 4c1415af734dac1f59cd788d048847cffc0b840d9746c39a804d2fe69faff175
Instruction Fuzzy Hash: 67E0E5356046901BC316976DAC109DF2FEADFC6575708406ED0DA87201CE509806CBE6

Function 04EB954A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3034cf46c23c010025a9e3e2e511ee496965820fcc3f11a829e2011816438ba3
Instruction ID: 1b4e90d682409f043a7435b03cb3ae2f23a53c97234d72614988c29d6108fbda
Opcode Fuzzy Hash: 3034cf46c23c010025a9e3e2e511ee496965820fcc3f11a829e2011816438ba3
Instruction Fuzzy Hash: B3E0DF617462950ADB5277BC28103FB6E899FC209CB0821BDCBC5C7212C9449C0647F2

Function 04EB896A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eff1cd1495c2b689d501ba111a5d2e54e2309348d6a1133268cdbab262dbc3
Instruction ID: fec361efe712189b189e79cad1e05acba68ab91b1ce40f8465a8ecb07e35e99e
Opcode Fuzzy Hash: 71eff1cd1495c2b689d501ba111a5d2e54e2309348d6a1133268cdbab262dbc3
Instruction Fuzzy Hash: FFF0E53870D6904BC7097BB8A4183EE7F61ABC0718F04016EE25687343CF64181587DD

Function 04EBDE81 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee138d831e3ea33c9a96d44d7df3fb5e03fb5cffb3149805ab1b2d22aa0fc52b
Instruction ID: f6b99a493cb9834af44e4cdfdfbe691a1d808cd18cffac47e8eb6044f44eaf1b
Opcode Fuzzy Hash: ee138d831e3ea33c9a96d44d7df3fb5e03fb5cffb3149805ab1b2d22aa0fc52b
Instruction Fuzzy Hash: 5AE02B3170808057C709C66DD8148E9FFB6AFC9220F08817ED48697350D7711416C7E0

Function 04EB9170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da4994b249ae7cec7ecb0361bf626cae5a6b27371c6b25cd782455635b4fba7
Instruction ID: aa36e36625cb81c61c98efc10e615002d785dc04b8171ecd02b52628d53b2866
Opcode Fuzzy Hash: 1da4994b249ae7cec7ecb0361bf626cae5a6b27371c6b25cd782455635b4fba7
Instruction Fuzzy Hash: CAF03970A043044BD764ABB8D49879A7BE9EB45310F10442DE24EC7341DB35A8808B90

Function 04EB8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf6420e30f754e0252901c7468d7a8eb558636e26e72b724ab3dfa9ecfd444f
Instruction ID: d6f2a9a78b4564acbc83f75c3cbb02242eb71bacfd7b62f1813b03826aae3d41
Opcode Fuzzy Hash: 4bf6420e30f754e0252901c7468d7a8eb558636e26e72b724ab3dfa9ecfd444f
Instruction Fuzzy Hash: 47E0863970865457CB0D3BB9A51C3AE7A56EBC4725F04012EE61A87382CF79691183ED

Function 04EB9558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b267dffc05847608c606641f921c098df603cad6871a068ad6495a51fa023219
Instruction ID: fa1e6c0c0963669a6d835a02e209666488534cb3dfa0b3e0aebd8a2c9614a376
Opcode Fuzzy Hash: b267dffc05847608c606641f921c098df603cad6871a068ad6495a51fa023219
Instruction Fuzzy Hash: B6D05E92B422250B5A5536EA18407FBB5CEDBC54A9705607ADB95C3342ED44FC0507F2

Function 04EBDE90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 328bff117fa0a409ee25210b3b049ef3a593d8794e2c01e36515ceb592e4fc56
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 4BE08631B0401497CB08959DD8108D9F7B6DFCC220F04947AD94AA7340DA32691686D1

Function 04EBDE40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5cfa97d130e6044ae0d2a5b5f85a4c7b50032d3452c8e4a8e7cb248e331378
Instruction ID: afa265e1b7d1d56503e4c25c90205b2fa4c93b6b4005dbc3bec5cf987bfac65a
Opcode Fuzzy Hash: bb5cfa97d130e6044ae0d2a5b5f85a4c7b50032d3452c8e4a8e7cb248e331378
Instruction Fuzzy Hash: 7EE0C235700714178326A65EAC008DF7BEBDFC99BA318402EE45ACB300DE64ED0687EA

Function 04EBAF90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2465dd639f6e8f142b611ed3b6a04924f1a1b938c49d464c88ea8ea224e1a78
Instruction ID: b46090c119e9307d4b0e40e8516193afd09de0f0cc3100d7978fe212e2ac1765
Opcode Fuzzy Hash: f2465dd639f6e8f142b611ed3b6a04924f1a1b938c49d464c88ea8ea224e1a78
Instruction Fuzzy Hash: B4E0C22A75C1D01A9B1A963E74206EB2F928BC661471991B9E0C8CB301CC518C0643D0

Function 04EB8739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfe3da86ffb3c99a69c2cb68556f59d10d6afbe6d1e44c1802e7c83c9bf4e12
Instruction ID: dd4c4dcefc7a60279a43ee5bba68181628b5c4389ae7e1b4d1b639a489984390
Opcode Fuzzy Hash: 6bfe3da86ffb3c99a69c2cb68556f59d10d6afbe6d1e44c1802e7c83c9bf4e12
Instruction Fuzzy Hash: 0FE01A348190898ADB0EBBB8E81A9ED7F70EA05311B40129DD9A692293DA20065BCF91

Function 04EBF580 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f1be09f1d12d962cc168f30ef00acfd660914396a8d9ccf0a5b6126d024c74
Instruction ID: 49ee37e0a7d08c7d54d9f93da0af99e754f3cae07c573071351245d0cf4bfaca
Opcode Fuzzy Hash: 33f1be09f1d12d962cc168f30ef00acfd660914396a8d9ccf0a5b6126d024c74
Instruction Fuzzy Hash: CAE01A70E001469F8780EFA8894119AFBF0EB08204B2088EED908E7212EB3246028B80

Function 04EB8800 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f846fe068fb2c4b05e8ca615cc0767cff15e4ad13e4f8f60ebc78058e0aae3d3
Instruction ID: 794e7adffe4138fd8716ed3cfdffbe7d02d2f7efcdf6feaf18c83c521a2c3fcc
Opcode Fuzzy Hash: f846fe068fb2c4b05e8ca615cc0767cff15e4ad13e4f8f60ebc78058e0aae3d3
Instruction Fuzzy Hash: 42E04F30F08186CFC708EBA4D6555AABFB1EB05301B0041ADD99597712E6305951EF81

Function 04EBF590 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 7293ec2fb524d9ddf11ae0421921b617d55f66cf88553c89bf38df18a3d8c905
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: C0D06270D042099F8780DFBDC9415AEFBF4EB48204F6085AAC919D7311F7315A128BD1

Function 04EB8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe9c23f1c375caa6683201847e41ca7de311b8bb73770204030276df67fab4c
Instruction ID: 6b6daa95c715864212776b72b71220defcee58627c9e28d5d15580c17cbfd325
Opcode Fuzzy Hash: ffe9c23f1c375caa6683201847e41ca7de311b8bb73770204030276df67fab4c
Instruction Fuzzy Hash: D2D012308081098BCB0CBBA4E51A5FD7B34FB00301F40015DD91792192EA301646CAC0

Function 04EB8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53d5523041786b2c1772e47adf47b385be0427de3f61781f64f7cc5b982c5ee
Instruction ID: 881ff775ab92c0ef64fb5a1a8b4e199502156e654c731ae7b0d2bfd1cbc71e67
Opcode Fuzzy Hash: e53d5523041786b2c1772e47adf47b385be0427de3f61781f64f7cc5b982c5ee
Instruction Fuzzy Hash: 3AD01730A0820A9BCB0CFFA4E5469AEBBB9EB44305F004169EA4993341EA306901CBC1

Function 04EB791A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324a577b2bbdc50bd485f717d73048962953d8e1c8fab4954a1c7cfd5081a97a
Instruction ID: c755376a5e0e64415957c251029dd18ee341f63032dd4d65fa878c8a053cf801
Opcode Fuzzy Hash: 324a577b2bbdc50bd485f717d73048962953d8e1c8fab4954a1c7cfd5081a97a
Instruction Fuzzy Hash: D2D0923844E7C49FC7168BB8949A8183F605E0322830A05DED88B9F2B7CA76C849CB16

Function 04EB7E90 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5169420bc9af13a79369648d127616a3ee51649b3f7bcde6c61c4b8df3f2b17
Instruction ID: ae27f4b3365f56aa10c3044357fe8229b062ead805c877187f093f26a731f63c
Opcode Fuzzy Hash: f5169420bc9af13a79369648d127616a3ee51649b3f7bcde6c61c4b8df3f2b17
Instruction Fuzzy Hash: D0C08C1480F3C08FDF0A8B354D368177F720F8320831B40DBC082CB872CA24880AEB06

Function 04EB7928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce958a046722a0f8527b9a161b79657b98307b9cf58d84c23db4550c8595ecc
Instruction ID: 145f632c221b713de946018629068ccc52f8a35550e7afe80ad362a68132f0b9
Opcode Fuzzy Hash: 8ce958a046722a0f8527b9a161b79657b98307b9cf58d84c23db4550c8595ecc
Instruction Fuzzy Hash: B4B092300447088FC3486FB9A408D287729AF4021538105A9E90E0B3978F36EC84CA44

Non-executed Functions

Function 07DF0FB8 Relevance: 11.4, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

`Qq, xrefs: 07DF1153
`Qq, xrefs: 07DF10ED
$q, xrefs: 07DF1044
$q, xrefs: 07DF1229
tPq, xrefs: 07DF1127
fq, xrefs: 07DF10A2
$q, xrefs: 07DF1253
$q, xrefs: 07DF1065
$q, xrefs: 07DF1081

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: fq$`Qq$`Qq$tPq$$q$$q$$q$$q$$q
API String ID: 0-1290391743
Opcode ID: 69e2742a77ddfac4a53534620246815c9e214fb4788894e6d6f320ab469ea50f
Instruction ID: 76ca9a47caf947d15314d52031446f8da91145cc5fdd9d431336174995446d44
Opcode Fuzzy Hash: 69e2742a77ddfac4a53534620246815c9e214fb4788894e6d6f320ab469ea50f
Instruction Fuzzy Hash: BB618DB0A1420EDFDB24CF44D945BAAF7F2BB45351F1A9065EA41AB291C733DD80CBA1

Function 04EBECD8 Relevance: 11.4, Strings: 9, Instructions: 179COMMON

Download Yara Rule

Strings

,kAq, xrefs: 04EBEE33
$q, xrefs: 04EBEE5B
$q, xrefs: 04EBEE41
$q, xrefs: 04EBEDD0
0oEp, xrefs: 04EBEE67
$q, xrefs: 04EBEE27
$q, xrefs: 04EBEE75
$q, xrefs: 04EBEE8F
,q, xrefs: 04EBED2D

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID: ,kAq$,q$0oEp$$q$$q$$q$$q$$q$$q
API String ID: 0-1341813306
Opcode ID: 675b43cf295d0b3643171678ffa3b7fe683ba561a5232dd319bfcf5035191a46
Instruction ID: a9ec30564d35320c54132c1d66ba36674dd421d290ce04c3bd6f41dbf44c725d
Opcode Fuzzy Hash: 675b43cf295d0b3643171678ffa3b7fe683ba561a5232dd319bfcf5035191a46
Instruction Fuzzy Hash: 4A51A6347041148FD729AF7E98585FE7BD2FF8C61572518AAE09ACB361DE20EC0187D2

Function 04EBEF08 Relevance: 10.5, Strings: 8, Instructions: 451COMMON

Download Yara Rule

Strings

$q, xrefs: 04EBF28C
`Qq, xrefs: 04EBF41C
0oEp, xrefs: 04EBF325
$q, xrefs: 04EBF446
$q, xrefs: 04EBF230
0oEp, xrefs: 04EBF357
0oEp, xrefs: 04EBF363
,kAq, xrefs: 04EBF273

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID: ,kAq$0oEp$0oEp$0oEp$`Qq$$q$$q$$q
API String ID: 0-484348198
Opcode ID: 13e9e4bc150e0c73cf8fdb5e10682fc5ffcdb64b271dabf967d1f437bf9f38ca
Instruction ID: ccd76f8c31d8e0abc41951b80b3c7ac2be7a7420a73e73f66bc9a8b7e220d9df
Opcode Fuzzy Hash: 13e9e4bc150e0c73cf8fdb5e10682fc5ffcdb64b271dabf967d1f437bf9f38ca
Instruction Fuzzy Hash: 87E1E930B002108FEB249B7A98147BF77D6AFC9714B2554AAD946DF3A1EE70EC4287D1

Function 07DF3928 Relevance: 10.3, Strings: 8, Instructions: 321COMMON

Download Yara Rule

Strings

tPq, xrefs: 07DF39A5
4'q, xrefs: 07DF3B35
4'q, xrefs: 07DF3B29
tPq, xrefs: 07DF39B1
$q, xrefs: 07DF3960
$q, xrefs: 07DF3C0E
$q, xrefs: 07DF393A
$q, xrefs: 07DF396C

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q
API String ID: 0-2958727440
Opcode ID: b8264be2f90bdc51c8f2d8a94bddaf3a4746224e8827ddff30c8e4fb7cb88c4e
Instruction ID: 59d20148bca179f33b04d2df2ea09388eb698fa8f1ad98597b9bb6248e3c43e3
Opcode Fuzzy Hash: b8264be2f90bdc51c8f2d8a94bddaf3a4746224e8827ddff30c8e4fb7cb88c4e
Instruction Fuzzy Hash: ABA19AB17043468FD7259B7AD811766FFA2AFC6211F1B80ABDA49CB391DA31CC41C7A1

Function 07DF1BE0 Relevance: 7.9, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

tPq, xrefs: 07DF1FDF
4'q, xrefs: 07DF1C92
4'q, xrefs: 07DF1C86
4'q, xrefs: 07DF1F89
4'q, xrefs: 07DF1F95
tPq, xrefs: 07DF1FEB

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$tPq$tPq
API String ID: 0-3271992745
Opcode ID: ac6ad621e10b4997f1ada2a85288b8333784af6b7711580067ba9c5294387fa0
Instruction ID: 724248282b54afb3458f35d262ce7cd37b470e10a8e71d0987cce1f8d9238165
Opcode Fuzzy Hash: ac6ad621e10b4997f1ada2a85288b8333784af6b7711580067ba9c5294387fa0
Instruction Fuzzy Hash: 0CD148B2B0020ACFC7258B6994107ABFBB2AFC5311F1AC47BDA55CB251DB32D845C7A1

Function 07DF0488 Relevance: 6.7, Strings: 5, Instructions: 497COMMON

Download Yara Rule

Strings

4'q, xrefs: 07DF05F6
4'q, xrefs: 07DF0962
fq, xrefs: 07DF094B
4'q, xrefs: 07DF096E
4'q, xrefs: 07DF05EC

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: fq$4'q$4'q$4'q$4'q
API String ID: 0-2475824186
Opcode ID: 445316b28156b8785cb23ee785a5d28476e93d6340898426c3927504cc5c22a2
Instruction ID: f2f16df4d26c7a468eb8b0397b23a9c49b52008b46a3b31f5a55111f0425c1ee
Opcode Fuzzy Hash: 445316b28156b8785cb23ee785a5d28476e93d6340898426c3927504cc5c22a2
Instruction Fuzzy Hash: 13F186B1B043018FDB259B69D4107AAFBA2AFC6211F19C0BBD645CB792DB31CC52C7A1

Function 07DF3678 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

4'q, xrefs: 07DF3722
$q, xrefs: 07DF3836
$q, xrefs: 07DF37FF
$q, xrefs: 07DF382A
4'q, xrefs: 07DF372E

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q
API String ID: 0-170447905
Opcode ID: 3d2a2baf522aafde49e36bd857b57836306fa3422b68c8f6a644086c3624e6cf
Instruction ID: 936888a85f02f4f3b48468bd8535e6addf04517f7e6a5587b3f59f8544503ac6
Opcode Fuzzy Hash: 3d2a2baf522aafde49e36bd857b57836306fa3422b68c8f6a644086c3624e6cf
Instruction Fuzzy Hash: 005179F17043469FDB2487699811367FBA2AFC7211F2B807BDA85CB351DA35C851C7A1

Function 04EB7A09 Relevance: 5.2, Strings: 4, Instructions: 241COMMON

Download Yara Rule

Strings

`q, xrefs: 04EB7B8A
`q, xrefs: 04EB7B0B
`q, xrefs: 04EB7CAA
`q, xrefs: 04EB7C2C

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID: `q$`q$`q$`q
API String ID: 0-10485352
Opcode ID: 701187cf0e5b87dab37fd636af881619a5abc3372661bba4e15ddd01e80f64d5
Instruction ID: 71695fde521ebf7bee6d1ec076149df844579ff2b3e9ef33fc9bba01bf9ef38c
Opcode Fuzzy Hash: 701187cf0e5b87dab37fd636af881619a5abc3372661bba4e15ddd01e80f64d5
Instruction Fuzzy Hash: 60B1B274E003199FDB55DFA9D880A9EFBF2BF88304F148629D859AB314DB30A905CF91

Function 04EB7A18 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`q, xrefs: 04EB7B8A
`q, xrefs: 04EB7B0B
`q, xrefs: 04EB7CAA
`q, xrefs: 04EB7C2C

Memory Dump Source

Source File: 00000012.00000002.1448300747.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID: `q$`q$`q$`q
API String ID: 0-10485352
Opcode ID: 7af0f6b6c8c1ba6d1558b5e686739497a7fa64a979a53f943be56995f3227793
Instruction ID: 7332afc6d13a5899efbde1d9f459b6f0935c74c5ae44e83e89252a9c6c1b6ab0
Opcode Fuzzy Hash: 7af0f6b6c8c1ba6d1558b5e686739497a7fa64a979a53f943be56995f3227793
Instruction Fuzzy Hash: 77B19274E003199FDB54DFA9D980A9EFBF2BF88304F148629D859AB304DB30A905CF90

Function 07DF5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 07DF57F4
$q, xrefs: 07DF57C6
$q, xrefs: 07DF57AA
$q, xrefs: 07DF5800

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: b97ef906b36f92c26ef5269550cafcbf6829796b5a4ec6776f9ad275806bc7e7
Instruction ID: 358567a7e26b76bcdab19f5aa2289b06a30309039f5975c4b45a871c02ddaad1
Opcode Fuzzy Hash: b97ef906b36f92c26ef5269550cafcbf6829796b5a4ec6776f9ad275806bc7e7
Instruction Fuzzy Hash: 03213BB17103069BEB34566AB811727FBD6AFC1711F26802AEB4BCB381DD75D8518361

Function 07DF0308 Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

$q, xrefs: 07DF0352
4'q, xrefs: 07DF0373
$q, xrefs: 07DF035E
4'q, xrefs: 07DF037F

Memory Dump Source

Source File: 00000012.00000002.1480347692.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: a2006bc3ebb1c95b3584db2bd503b3ec8d7d0c534c7cac58182c5049099f3914
Instruction ID: 62f30decddbf358174c2507605d04bdc86a3ac1110f620de7314098c2004aa91
Opcode Fuzzy Hash: a2006bc3ebb1c95b3584db2bd503b3ec8d7d0c534c7cac58182c5049099f3914
Instruction Fuzzy Hash: 6301F21170E7878FD72B13282820255AFB25F8765072E81E7D981CF3D3C9148D0683AB

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_50s1bmwm.0wf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ag4xh2pk.kqi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqewf2zr.r45.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gxnxruir.5mu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hszerapu.fmw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kiqugtpy.jan.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kkchklss.xah.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msxpimxa.zgb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njt55zfj.rgi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o3l1gumt.t04.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ozmcuojc.osw.ps1

Windows Analysis Report
Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe

Function 05707DF8 Relevance: 4.3, Strings: 2, Instructions: 1815
COMMON

Function 05707DEA Relevance: 4.3, Strings: 2, Instructions: 1806
COMMON