Edit tour

Windows Analysis Report
1In8uYbvZJ.ps1

Overview

General Information

Sample name:	1In8uYbvZJ.ps1 renamed because original name is a hash value
Original sample name:	ba373cfb9f7ee777a6dd98913b6fb167.ps1
Analysis ID:	1586504
MD5:	ba373cfb9f7ee777a6dd98913b6fb167
SHA1:	39b30f324643e6873c55847f5a5f9a84accfaacf
SHA256:	1e16b85998768f725d0a25e7ef42659157ff97b1225cdf40de229debe764328e
Tags:	ps1user-abuse_ch
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses ipconfig to lookup or modify the Windows network settings

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1In8uYbvZJ.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 7996 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)

RegSvcs.exe (PID: 8028 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3808094845.0000000004E50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RegSvcs.exe PID: 8028	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.4e50000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.RegSvcs.exe.379d790.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1In8uYbvZJ.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1In8uYbvZJ.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1In8uYbvZJ.ps1", ProcessId: 7788, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1In8uYbvZJ.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1In8uYbvZJ.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1In8uYbvZJ.ps1", ProcessId: 7788, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1In8uYbvZJ.ps1	ReversingLabs: Detection: 21%
Source: 1In8uYbvZJ.ps1	Virustotal: Detection: 29%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source:	Binary string: #.dll.pdb source: powershell.exe, 00000001.00000002.1421076683.00000172F0950000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D8777000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D9919000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.10:49761 -> 176.113.115.177:7702

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.177

Source: powershell.exe, 00000001.00000002.1405160832.00000172E8820000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1384006471.00000172DA14A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1384006471.00000172D8551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1384006471.00000172DA14A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1384006471.00000172D8551000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1384006471.00000172DA14A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000001.00000002.1384006471.00000172D9919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1405160832.00000172E8820000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

.NET source code contains very large array initializations

Source: 1.2.powershell.exe.172e8752b38.4.raw.unpack, SorterCollector.cs

Large array initialization: RemoveCollector: array initializer size 361184

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FF7C0EB0F25	1_2_00007FF7C0EB0F25
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FF7C0F80FA4	1_2_00007FF7C0F80FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_025EDAA8	4_2_025EDAA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_025E5B08	4_2_025E5B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_025E5B04	4_2_025E5B04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_025E1F30	4_2_025E1F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_025E1F2B	4_2_025E1F2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_025E4D53	4_2_025E4D53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_025E4D60	4_2_025E4D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_04E4D9F8	4_2_04E4D9F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_04E489B8	4_2_04E489B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_04E4098D	4_2_04E4098D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_04E42D3A	4_2_04E42D3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_04E4CE48	4_2_04E4CE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_04E4CE38	4_2_04E4CE38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_04E4D9EA	4_2_04E4D9EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_04E489A8	4_2_04E489A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05189C98	4_2_05189C98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05187080	4_2_05187080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05185763	4_2_05185763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05187163	4_2_05187163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05189C88	4_2_05189C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05197420	4_2_05197420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_051984B8	4_2_051984B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05197747	4_2_05197747

Source: 1.2.powershell.exe.172e8752b38.4.raw.unpack, SorterCollector.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.powershell.exe.172e8752b38.4.raw.unpack, ValueGateway.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.powershell.exe.172e8752b38.4.raw.unpack, ValueGateway.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, QMUdLZZR29erUuhvemI.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, QMUdLZZR29erUuhvemI.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, QMUdLZZR29erUuhvemI.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, CrTxExT1QiMoxixk0jU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, CrTxExT1QiMoxixk0jU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal84.evad.winPS1@6/5@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\d39a6c8f7bf45e6d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oeatxu1r.okc.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 1In8uYbvZJ.ps1	ReversingLabs: Detection: 21%
Source: 1In8uYbvZJ.ps1	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1In8uYbvZJ.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: #.dll.pdb source: powershell.exe, 00000001.00000002.1421076683.00000172F0950000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D8777000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D9919000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.powershell.exe.172e8752b38.4.raw.unpack, ValueGateway.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, QMUdLZZR29erUuhvemI.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 4.2.RegSvcs.exe.5100000.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.RegSvcs.exe.5100000.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.RegSvcs.exe.5100000.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.RegSvcs.exe.5100000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.RegSvcs.exe.5100000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, T1Aa4g30A3jVnqGHQAd.cs	.Net Code: ILNHcuUfc1
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, T1Aa4g30A3jVnqGHQAd.cs	.Net Code: x54JJLiT6j
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, PGqajPQkjsFqm5PDpc.cs	.Net Code: zGqFh4uTu System.AppDomain.Load(byte[])
Source: 4.2.RegSvcs.exe.37ed9d0.3.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.RegSvcs.exe.37ed9d0.3.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.RegSvcs.exe.37ed9d0.3.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.RegSvcs.exe.37ed9d0.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.RegSvcs.exe.37ed9d0.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 4.2.RegSvcs.exe.4e50000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.379d790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3808094845.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8028, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FF7C0EB81B2 push edx; ret	1_2_00007FF7C0EB81B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FF7C0EB9D3D push 14FFFFFFh; retf	1_2_00007FF7C0EB9D42
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FF7C0EB00BD pushad ; iretd	1_2_00007FF7C0EB00C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_04E41B60 push esp; retf	4_2_04E41B61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0519ECB8 push esp; retn 0515h	4_2_0519ECC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_05193104 push eax; iretd	4_2_0519310F

Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, MeyaSx3AXGcb9quLxVn.cs	High entropy of concatenated method names: 'gdk3JXedsw', 'UAS3WRLFJm', 'El33V1WQch', 'WEC3G7IbO6', 'ubp3ol0QuB', 'smw3QTGseH', 'JmF39ded4E', 'Elg3icnHf3', 'IQ63qrmaLI', 'nGY3F8fjgH'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, wOZsjwBxZXy1BXCFga3.cs	High entropy of concatenated method names: 'mShZXOg1hu', 'M439kE8xyVPy1cFG0Nh', 'lwo18U8vnFdWaE6KxvW', 'Sk8BRCP9yt', 'W0CBTfbQe9', 'hDKBZ75DVN', 'SX4BauZaka', 'wvIB3CdsdH', 'yS0BtWmlto', 'M46hkbFqn3IK0bGnDsy'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, VQPeLrPP4DkOFeVAUE.cs	High entropy of concatenated method names: 'x0N1bJWPS', 'VS1YCMd64', 'Ghv2STqRc', 'bGdf8YNNE', 'NP6ss0r5G', 'sfQUmKTgb', 'SfWkOZkOW', 'OPwSucThX', 'EkNerCJkE', 'LZTtOIFQ1mB06ACyLwQ'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, QMUdLZZR29erUuhvemI.cs	High entropy of concatenated method names: 'kS6jCU8Wy3jMeQAbn8K', 'Egnt9a8VEE3DHVgnSmh', 'guaaM4LxIn', 'vh0ry9Sq2v', 'qdTaPGDwaa', 'LjWajtXyjg', 'EJ4a1JiSv2', 'kG0aYcJWnj', 'UL2pWuwCAK', 'QsyZZKFHUp'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, T1Aa4g30A3jVnqGHQAd.cs	High entropy of concatenated method names: 'IVFVWGgZLP', 'Ow9VV8XFit', 'AofVGMkIc8', 'rKoVoux2sL', 'd8IVQ4JFwe', 'fHDV96dkJ8', 'I3cViSFBJX', 'EMe3Yeb7Fr', 'aP0Vqgb7tc', 'geUVFveI28'
Source: 4.2.RegSvcs.exe.4d90000.6.raw.unpack, PGqajPQkjsFqm5PDpc.cs	High entropy of concatenated method names: 'JdsuLkeSe', 'qtFpnLuAg', 'RMBm9CdVa', 'NJGl5P2gq', 'j7YihjM1r', 'hBYq8LUwT', 'zGqFh4uTu', 'rwp0IY4nL', 'MOl8q9tSS', 'j6cnRfpxa'

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3708	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3457	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6633	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 35000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34107	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 34000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32682	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32463	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32025	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31795	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31351	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31028	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen4win32_process.handle='{0}'
Source: RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: RegSvcs.exe, 00000004.00000002.3808408747.0000000004FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46C000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 627008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1In8uYbvZJ.ps1	21%	ReversingLabs	Script-PowerShell.Spyware.AsyncRAT
1In8uYbvZJ.ps1	30%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1405160832.00000172E8820000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1384006471.00000172DA14A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1384006471.00000172DA14A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000001.00000002.1384006471.00000172D9919000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1405160832.00000172E8820000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1384006471.00000172DA294000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.orgX	powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-net	RegSvcs.exe, 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3808807889.0000000005100000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3804713253.000000000383D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1384006471.00000172D8551000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1384006471.00000172D8551000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1384006471.00000172DA14A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.org	powershell.exe, 00000001.00000002.1384006471.00000172D9ED2000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.113.115.177	unknown	Russian Federation		49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586504
Start date and time:	2025-01-09 08:35:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1In8uYbvZJ.ps1 renamed because original name is a hash value
Original Sample Name:	ba373cfb9f7ee777a6dd98913b6fb167.ps1
Detection:	MAL
Classification:	mal84.evad.winPS1@6/5@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 86% Number of executed functions: 203 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7788 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:36:15	API Interceptor	10x Sleep call for process: powershell.exe modified
02:36:17	API Interceptor	9684356x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.113.115.177	file.exe	Get hash	malicious	XenoRAT	Browse	176.113.115.177/x/5.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	GT98765009064.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	Condenast eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://indyhumane.org	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxsYmJ5tlN1JIFNOQtoSEGkLgECYxMchW4UXMllXUALJmesTsjgTR1H-2FvUTVSSAEe4R1GQy-2Bvbd8Zmmy4leDYmh9UNV6oDPX-2BT4wzcyKrfAdXvv6hKSBoru3q77depPs43qOB1DgUqmMdQP-2BNz7H62jYGp-2BH9nmpPKVjXmtKn9w5STVYGL4aqMBL65ruXSYeXZw-3D-3Didct_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419OCcA-2Bhorh4noX10R0htjc0oQD2shNvY2qd7sBvACS4ZxcOvRGqgf-2FzJzWjtjVb7R-2Fc1EPJdReLV-2BtujCvON-2Bc7V1MBDoLDS-2FjF655eEyLK512HQYbp-2FAbQ3P7q3sD01OmQtuWrJdDi7i9EqNYnB7vGsmi9YvC3tf2fi-2F59j5CgE2Yo8KxAbs4pwwxMvCRmFfOK49lsAVAfn3guJ7HTuaWX	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://ik.imagekit.io/nrof2h909/Paul%20W.%20Shaffer.pdf?updatedAt=1736369068440	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://ar.inderave.ru/jKDI30/#Tapodoll@wc.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://clicktoviewdocumentonadovemacroreader.federalcourtbiz.com/lhvBR/?e=amFtZXMuYm9zd2VsbEBvdmVybGFrZWhvc3BpdGFsLm9yZw==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SELECTELRU	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	nYT1CaXH9N.ps1	Get hash	malicious	Amadey	Browse	176.113.115.131
	iy2.dat.exe	Get hash	malicious	XWorm	Browse	176.113.115.170
	z0r0.sh4.elf	Get hash	malicious	Mirai	Browse	82.148.27.5
	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse	176.113.115.19

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:NlllulLhwlz:NllUO
MD5:	F442CD24937ABD508058EA44FD91378E
SHA1:	FDE63CECA441AA1C5C9C401498F9032A23B38085
SHA-256:	E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6
SHA-512:	927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_llzm00un.et1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oeatxu1r.okc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\135TWFQFA2I0NQGSNY3W.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6220
Entropy (8bit):	3.73358344319953
Encrypted:	false
SSDEEP:	96:5Sw0cCgf4ckvhkvCCt+hgUbApiZH9hgUbApieHJ:5l08fb+hJbwKhJbwB
MD5:	459FCC18EDA30E5F91FAEDBD7A2574B2
SHA1:	5D49FEC63AA3CC81CCFF5941083B0B0F6AC9BB2D
SHA-256:	DAE25DAED9633694AC516E2B20B1710A4E95D1B9096AFBCE10D46451CDDB3023
SHA-512:	BAE2564EA56F3C76F4F5E3FFCC09A262076F3FD21C462BCE45F8010CDADB3665918CC3E7DF84EC20BA40698499B0C456E773E75C7FCC81686D9A794C27CB8D9A
Malicious:	false
Preview:	...................................FL..................F.".. ....N.5q....]Q(ib..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q......"ib..1!u(ib......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N)Z.<...........................c..A.p.p.D.a.t.a...B.V.1.....)Z.<..Roaming.@......EW)N)Z.<...........................qF.R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N)Z}<..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N)Z}<...........................).W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N)Z}<....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N)Z}<....................@.......\|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N)Z.<................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6220
Entropy (8bit):	3.73358344319953
Encrypted:	false
SSDEEP:	96:5Sw0cCgf4ckvhkvCCt+hgUbApiZH9hgUbApieHJ:5l08fb+hJbwKhJbwB
MD5:	459FCC18EDA30E5F91FAEDBD7A2574B2
SHA1:	5D49FEC63AA3CC81CCFF5941083B0B0F6AC9BB2D
SHA-256:	DAE25DAED9633694AC516E2B20B1710A4E95D1B9096AFBCE10D46451CDDB3023
SHA-512:	BAE2564EA56F3C76F4F5E3FFCC09A262076F3FD21C462BCE45F8010CDADB3665918CC3E7DF84EC20BA40698499B0C456E773E75C7FCC81686D9A794C27CB8D9A
Malicious:	false
Preview:	...................................FL..................F.".. ....N.5q....]Q(ib..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q......"ib..1!u(ib......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N)Z.<...........................c..A.p.p.D.a.t.a...B.V.1.....)Z.<..Roaming.@......EW)N)Z.<...........................qF.R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N)Z}<..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N)Z}<...........................).W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N)Z}<....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N)Z}<....................@.......\|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N)Z.<................

Static File Info

General

File type:	ASCII text, with very long lines (65459), with CRLF line terminators
Entropy (8bit):	5.868935898663187
TrID:
File name:	1In8uYbvZJ.ps1
File size:	680'460 bytes
MD5:	ba373cfb9f7ee777a6dd98913b6fb167
SHA1:	39b30f324643e6873c55847f5a5f9a84accfaacf
SHA256:	1e16b85998768f725d0a25e7ef42659157ff97b1225cdf40de229debe764328e
SHA512:	6c50e5a6475d57295eae999a2dcbeb3dd00dfe3f99455f3599e5aad594d7914f1ddb03bc3cec9042c169f6a85f203543bdb285ccde658bc2a1ba3471702e23df
SSDEEP:	12288:iY3oNJkNolmkS+EvhxWoVffP3cPp7NWQf28qPNx/C7H4ELA4kyv:iY3SJkNCbASo1fPsPXWQf4/0XsDyv
TLSH:	CBE4F1321247BC8F9F7F5E89D4402A501C9DBD7B6B64C58CFAC80AE861AA414DE7DDB0
File Content Preview:	ipconfig /flushdns...... $t0='AZAZAZIEX'.replace('AZAZAZ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQA

File Icon


Icon Hash:	3270d6baae77db44

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:36:18.045586109 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:36:18.050533056 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:36:18.050620079 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:36:18.066639900 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:36:18.071455002 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:36:18.071511030 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:36:18.076395988 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:36:53.076673985 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:36:53.081516981 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:36:53.081604958 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:36:53.086358070 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:37:28.090560913 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:37:28.095508099 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:37:28.095603943 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:37:28.100488901 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:37:55.153482914 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:37:55.158269882 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:37:55.158324003 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:37:55.163099051 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:37:56.090476990 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:37:56.095500946 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:37:56.095601082 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:37:56.100451946 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:37:56.716404915 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:37:56.721362114 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:37:56.721524000 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:37:56.726370096 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:37:59.418797016 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:37:59.745733976 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:00.271859884 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:00.271872997 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:05.293903112 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:05.298877001 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:05.298989058 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:05.303863049 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:08.418739080 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:08.423616886 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:08.423751116 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:08.428558111 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:11.840647936 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:11.845422983 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:11.845494032 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:11.850272894 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:18.530428886 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:18.535254955 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:18.535351992 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:18.540302992 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:19.153599024 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:19.158601046 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:19.158658028 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:19.163489103 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:22.668658018 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:22.673537970 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:22.676531076 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:22.681389093 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:27.903172970 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:27.908113956 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:27.908282995 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:27.913090944 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:39.715599060 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:39.720808029 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:39.720890045 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:39.725879908 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:43.137799025 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:43.142640114 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:43.142690897 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:43.147589922 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:46.215723038 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:46.220652103 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:46.228545904 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:46.233491898 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:47.966240883 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:47.971139908 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:47.971189976 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:47.975945950 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:49.325613976 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:49.330524921 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:49.330575943 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:49.335338116 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:49.753139973 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:49.757992029 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:49.758126974 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:49.762882948 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:51.437748909 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:51.442709923 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:51.442751884 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:51.447596073 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:55.654875040 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:55.659645081 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:55.659698009 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:55.664443970 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:56.546534061 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:56.551358938 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:38:56.551487923 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:38:56.556258917 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:08.249571085 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:08.254522085 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:08.260591030 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:08.265465975 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:13.075345039 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:13.080333948 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:13.080491066 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:13.085357904 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:14.043909073 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:14.048922062 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:14.049068928 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:14.053905010 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:14.059364080 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:14.064239979 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:14.064326048 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:14.069163084 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:16.984709978 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:16.989741087 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:16.989813089 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:16.994678020 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:20.824951887 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:20.829915047 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:20.829999924 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:20.834876060 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:21.637645006 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:21.642607927 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:21.642651081 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:21.647501945 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:21.731342077 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:21.736357927 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:21.736444950 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:21.741285086 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:24.842550993 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:24.847481012 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:24.848661900 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:24.853482008 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:30.840728998 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:30.845637083 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:30.845752954 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:30.850620985 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:32.903501034 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:32.908490896 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:39:32.908730030 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:39:32.913593054 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:40:04.897562981 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:40:04.902420044 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:40:04.902471066 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:40:04.907268047 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:40:15.466496944 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:40:15.471474886 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:40:15.471520901 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:40:15.476289988 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:40:17.544043064 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:40:17.554805040 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:40:17.555001020 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:40:17.565850973 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:40:20.530613899 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:40:20.535521984 CET	7702	49761	176.113.115.177	192.168.2.10
Jan 9, 2025 08:40:20.535742998 CET	49761	7702	192.168.2.10	176.113.115.177
Jan 9, 2025 08:40:20.541208982 CET	7702	49761	176.113.115.177	192.168.2.10

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 08:36:08.459943056 CET	1.1.1.1	192.168.2.10	0x2c6a	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 08:36:08.459943056 CET	1.1.1.1	192.168.2.10	0x2c6a	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	02:36:12
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1In8uYbvZJ.ps1"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:36:12
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:36:15
Start date:	09/01/2025
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\ipconfig.exe" /flushdns
Imagebase:	0x7ff7c88b0000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:36:16
Start date:	09/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x500000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.3808094845.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.3804713253.0000000003771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.3800395573.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF7C0F80FA4 Relevance: 2.0, Instructions: 2025COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1423397957.00007FF7C0F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c0f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64fbc3c8d036872e2ce5646b32964c7dee9ac6545307fd58844e57bd7d365018
Instruction ID: d84de92c8d43f26be201510ed2c4d7a0cb4e98bbd75a3152e7423250712c1e03
Opcode Fuzzy Hash: 64fbc3c8d036872e2ce5646b32964c7dee9ac6545307fd58844e57bd7d365018
Instruction Fuzzy Hash: 4BD21621A0DB894FE756AB2858552F4BBE5FF47720B4803FBD04DD7293DA18BC4683A1

Function 00007FF7C0F81390 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1423397957.00007FF7C0F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c0f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baced6756850ba02cf85121a0796ca96e5acb4b166763a011f401381864ca23a
Instruction ID: f4185ab3a78e1860e07e73da7ed17aaec4b02e6caed4739b92bd97b7340797ad
Opcode Fuzzy Hash: baced6756850ba02cf85121a0796ca96e5acb4b166763a011f401381864ca23a
Instruction Fuzzy Hash: 2451D721E0DA894FE756AA2844646B4BBE5FF57720B8D03FAC44DDB293DA18BC458390

Function 00007FF7C0F827E9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1423397957.00007FF7C0F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c0f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c856a8a648002e6130337c53825eb76417cc675a728d5f2c2185556dc8fdf9
Instruction ID: bfdbeae8813223c03e288a0f5c4b95e23c58e16f9de3a04b727d2b4e6682fd1f
Opcode Fuzzy Hash: 69c856a8a648002e6130337c53825eb76417cc675a728d5f2c2185556dc8fdf9
Instruction Fuzzy Hash: A3115E3180D7C98FC7429F3048292917FB0EF53210F1A01EBC494CB5E3D7286855C792

Function 00007FF7C0EBD8F5 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1422480806.00007FF7C0EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c0eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19a00d4f8f189f1d94aa75710177ac3495ecd0297a690d7c7366bb97b5b08b7
Instruction ID: 45ffb98ba48407398eb8ae3d126e48bbc4b8bd7cf6fecbdbece7be019ec47b65
Opcode Fuzzy Hash: f19a00d4f8f189f1d94aa75710177ac3495ecd0297a690d7c7366bb97b5b08b7
Instruction Fuzzy Hash: 08112D70918A4D8FDB89EF68C85CAAABBF0FF64305F0005EBD819D72A1DB34A544CB41

Function 00007FF7C0EB37B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1422480806.00007FF7C0EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c0eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 37279ebecb1d48eb42851782cad6bdfada433b85463237a750df3d463b31f13d
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: DB01A77010CB0C4FD744EF0CE491AA6B3E0FB85360F50052EE58AC3651DB32E882CB45

Function 00007FF7C0EBDB35 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1422480806.00007FF7C0EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c0eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b96a51c50db043ec36af74de80a41978607f820c3bd0385e29dd7d46c279ebf
Instruction ID: b521a1a88e6dcde36686c4972f7cb7c52234e6d79f0816b4de94db3e24f41eed
Opcode Fuzzy Hash: 1b96a51c50db043ec36af74de80a41978607f820c3bd0385e29dd7d46c279ebf
Instruction Fuzzy Hash: 4B018F7090864C9FCB49EF64C958AA8BFB1EF19304F0502DAC449DB1A2DB35A558CB41

Function 00007FF7C0EB4CA5 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1422480806.00007FF7C0EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c0eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c06e3ecb7a1eabff8184062f109301f1aa4a70223ea038fa946f4d788e6f74
Instruction ID: 185bdccfce0646dad10b0ef7124f0690f9f13abe984dd8d104d439645e1e453e
Opcode Fuzzy Hash: a0c06e3ecb7a1eabff8184062f109301f1aa4a70223ea038fa946f4d788e6f74
Instruction Fuzzy Hash: 95E0683148C2498BF3013E0498042E6B710EF40310F810376E41DCA2C3DB28A45AC2A1

Function 00007FF7C0EBA9EF Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1422480806.00007FF7C0EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c0eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d3487ff4fe8b86e7872b013d746ebbb43da73d526bb585c6594a6cdd9ec8df
Instruction ID: dd10e93fe5dcc8862475a81d5c12c5fa638a84731071b5f7776e99b23fda60fb
Opcode Fuzzy Hash: e2d3487ff4fe8b86e7872b013d746ebbb43da73d526bb585c6594a6cdd9ec8df
Instruction Fuzzy Hash: D3D0173084521A8FCB85EF6485516ADB7B5BB08340B600439D40AEB6A0D739AA018B64

Non-executed Functions

Function 00007FF7C0EB0F25 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1422480806.00007FF7C0EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c0eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7ec687efc4d08823bee10efe3643dba7760a1e5d684316a916d84e08e388a6
Instruction ID: 34593bdc9436d60c82ae11feb1bdc0ed8f47a0b4e761b23195c4b4a0f90e05e7
Opcode Fuzzy Hash: 3b7ec687efc4d08823bee10efe3643dba7760a1e5d684316a916d84e08e388a6
Instruction Fuzzy Hash: EB51C862E4E6C14FE3667E781825175BFA0AF13B707CC01FAC4888F1D79914794993AA

Analysis Process: RegSvcs.exePID: 8028, Parent PID: 7788COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	0

Executed Functions

Function 05197420 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

4, xrefs: 05197DF5

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: acad082809b3d4082debee48bc0c5df541449ca97273013d902b4363585fc67a
Instruction ID: 3fa7effd43e0e830cb5c539a4855580ee353930ba12cc7a171654077ed48ab29
Opcode Fuzzy Hash: acad082809b3d4082debee48bc0c5df541449ca97273013d902b4363585fc67a
Instruction Fuzzy Hash: D8B20634A10218DFDB18DFA4C884BADB7B6FF89300F148599E506AB3A5DB71AD81CF50

Function 05197747 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 05197DF5

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 1769581587831e7998356091a0a33c5d0861bd5659dfdd9b800fed1305e97e85
Instruction ID: 652f99fd287ffd3cb204d8adb91f4975fda16061c0c19252bd66337123b15c2f
Opcode Fuzzy Hash: 1769581587831e7998356091a0a33c5d0861bd5659dfdd9b800fed1305e97e85
Instruction Fuzzy Hash: CC22D934A10214DFDF28DF64C994BA9B7B2FF89300F1485A9E509AB395DB71AD81CF50

Function 05187080 Relevance: 1.6, Strings: 1, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{7, xrefs: 0518727B

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID: {7
API String ID: 0-2420609454
Opcode ID: 333ae965b30ccf6dd37932fb048a0eace8936d7ee243fdafd9493bc36725bfc0
Instruction ID: 48f40f7a93535a7f256a2dad074d80548e706d25335328846d32c9d27985ae71
Opcode Fuzzy Hash: 333ae965b30ccf6dd37932fb048a0eace8936d7ee243fdafd9493bc36725bfc0
Instruction Fuzzy Hash: DDE18A30B002048BE728EB69E494BBE76A3FB85301F25C529E4025B7D9DF35AD85CF91

Function 05187163 Relevance: 1.6, Strings: 1, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{7, xrefs: 0518727B

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID: {7
API String ID: 0-2420609454
Opcode ID: 4a18f789debb7855e26f8d5fa2f6c7f29875c342aa1cbc6bac8c8b71a6a57d83
Instruction ID: cdcdc06ab5131f5a72dec3ba7c7de54880a8c78128526a32a1eb5e901af3bcb5
Opcode Fuzzy Hash: 4a18f789debb7855e26f8d5fa2f6c7f29875c342aa1cbc6bac8c8b71a6a57d83
Instruction Fuzzy Hash: 69C18B30A00204CBE728EB69E054BBE76A3FB85701F25C569E4025B6D9DF36AD45CF92

Function 05185763 Relevance: .5, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237a79f2e9494d17324d7f68d91b1e4e01032855eed13f9f51181365a5400e37
Instruction ID: 254b982538d11e94831e527a6743b80d042ffff14ee8cc543308d79252cc6d86
Opcode Fuzzy Hash: 237a79f2e9494d17324d7f68d91b1e4e01032855eed13f9f51181365a5400e37
Instruction Fuzzy Hash: B5028774B002059FDB29DBA8C494A7EFBF2FB88300F248629D55A97381CB34AD51CF95

Function 04E4098D Relevance: .4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a645fdea37bea1663be2d3273a8304099323d442a71e6777c3bbbde726499de5
Instruction ID: 41d1462e63fdc4f80500bce2bc2e334138ca722b95e793472d53a53715f1136e
Opcode Fuzzy Hash: a645fdea37bea1663be2d3273a8304099323d442a71e6777c3bbbde726499de5
Instruction Fuzzy Hash: C802E874A002189FDB55DF68D894B99B7B2FF88300F51C5A9E50AAB361DB30EE81CF51

Function 04E4D9F8 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b93e6e678e4e14d50c5bf43565cc0ada2c118c99dd6c816f946f7bf6e3f01d3
Instruction ID: 3bef7d3708e114c519fbaa3487feca9bae0bcf51b599b3a48d1e2b92c92209a3
Opcode Fuzzy Hash: 9b93e6e678e4e14d50c5bf43565cc0ada2c118c99dd6c816f946f7bf6e3f01d3
Instruction Fuzzy Hash: 56914930A04208CFEB04DF56E884FE977F2ABC5308F19D5A9D405AB299D778A982DB44

Function 05189C88 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadfa8b91c398a288fa339f7c76e15a80830bf5de3604b26cc6d6d9b900cfcf9
Instruction ID: 0273c746db880915061c0c814d6d91e51bc79433730a649cccdedfbd0b8c9e42
Opcode Fuzzy Hash: cadfa8b91c398a288fa339f7c76e15a80830bf5de3604b26cc6d6d9b900cfcf9
Instruction Fuzzy Hash: A0517B34A00104CFDB28EF59D889BB977F3FB89315F258169E506AB7A5CB359881CF44

Function 04E489A8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48733d085af9d38bb1070dcb1bf37a43d9c9f98e7e64b4ca8e35565b360a329
Instruction ID: d1c6a7ee15280cd564fdae5450075e68aedb0cff5510eeb06c283ae00083bc3b
Opcode Fuzzy Hash: f48733d085af9d38bb1070dcb1bf37a43d9c9f98e7e64b4ca8e35565b360a329
Instruction Fuzzy Hash: 8D516E74A04208CFCB44EFAAE495BEDB7F2BB89308F10C05ED416A7251DB796945CF46

Function 05189C98 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8267b8d9dd82c6350bef1cd8abfe07623917bf692083c92a96041349c078fc50
Instruction ID: 66f75588b0397abb0fd8764fc4c4848800953caee622d39121c5836ea771804c
Opcode Fuzzy Hash: 8267b8d9dd82c6350bef1cd8abfe07623917bf692083c92a96041349c078fc50
Instruction Fuzzy Hash: EE515934A00104CFEB28EB59D889BB977F3FB89315F258169E506AB7A4CB759881CF44

Function 04E489B8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6768f4164ed00091a0b6f32c0da1a07c261cd593f1f09f73bf876d9cfad3b546
Instruction ID: 294b3586b0f0ab926b445f948d037584f6331388f18b34493ebcd949ce89410e
Opcode Fuzzy Hash: 6768f4164ed00091a0b6f32c0da1a07c261cd593f1f09f73bf876d9cfad3b546
Instruction Fuzzy Hash: 67514E74A00208DFCB44EFAAE455BAEB7F2BB89308F50C05AD416A7251DB79A944CF46

Function 04E40040 Relevance: 1.8, Strings: 1, Instructions: 599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 04E404B6

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 88cdb8bfe5e05453e3f6a09f11f5820a7621b6c125c99025b8a8d780617bfae8
Instruction ID: 924cfca6f35ff166b88a7f7006ebd801c7b4f0b119416c16453aa1746cb8de2f
Opcode Fuzzy Hash: 88cdb8bfe5e05453e3f6a09f11f5820a7621b6c125c99025b8a8d780617bfae8
Instruction Fuzzy Hash: BB422774A04218CFDB64DF69E894BADB7F2BF88304F5084AAD51AA7355DB30AD81CF41

Function 025ED6B0 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 025ED724

Memory Dump Source

Source File: 00000004.00000002.3800142239.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8da336358864d1827b59fb3c7ad0aba170a095218f62eae6ad0793724382131b
Instruction ID: 0cb2efb477c74ad154ed5aae92aa288a52415c43f511edc106c6e2c3d21d5eb4
Opcode Fuzzy Hash: 8da336358864d1827b59fb3c7ad0aba170a095218f62eae6ad0793724382131b
Instruction Fuzzy Hash: 9F1102B1D003088FDB24DFAAC480BAEFBF5BB48220F14842AD419A7200C775A945CBA4

Function 04D00B28 Relevance: 1.4, Instructions: 1383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3806613775.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275f5172f6d02001c965760bfde7fb84163273f120fdabe66af619345ee7c3c0
Instruction ID: 4daf76442044e251777f765c9c605f6ad3b86b3a481e587276ee32d531c67499
Opcode Fuzzy Hash: 275f5172f6d02001c965760bfde7fb84163273f120fdabe66af619345ee7c3c0
Instruction Fuzzy Hash: EEA2E130F00325CBEF261A68555433EA5F7BBC9B10B858029E956EB3C4EF75EC818792

Function 025ED860 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 025ED8C2

Memory Dump Source

Source File: 00000004.00000002.3800142239.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_25e0000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1c1c4beefe009f87122e1e876f0011f8de111388665d4b4990adb37215cb2975
Instruction ID: 5a110661e5f2ab33922be377538649d3b99feee760df83ce09df441fd413bd6e
Opcode Fuzzy Hash: 1c1c4beefe009f87122e1e876f0011f8de111388665d4b4990adb37215cb2975
Instruction Fuzzy Hash: 49113AB1D043488FDB24DFAAC4447DEFBF9EF88324F248419D519A7640CB756945CBA4

Function 0518A1E9 Relevance: .6, Instructions: 550
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b8818ad479a472e136b5edeb4243b5d6eac667a5708c002927a0c54ee2e6ac
Instruction ID: 6dbcc8b7753097a333dddf2d6156a02c748de565ace2c2001c1c9c02410b26ca
Opcode Fuzzy Hash: e0b8818ad479a472e136b5edeb4243b5d6eac667a5708c002927a0c54ee2e6ac
Instruction Fuzzy Hash: 99219A30A00200CFD760FB65E499B7A3BA2FF84320F65846AC002972A9EB349982CF41

Function 0519A0AF Relevance: .5, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365bd9e1266d8fe31b73764b039630161220d996052fa5930eeadea0e5eb68c0
Instruction ID: 4ffc5930d77c1794639a382ea3449d1956e9e6b52706632f2d95e8d598d21995
Opcode Fuzzy Hash: 365bd9e1266d8fe31b73764b039630161220d996052fa5930eeadea0e5eb68c0
Instruction Fuzzy Hash: ED22AD35A10204DFDB18DF69D490B6DBBB2FF88300F158469E906AB3A2DB71ED84CB51

Function 051994E8 Relevance: .5, Instructions: 516
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a64eba83c838896ff5ba8e5fbbce998bbafdaa8bd38b2a4f7e0d792675d4a6
Instruction ID: 14ffb1951bb229512fa4af0ffca7536283498f1ecf22ea11b7e3b4ae22b564ca
Opcode Fuzzy Hash: d2a64eba83c838896ff5ba8e5fbbce998bbafdaa8bd38b2a4f7e0d792675d4a6
Instruction Fuzzy Hash: 63224A30A04219DFDF19DFA5C854AAEBBB2FF48710F148519E812AB395DB38AD41CF91

Function 0519DB80 Relevance: .5, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1adc3f2ed220ca777bd178d37cb03e508c5fa9956e810d11bfe12ddc6a97967
Instruction ID: d4cd1a102e86fd698200b40c71fdb9c01326e8ca33f160492d4562d909ac1318
Opcode Fuzzy Hash: c1adc3f2ed220ca777bd178d37cb03e508c5fa9956e810d11bfe12ddc6a97967
Instruction Fuzzy Hash: 66124A71A00204DFDB29DFA5D485A6EB7F2FF88300B14852DE446AB391DB75AC46CB91

Function 05180CD0 Relevance: .4, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd43bd3902d1d5eb4524221284d48012b3933ff65cb2d4a202a6a213e276245a
Instruction ID: 5f9ce775e6886435c027c169b4d77eead31ce0b57bb9122f3ad0d7f07ebd667a
Opcode Fuzzy Hash: cd43bd3902d1d5eb4524221284d48012b3933ff65cb2d4a202a6a213e276245a
Instruction Fuzzy Hash: C512E935B002199FDB15EF64C898BADB7B2BF89300F5185A8D44AAB355DF70AD86CF40

Function 04D022D0 Relevance: .4, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3806613775.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d674f3989513c98f633802f1eca08b12f0ea04acf8b6aaf5ab4ebc727d78b443
Instruction ID: 979e29ee5b41b1caf48f9ea1c628b4e635946d907e7a9f13758f806d0fb899a9
Opcode Fuzzy Hash: d674f3989513c98f633802f1eca08b12f0ea04acf8b6aaf5ab4ebc727d78b443
Instruction Fuzzy Hash: B0D14C307103018BE7185AA994EC72BE6BBABD5704B90847DAA02DB3D4DFF4DD4587A2

Function 0519F840 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3438bbf6df7947610beaf1acc90e8b7bbd7b25437abc51fa2bfa763dde4cea50
Instruction ID: e63ffae7d5d0ddba3ed752b6b3e7163bebeeb90050976f0e5b62aa786f976889
Opcode Fuzzy Hash: 3438bbf6df7947610beaf1acc90e8b7bbd7b25437abc51fa2bfa763dde4cea50
Instruction Fuzzy Hash: 1BF1C934B10218DFDB09DFA4D599AADB7B2FF89304F158558E406AB3A5DB71EC42CB80

Function 051813AF Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad7bea61b5564a05a1565b911012bc4eb0fb9763657a680fa5595e2025c79c8
Instruction ID: 3e01cc56eb61f867dc6103fad77bf54ef95e83fdea09addcaa730d32799c8249
Opcode Fuzzy Hash: 7ad7bea61b5564a05a1565b911012bc4eb0fb9763657a680fa5595e2025c79c8
Instruction Fuzzy Hash: 63E14035B00209DFCB15EFA4D494AADBBB2FF89310F508559E406AB365DB30AD46CF91

Function 0519E3C0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdae562e3c48238f5e0f7bceb5dc14d222190b822b27572da391bc54959b64d
Instruction ID: ed1d6ae377598071720946ff011311c6e411cd9cfa39e848dc637f5cf2e175d8
Opcode Fuzzy Hash: cfdae562e3c48238f5e0f7bceb5dc14d222190b822b27572da391bc54959b64d
Instruction Fuzzy Hash: 8AD1C0747006159FDF18DF28C484BAEB7A6FF88314F158668E8059B3A1DB34ED46CB91

Function 05188768 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fa0cea10564df64da559e1ff1412eb4c1ea6b58d2cb123c2542d778c1e6a63
Instruction ID: a5683fe8658c9bb601fb8ba08022b96a4f7e742b34c777ef1a30420189acaa52
Opcode Fuzzy Hash: 28fa0cea10564df64da559e1ff1412eb4c1ea6b58d2cb123c2542d778c1e6a63
Instruction Fuzzy Hash: FB913872B043005FDB25AB34985073E77A3EFC6220B54856AD446DB392EF34DD078BA6

Function 05182D70 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79634dcd4f7410a52c95af59ac88f9e606a11ba22a3544d2424f634ac2561a3
Instruction ID: 55b86aabbb7402c81a9df48941069364e58ab7d8d28eff209bb40410005c1ccc
Opcode Fuzzy Hash: c79634dcd4f7410a52c95af59ac88f9e606a11ba22a3544d2424f634ac2561a3
Instruction Fuzzy Hash: 00C1FA75B00218DFCB09EFA4C994AADB7B2FF89700F504569E506AB3A5DB71AC42CF50

Function 05182DA0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a02d882ff5b7b707125e2f0d5af8dab0424bbfdf0649c470e8d5505e67b985
Instruction ID: ebfd385df484fa1a26f18fa8d915c1b2b83f9efee5a9ff92e3dc278acffb2606
Opcode Fuzzy Hash: a6a02d882ff5b7b707125e2f0d5af8dab0424bbfdf0649c470e8d5505e67b985
Instruction Fuzzy Hash: C6C1B475B00218DFDB08EFA4D994AADB7B2FF89700F104569E506AB3A5DB71AC42CF50

Function 04E48C28 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcafe305fd0a2389826c7437773c903f2f076cb9519a425843a8dcf861a1af6b
Instruction ID: 0197b9aa733c4a379ecf1e7512b730bdd7d2e0e7f659a1aad1d1bf7d1803cd2b
Opcode Fuzzy Hash: fcafe305fd0a2389826c7437773c903f2f076cb9519a425843a8dcf861a1af6b
Instruction Fuzzy Hash: BAB18C34A012049FC714EF69D494A6ABBF2BFC9310F25C5A9E406AB3A1DB71EC45CF91

Function 05183D38 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457a09601dba59e5353b97d51f2e1d598d327e68af0b54f60beb1364cf7d1116
Instruction ID: 36667153dd5914976bf2715ca289cfb26513a8727c76af860c36e4533e5e286a
Opcode Fuzzy Hash: 457a09601dba59e5353b97d51f2e1d598d327e68af0b54f60beb1364cf7d1116
Instruction Fuzzy Hash: F5A16D35B006149FCB09EF68C494AAE77B3BF8D700F108A58E5169B3A5DF70AD42CB91

Function 05195C78 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e74fa5d7fd37d374f0e03ab1107e449950b64cef5920f5c28ce87c667e395c6
Instruction ID: c6c80d7d48f25b53b13b0216dcb4ffd40555387dccba5d55b41f32264a475495
Opcode Fuzzy Hash: 5e74fa5d7fd37d374f0e03ab1107e449950b64cef5920f5c28ce87c667e395c6
Instruction Fuzzy Hash: 23A17A35B012049FDB1ACFA5D498AADBBB2FF88211F158469E912EB391CB35DD41CB50

Function 0519A848 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb1e83c11e35f22030c4c0dddb173291e34bf4c91ceea6e81aaacabf18c15c1
Instruction ID: b5ab1fa6618fc68419840f1b7553789320f50b9f8fcd8af9e2e9f2e2825d860b
Opcode Fuzzy Hash: fcb1e83c11e35f22030c4c0dddb173291e34bf4c91ceea6e81aaacabf18c15c1
Instruction Fuzzy Hash: BD91F274B006148FDB18DF29C494AAA7BE6FF89711F1180A9E502DB3B1DB70ED45CB91

Function 0519F830 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae568210ca2d02db07170c88360b216953e3a870892e0fa682236cf7b451707
Instruction ID: 1a428ffefd3b3ca31e2b7d469373a772b7789abc12acbc6fdff40756c60ec6d3
Opcode Fuzzy Hash: 3ae568210ca2d02db07170c88360b216953e3a870892e0fa682236cf7b451707
Instruction Fuzzy Hash: DFB1DC34A10218DFCB09EFA4D899E9DBBB2FF89300F558155E506AB365DB70EC46CB80

Function 0539F990 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3810413248.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5390000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac31916669c3b9d12fa3f2b85eee67edccba46cdc1bc4c56aab8ed167adfde74
Instruction ID: 00b16760f22cc3f75095c13fe93c17829ad8d6212b934667ccc56e24b16bb7f6
Opcode Fuzzy Hash: ac31916669c3b9d12fa3f2b85eee67edccba46cdc1bc4c56aab8ed167adfde74
Instruction Fuzzy Hash: CF81F8B5B046158FDB0AEF38C45496E7BB6FFC5200B1081AAD106DB3A1DB74DD06CB92

Function 051832A0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16e2132fa0d341a0b09fca740cb67293e7a5ffc987e130d981fa6c49e793684
Instruction ID: 467af30e9c46ac5f46135009e5c49e02adeb875aa7a8f6011a31f90329c1446a
Opcode Fuzzy Hash: c16e2132fa0d341a0b09fca740cb67293e7a5ffc987e130d981fa6c49e793684
Instruction Fuzzy Hash: 6A9106353012049FDB14EF28D894E6A77A2EF89715F2485A9EA168F3B5CB71EC41CB90

Function 05180CC3 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64db7efe84d738dac7d940d813f83ae2dd12d4ca3685cfb75561a804dbc886f
Instruction ID: 912b08716acf3df3764310593344717bff32d05c291359bcfc7464d2ef539fab
Opcode Fuzzy Hash: a64db7efe84d738dac7d940d813f83ae2dd12d4ca3685cfb75561a804dbc886f
Instruction Fuzzy Hash: 6BA10E35B002159FDB24EF64C894BA9B7B2BF88300F5185A8E54AAB3A5DF70DD85CF40

Function 05181C68 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e63ba9d50f4901f6288e84ca231988777845377a0434f53147187d53d9cace
Instruction ID: 9e1afcdf04bc848d9c6275958b5fadee9ed106a7468dd7a7e6a21e2321d2d74e
Opcode Fuzzy Hash: 16e63ba9d50f4901f6288e84ca231988777845377a0434f53147187d53d9cace
Instruction Fuzzy Hash: C3814A35B50614DFDB19EF68D498AADB7B6BF88710F148169E506DB3A1CB30EC42CB90

Function 0519B9A8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b165325c0038b9d74cf4126d3a61c865ea3f17c62d23a2f80eb52892b471ce00
Instruction ID: 0ad6d287672858533de06f1d4c983ab6799011799a7efe4e9e1110914ba3e5ff
Opcode Fuzzy Hash: b165325c0038b9d74cf4126d3a61c865ea3f17c62d23a2f80eb52892b471ce00
Instruction Fuzzy Hash: 48811A75A04618DFCB28DF68D484E9DB7F5FF88310B158569E816AB360DB70ED81CB90

Function 05183A50 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32069c0e525d00f85ef30d8f4c7620aabffdbe9f8bb18d8e45f7ffdc6e9fbad4
Instruction ID: 6add1073366563f7edc43cd72430ff9d65da5b2cde892fa7b4d0018f096e14d7
Opcode Fuzzy Hash: 32069c0e525d00f85ef30d8f4c7620aabffdbe9f8bb18d8e45f7ffdc6e9fbad4
Instruction Fuzzy Hash: 9C814F34B00609DFCB29EF68C498AADB7B6BF89704F144969D412973A1CB759D46CF80

Function 05198A41 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e45db339e07141facdd2914c63c2ed684f7f7bf0ed7d540c9d676274220822
Instruction ID: d82db4135484d6674f58f7387e149f0adf52521797763d6ee4581221ea1e81d8
Opcode Fuzzy Hash: f4e45db339e07141facdd2914c63c2ed684f7f7bf0ed7d540c9d676274220822
Instruction Fuzzy Hash: 2F618C317002049FDB29AF34D454A6EB7A7FF86350B54886DE9069B3A1DF35EC02CB96

Function 05183A23 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faab19f2bd41bd49681461ba9efc07f8ce3c97395e41f8163505c9aa4f37119e
Instruction ID: 4af58ca6d3ebd66d38b9352dc065fa2f52fff898cf52c5006793893f2479b3e2
Opcode Fuzzy Hash: faab19f2bd41bd49681461ba9efc07f8ce3c97395e41f8163505c9aa4f37119e
Instruction Fuzzy Hash: 547182347006459FCB19EF78C458A6DBBB2BF89700F1849A9E4129B3A1DB74ED46CF90

Function 05181C5B Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3db89f7f82578545ff7d0eca4a7e51ac0111b58082aa460a4843ae6d3533fb5
Instruction ID: 9a9dd89ba816af19eeb48fad8bbcefb4b366e9302c59c10f10472d735333377e
Opcode Fuzzy Hash: c3db89f7f82578545ff7d0eca4a7e51ac0111b58082aa460a4843ae6d3533fb5
Instruction Fuzzy Hash: CA611975B50614DFCB19EF68D498AADB7B6BF88710F148169E5069B361CB30EC42CF90

Function 051873E5 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c33f03b6a2d8eb230a088ef1b537e29ed7b09b902fe7d825729aa5254b54ae2
Instruction ID: eaf69ba43f652d13ab350d05f7d8049e92b39632f1adc0ba50aa4d4221efc8a3
Opcode Fuzzy Hash: 9c33f03b6a2d8eb230a088ef1b537e29ed7b09b902fe7d825729aa5254b54ae2
Instruction Fuzzy Hash: C6617B30A01604CBDB38EB59E044BBEB2A3FB81705F79C969D4015B6C9DB369D49CF91

Function 04E48C38 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5bf27738eb03c6a134986ab734d5131653c75fc0462a83a76925d25cdf9701
Instruction ID: 0a636befb3ec33b0ba252e6b99f9d2830ae640c9d6e55fc55998941983a74ce8
Opcode Fuzzy Hash: 5e5bf27738eb03c6a134986ab734d5131653c75fc0462a83a76925d25cdf9701
Instruction Fuzzy Hash: F1616778A016049FC714EF69E484A59BBF2BF88314F56C5A9E416AB3A5DB30FC41CF90

Function 04E4E138 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9053daa7a53b132e546e2f4c5b1709d17c90e8e6ab2085ad02b251362eaf58d9
Instruction ID: 778c96a0ee4e5d531f32de00ce98f0e00d3906c94f49adaf1678a8db7ec78b22
Opcode Fuzzy Hash: 9053daa7a53b132e546e2f4c5b1709d17c90e8e6ab2085ad02b251362eaf58d9
Instruction Fuzzy Hash: BE51BF30B00100CFEB04DF6DF449BAA73E2BBC9304F25A5AAD0069BB95DB74AC81CB45

Function 05196D10 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c9f74d0264ebf5c773767be91302afda81a95733698a33d8d44fd99a687cab
Instruction ID: af5ebe015239ff39aefaa4c593d822c2586f1c7bad67666a02c612a892ebd750
Opcode Fuzzy Hash: 24c9f74d0264ebf5c773767be91302afda81a95733698a33d8d44fd99a687cab
Instruction Fuzzy Hash: 07517C357002108FDB15DF69D890AAEBBE2FFC9310B5581AAE506DB361CB31ED01CBA1

Function 05194548 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6da0d3240dec88bb8fce8f023fddc4ea838cb8fc200236140672e868628657
Instruction ID: 477aa500c417934d08b8cf707b6c63ffc94c249df089e56b9c9dba23a5eb561e
Opcode Fuzzy Hash: 8f6da0d3240dec88bb8fce8f023fddc4ea838cb8fc200236140672e868628657
Instruction Fuzzy Hash: 0B515F76600104AFDB499FA8D804E697BB3FF8D3147198098E2099B372DB36DC22EF51

Function 0519EE48 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99e4991b0916e5c1d69ff65b676219c6ef08a939c258b3857c91f4137911de3
Instruction ID: 4f2b2f6d3dbca2c55e2ec918a2198da131054c65943fc848397cc793337a40a8
Opcode Fuzzy Hash: b99e4991b0916e5c1d69ff65b676219c6ef08a939c258b3857c91f4137911de3
Instruction Fuzzy Hash: 6351D471A003048FDB09DB79C4507AEB7A7BFC9200F54886DD44AE7391EF74AD468BA2

Function 04E4D242 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33931c56d73f63b6e2eb909b315705dc0300d1aa4a9fb7245560c67318710e70
Instruction ID: 27e3b3e05a16ab0c8b0b3262011a55917c2638e044b79148e35c73fd01552f92
Opcode Fuzzy Hash: 33931c56d73f63b6e2eb909b315705dc0300d1aa4a9fb7245560c67318710e70
Instruction Fuzzy Hash: 51517F34704201CFEB14AB65E855FAA33A3EBC4704F15D16AD4028BB99DF38ED52CB89

Function 051876F5 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6c0d2540e92e8d7dc0726a9363361def71619720b28d480ebeb44b6aa18160
Instruction ID: f5d55661eb855f8e00c497d3da8123bf4e675e66c4bda6e0ad5afd755e4684e4
Opcode Fuzzy Hash: 0a6c0d2540e92e8d7dc0726a9363361def71619720b28d480ebeb44b6aa18160
Instruction Fuzzy Hash: 7A515C31A01604CBDB38EB59E044BBEB2A3FB85701F79C969D4055B288DB369D49CFE1

Function 0519F410 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686cd99bea58bb8084e585bceee05ead5d80142f2731f5ced0d26c38d4cb35e9
Instruction ID: 9993f05541f407c6f77a07be947d3b27c8ce974ff826187868047c26b626b0a5
Opcode Fuzzy Hash: 686cd99bea58bb8084e585bceee05ead5d80142f2731f5ced0d26c38d4cb35e9
Instruction Fuzzy Hash: 54513C34B10609DFDB059F64E499AAEBBB6FF88705F008119F5029B3A4DF349D46CB81

Function 051954F9 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201377947ef367a0e4a0cab5c1bf5e9b670b7763ca2d39f56cad7f68f16b4cb0
Instruction ID: 5a1ef329a7c833a92180db7b5bb3643d4126998cbf254223bb094aa2bc103117
Opcode Fuzzy Hash: 201377947ef367a0e4a0cab5c1bf5e9b670b7763ca2d39f56cad7f68f16b4cb0
Instruction Fuzzy Hash: 2841DF35A04246CFDB06DF68C484A6ABBB7FF89310B5681AAE515AB352D730EC51CB90

Function 05189F68 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4121e4b583eff3146cd366a4f300c9988fa7f0d8dcbb8bbed83ca877ccb3aa
Instruction ID: 65e7b739b119f1cb2466f2fe3940823567fc73ef6fd2cb7633eb9a45e22b2d0c
Opcode Fuzzy Hash: bd4121e4b583eff3146cd366a4f300c9988fa7f0d8dcbb8bbed83ca877ccb3aa
Instruction Fuzzy Hash: 6C516C35A10104CFD728EB69D489BB97BE3FF89314F25806AE00697B95CB78AC81CF41

Function 04E4D250 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e991b2b9e5d6bddd4bc45a31934fc6ec467a0ef107e7d3bc3195d60ce7bd663e
Instruction ID: 57922900e5379f14ca16af38f5d7e3f77e6242679f4f08e3614bbe776aea842d
Opcode Fuzzy Hash: e991b2b9e5d6bddd4bc45a31934fc6ec467a0ef107e7d3bc3195d60ce7bd663e
Instruction Fuzzy Hash: E0515E347042008BEB14AB65E855FAA33E3E7C8705F15D169D5028BB9DDF38ED52CB8A

Function 05189F78 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db03ab011bea870ccfd2de40def4a42e87f361cfcd9f5df5420f2633c85f953a
Instruction ID: cdb09bdd9e2486b9256a44bd936cdb1e7e693c16ead637e3207bed091ec67a47
Opcode Fuzzy Hash: db03ab011bea870ccfd2de40def4a42e87f361cfcd9f5df5420f2633c85f953a
Instruction Fuzzy Hash: F7514A30A10104CFD728EB69D489BB97BE3FF89314F65806AE00697B95CB78AC85CF55

Function 051877A9 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a6abb2c69cf0c66e39f946ab228b8eba35ed0eb192fe9a4a543c10b6306d38
Instruction ID: a61ff568f0e10e12860fb36a608719d1f1afb4b0a8b65e210ad3aea3233e59f4
Opcode Fuzzy Hash: 45a6abb2c69cf0c66e39f946ab228b8eba35ed0eb192fe9a4a543c10b6306d38
Instruction Fuzzy Hash: 6E514930A01604CFDB38EA59E044BBEB2A3FB80705F79C969D4055B289DB369D49CFE1

Function 05180A90 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f8028389c474579d5a43a82b2c277cf93514d3ec728e274ecedbd6743f64c2
Instruction ID: 081161e377bcff3293deb46dd137c34cf2f4430e309f74fcf757d737f36b98f2
Opcode Fuzzy Hash: 64f8028389c474579d5a43a82b2c277cf93514d3ec728e274ecedbd6743f64c2
Instruction Fuzzy Hash: 84418D30B102189FCB19BB64C498A6EB7BBAFC8700F104429E406AB3A5DF749C468B91

Function 051875D5 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9908d65ea25eb55e04069717f6924d671ff57a95dd4224fd69b9460890eaeac8
Instruction ID: 49730fc3627740d5fe0ca8dd0b59ed70dbe70aa459245d0e1efee5c035cd1aa3
Opcode Fuzzy Hash: 9908d65ea25eb55e04069717f6924d671ff57a95dd4224fd69b9460890eaeac8
Instruction Fuzzy Hash: BE514930A01604CBDB38EB59E040BBEB2A3FB84705F79C969D4055B685DB369D49CFA1

Function 05187634 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5f97aeabce81799abfb3100f565cfdf4393e9eb78181505681c4cb197079e9
Instruction ID: f36835dba5503c02da15321a40fb8a87cefb0a7d1baf558f4fa7a3222195e28d
Opcode Fuzzy Hash: bf5f97aeabce81799abfb3100f565cfdf4393e9eb78181505681c4cb197079e9
Instruction Fuzzy Hash: 6A513930A01604CBDB38EA59E044BBEB2A3FB80705F79C969D4055B689DB369D49CFE1

Function 051875C8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c2215e2169bb4e858e82cc7173a2c283708905e5c8f42301beb216ec3358ec
Instruction ID: b2253893019e000b57055b52d31d6419b98dfc3133b08eda717722825fa1a30b
Opcode Fuzzy Hash: 60c2215e2169bb4e858e82cc7173a2c283708905e5c8f42301beb216ec3358ec
Instruction Fuzzy Hash: 36515C31A01604CBDB38EB59E040BBEB2A3FB80701F79C969D4055B689DB369D49CFE1

Function 0518750F Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bbfb820580a41b5d3d9e56e9c1c98a7799345bf9385db143ee7d526562b5f0
Instruction ID: 30369d9a0394bc1885ebf5fb28bedefbf0ba33d8afe20e3333a4bb788d690700
Opcode Fuzzy Hash: 60bbfb820580a41b5d3d9e56e9c1c98a7799345bf9385db143ee7d526562b5f0
Instruction Fuzzy Hash: CB514A31A01604CBDB38EB59E040BBEB2A3FB80701F79C969D4055B689DB369D49CFE1

Function 05187F69 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eba07d28cd2d16714c6b1ef134324830639e37fadde518af10b83e81fa8db29
Instruction ID: a9fbf596060c88b0a4f928555effd1808475790e3b0b4f6af1386c8763b90506
Opcode Fuzzy Hash: 9eba07d28cd2d16714c6b1ef134324830639e37fadde518af10b83e81fa8db29
Instruction Fuzzy Hash: DC517A39B001009BD714EB66D485B6A73E3FBC8305F25C469E51287399CB38AD46CF91

Function 05187F78 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1179c6f8b6ef7b49bdf73c453d7bdd55f8c0ea25dd72087230dc1838c0fa11
Instruction ID: 0312cbba87562e64f680e1ba5c92138b499d3f5e41719a633217bb64c626cd81
Opcode Fuzzy Hash: 1d1179c6f8b6ef7b49bdf73c453d7bdd55f8c0ea25dd72087230dc1838c0fa11
Instruction Fuzzy Hash: 34516B397001049BD724EB66E485B6AB3E3FBC8305F25C469E50687399CF38AD46CF91

Function 05185658 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2f288bd7039de02918d77be9f5236d284eb5c06c90466c75275c9186f0864b
Instruction ID: f788db70cb98eb5a24752e64ca4c42078e75a6442ca783dc203e5c49d4c03f9e
Opcode Fuzzy Hash: 1a2f288bd7039de02918d77be9f5236d284eb5c06c90466c75275c9186f0864b
Instruction Fuzzy Hash: A041A079F007119FCB24EB68D85466EB7F2FFC8221754892ED96AD3740DB30A901CB91

Function 05184FE8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29574f40424a99d820c54bfb731b3cbcf423a93f8a5b7f679251e43ebb6d75e
Instruction ID: b64bc894c0001745b8d048670cbda81d825cde205a72385c61c1b7d25265bf24
Opcode Fuzzy Hash: f29574f40424a99d820c54bfb731b3cbcf423a93f8a5b7f679251e43ebb6d75e
Instruction Fuzzy Hash: C241A971F007149FDB74EB68D5542AEBBF2FF84210B05886ED49AD7A80EB34E9418B81

Function 04E481B0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8526135511e2e921b47128648ebaf59523d88588253affbfb3f3afa5089ef38
Instruction ID: 1706c1401a0562b14686ca28ca8dff67b38ba89f12c9179ae2bb6931cc9f6525
Opcode Fuzzy Hash: f8526135511e2e921b47128648ebaf59523d88588253affbfb3f3afa5089ef38
Instruction Fuzzy Hash: B831F23AB006114BE7257B65B81472F37A7EBC4358F15952ACE0A87794EF24EC0287D6

Function 05181F60 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15055daf21d67d1278fd902006c863eb06909130f962eb80b6ad485e82f7cb44
Instruction ID: 3e7c615a5fa3f88f4a4a8f67f442b894e86179b38b785b56723a255c031a04a3
Opcode Fuzzy Hash: 15055daf21d67d1278fd902006c863eb06909130f962eb80b6ad485e82f7cb44
Instruction Fuzzy Hash: 47419236A401089FCB15EF64D895BEEB7B1FB88310F14806AD502BB391DB359D16CFA0

Function 05195F98 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9a6abf3f6745be1fbe1bf5b7685d0d1b17f7e15369d16a2ccddfce3e517c7f
Instruction ID: 4751156183d45f066d8e905c77523fdca3cb6b56d202ff3d2e3a849160fad02d
Opcode Fuzzy Hash: 1d9a6abf3f6745be1fbe1bf5b7685d0d1b17f7e15369d16a2ccddfce3e517c7f
Instruction Fuzzy Hash: 79416F34B00209DFDB29DF64C894B6ABBF2FB88750F15C429E816AB381DB75E841CB50

Function 05185418 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61fb8c5810c6e1989fddad198823f3b350ab78763c7e0018bf9230b4454f8b2
Instruction ID: 793d160c116c7baf2973df44b538d8940dee6c384ec30335e8b8eb6e588b790d
Opcode Fuzzy Hash: a61fb8c5810c6e1989fddad198823f3b350ab78763c7e0018bf9230b4454f8b2
Instruction Fuzzy Hash: E7418B75A00744AFCB31DFA9C448A6ABBF2FF88201F198559D58697B51EB30E844CF61

Function 05195568 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2742866b02f92a6ab086b58c7597439e52e938fe92280f322ccee740ca23806
Instruction ID: 995c5eb411e12a943ea4cb1b633e00773e5cbe4cc8f9679d45a3e1de98dfb30f
Opcode Fuzzy Hash: a2742866b02f92a6ab086b58c7597439e52e938fe92280f322ccee740ca23806
Instruction Fuzzy Hash: 2041BD31B00645CFDB05CF28C484A6AFBB6FF89320F168699D569AB282D730F851CB90

Function 05185560 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86afc5a82a8f2fcfb2f39467c33b2bbd0b4376891abff80b0f82a1310dc54bb2
Instruction ID: bd262d0f28a41604f03c0d550e56c34b2bc1d163c3f09b114935483b455d28bd
Opcode Fuzzy Hash: 86afc5a82a8f2fcfb2f39467c33b2bbd0b4376891abff80b0f82a1310dc54bb2
Instruction Fuzzy Hash: 79411571F04305AFCB249B68C804BADBBB3FF85311F11806AE556DB290DB309905CB51

Function 0519EE46 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea919987b4ec0bb95c11feb8c0b61c136ec11e3c7ac4bd890e45c204dccf3e93
Instruction ID: 5b9be156819a57fe40185eb7e43c589349bdc5829f458e4fc564492448df8889
Opcode Fuzzy Hash: ea919987b4ec0bb95c11feb8c0b61c136ec11e3c7ac4bd890e45c204dccf3e93
Instruction Fuzzy Hash: F2419E71A003049FDB19DB68D8407AEB7B7BFC9200F54C92CD44AA7351EBB5A9468BA1

Function 05189DDC Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b346abaa761ff714bad5d4f7f94152b71c1a6ae187e3411d4fe1bd2632ff02
Instruction ID: 39776108ce2384bd7ad91857856d18c7a6bff10d50fb4e0df032223167bf5eeb
Opcode Fuzzy Hash: 63b346abaa761ff714bad5d4f7f94152b71c1a6ae187e3411d4fe1bd2632ff02
Instruction Fuzzy Hash: AA415B38A00104CFEB24EF55D889FB977B3FB89315F258169E5029B6A5CB759881CF48

Function 04E413AB Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4eacaedad782ce0478fffa8aab431d821995e718209af58b0e61e6ccfc083d
Instruction ID: 7f016a32ad18cc54af95b1f8917140ec638489456e0951cce37900b258e50828
Opcode Fuzzy Hash: fc4eacaedad782ce0478fffa8aab431d821995e718209af58b0e61e6ccfc083d
Instruction Fuzzy Hash: F7317C353401108FDB14DF39E49CB2ABBE5AF89714F1641A9E50ACB372DA70EC418B92

Function 04E4F858 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618648dd27f648fa32db82fbd016a8acb0d5d6224c0d1c5c753a783c0115bbcc
Instruction ID: 237ba80e172ca1f3081435499651439a6a333865d23651ebce55a85e2996fc45
Opcode Fuzzy Hash: 618648dd27f648fa32db82fbd016a8acb0d5d6224c0d1c5c753a783c0115bbcc
Instruction Fuzzy Hash: E531D9366101049FDB05DF98E988EA9BBB2FF48724B1680A8F5099F372C731ED55DB40

Function 04E413B0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24da0135eccd5a585537a318c83dbd0f0b22e2794e267143a07a97823aef50a
Instruction ID: 95a828bae2782e1709dbe564441685ef23863ce7e6f5db95ec2528eddb915fc7
Opcode Fuzzy Hash: a24da0135eccd5a585537a318c83dbd0f0b22e2794e267143a07a97823aef50a
Instruction Fuzzy Hash: EF316C353402108FDB14DF79E49CB2AB7E6AF89715F1641A9E50ACB372DB74EC408B92

Function 05196128 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdb5f4d848e2cd8c33d28dd741f18022dbf80dcd01b5d5deb3830125243b16b
Instruction ID: 3f3a5c204d71d7a039edec1f74759c7f399fbe268e0f1ea254124d9044608ec7
Opcode Fuzzy Hash: 2bdb5f4d848e2cd8c33d28dd741f18022dbf80dcd01b5d5deb3830125243b16b
Instruction Fuzzy Hash: 6A414875A00219CFDF18DFA5C844ABEBBB1FB88314F11842AE526E7295D734E945CBA0

Function 05194DE3 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963c0f8104f9b37daa3ae4c0babde9fdd417e692011d3abc5f82d33a728dc7e9
Instruction ID: 13009fd8b9d54437362f662d9a132cea8bd2481a51d68def9c18957610305853
Opcode Fuzzy Hash: 963c0f8104f9b37daa3ae4c0babde9fdd417e692011d3abc5f82d33a728dc7e9
Instruction Fuzzy Hash: 41312736B042505FEB049F68D840AAE7BA2FFC9220B14807EF905CB391DFB58C428791

Function 05197410 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e225057183fb90b6f0c04249a58fc1fc8bd14df8c1cb33574e7bda4f6b06260b
Instruction ID: 440be1cddca8fb217b2cd5faec71bdc363a67dc6820f8d1692460013dd51e658
Opcode Fuzzy Hash: e225057183fb90b6f0c04249a58fc1fc8bd14df8c1cb33574e7bda4f6b06260b
Instruction Fuzzy Hash: 3A41F674A112188FEB68DB24C990FA9B7B1FF49710F5041E5EA05AB3D1C731AD81CFA0

Function 0519ECB8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3917d9809d0b0224a8041b68671dc42fa85838593f04c753e2fce9977cb4a0
Instruction ID: 5628890edd86ceaa96f161048f660d250a88508bbedb93f0d18b471c70267e36
Opcode Fuzzy Hash: 5e3917d9809d0b0224a8041b68671dc42fa85838593f04c753e2fce9977cb4a0
Instruction Fuzzy Hash: E2317F35A00304DFDF09DF64D954A99BBB6FF88314B0541A9EA06AB3A1DB71EC52CB90

Function 05193C61 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6132dd23eae8ac5cde502534b7a50ad0c49c777533f65e75614721de48b86d
Instruction ID: aa0690313f9a9c1c428701e790518a1362038c13f8daf7493692bf9538742338
Opcode Fuzzy Hash: 0d6132dd23eae8ac5cde502534b7a50ad0c49c777533f65e75614721de48b86d
Instruction Fuzzy Hash: FF317035A00108CFEF58CF55E4A9BE973F3FBC8314F65886AD0159B294CB745986CB91

Function 05198A98 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858bdaa82955c85bc1cb7838488f3e626fa9d2fccdb73e3f2ad1059df3118c4a
Instruction ID: 674cb13153955d511cbcf1d728c4f878d204007dfb9f213ce37ea7bd8ae46af2
Opcode Fuzzy Hash: 858bdaa82955c85bc1cb7838488f3e626fa9d2fccdb73e3f2ad1059df3118c4a
Instruction Fuzzy Hash: BF316D31600304DFCB299F34D894A2ABBB6FF86351754886DE8028B3A1DF35EC46CB50

Function 04E4F660 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58cd3199fb042e8ed16ef02cb82b7deaa2deb1261a2efa96cb702d56c3f0e43
Instruction ID: 53390a5a6ebaa3131aa073d541a1efd88f4569cfae56f49441d10e0d0acb4f9d
Opcode Fuzzy Hash: b58cd3199fb042e8ed16ef02cb82b7deaa2deb1261a2efa96cb702d56c3f0e43
Instruction Fuzzy Hash: EA2188717043005FEB05EB65D40076E3BE7EFCA70075581AAE506DF3A2DE74AD0687A6

Function 04D00AD7 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3806613775.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d00000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbb571e691bb6d6c94291263c71392113581836b59dc983ff4b16d471f03724
Instruction ID: fb3f43681a238734d7f9b12b24530fca9b251c4eaec85986aae1856e3f1ce38f
Opcode Fuzzy Hash: 4cbb571e691bb6d6c94291263c71392113581836b59dc983ff4b16d471f03724
Instruction Fuzzy Hash: 7D219531A093948FDB134B7498557A9BF71FF47310F0A80EAD895AB2E3D634AC4AC752

Function 051952B1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee2f42472e3acd3be7ac1ceb02e35ecf06f4468a05cda1bd38dc794b3aa359a
Instruction ID: 57fe0fc5e3fb5b5f1ee378176a209b41c5741e29ab4347de73ab1de5cfe0ad61
Opcode Fuzzy Hash: aee2f42472e3acd3be7ac1ceb02e35ecf06f4468a05cda1bd38dc794b3aa359a
Instruction Fuzzy Hash: 2621C276348384AFCB034F25ACA4F9A7FB5EF46610F0640E7F640CF292C6A599058721

Function 05193C70 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afd514fd3d75fbd955cbc11630a2873d18d5fc0428b3892d0c3e79dfa6844e1
Instruction ID: 9309c0e614fa81d6fa5f2a546d3fa8528c3e05b9dfd1f7c06d10770117549e9e
Opcode Fuzzy Hash: 4afd514fd3d75fbd955cbc11630a2873d18d5fc0428b3892d0c3e79dfa6844e1
Instruction Fuzzy Hash: 02317C34A00108CFEF58CB55E469BAA73F3FBC8314F65C86AD016AB694CB749885CB95

Function 05180A8E Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa2d813a00eb13a68c863b0204d5ae249272ae69fa7d6be04dfa0a5401afb5f
Instruction ID: 0b163c73acc90ea27af700c39e996bf338ac5c171d0391e2c0daf371218648d4
Opcode Fuzzy Hash: baa2d813a00eb13a68c863b0204d5ae249272ae69fa7d6be04dfa0a5401afb5f
Instruction Fuzzy Hash: 29218330B102189BDB19AF64C499B7EB7A7BFC8700F14442DE406EB395CF744D0A9B85

Function 05199410 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c997ecd360a8ca608d86dea4d51b0387cb9fdfe1052c18a028415d699998cbf
Instruction ID: 6e924b7d0a0cbc99ed256dc62db8f81903ff79b91cdd0b4341cea09cf01b8b6e
Opcode Fuzzy Hash: 8c997ecd360a8ca608d86dea4d51b0387cb9fdfe1052c18a028415d699998cbf
Instruction Fuzzy Hash: 512181B53042449FDF1ACF6AC940AAA7FE6BF8A300B054099F859CB3A1DB31DC51CB61

Function 0519E740 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7701d7192323a019ef39cd1a26df2f28a6afaabbd5a13cbdbeb60bacace421c
Instruction ID: c9b6167ef419594c0c9288c8b8b82055de4dc63431777647345243cfe0805bd4
Opcode Fuzzy Hash: f7701d7192323a019ef39cd1a26df2f28a6afaabbd5a13cbdbeb60bacace421c
Instruction Fuzzy Hash: 3E210239900605EFCF08EF68C884ABAFBBDFF44300B4186AAD51657242D730B895CBD6

Function 05194CF1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f60ef8c88546ec26abe22ba3a5c3049d73510904558b91c11a27c72caeee2b
Instruction ID: 92488c16c34ba54f855a70b2cb5da9025115ed15f4eba1bfe73da0a426858360
Opcode Fuzzy Hash: 53f60ef8c88546ec26abe22ba3a5c3049d73510904558b91c11a27c72caeee2b
Instruction Fuzzy Hash: 1A213039A00209DFDF199F64C458ADEBBB6FB8C720F144529E911A7390CFB15882CB94

Function 05198970 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb21e6559d82d78dc01dbb3db4bcbdb16351484db52dcf225a24c5ddacd4f821
Instruction ID: de0676e1ab2d40e63ae63c8bcb2f9a594011aaa78f31c26015249d91d340b7f7
Opcode Fuzzy Hash: cb21e6559d82d78dc01dbb3db4bcbdb16351484db52dcf225a24c5ddacd4f821
Instruction Fuzzy Hash: 0A213632A00219EFDF28DAB9C904BAEBBA5BB45340F108066D519D7291E734DA51CB92

Function 05194278 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fc092d4e01bd3e5d86a76247c8230b15a0ea720c01f1caa6bdc03aa08ff04b
Instruction ID: 11f09966929423801ccbc54577f8f273a671a9bffa5708be4dc54b3d826aa2c8
Opcode Fuzzy Hash: 30fc092d4e01bd3e5d86a76247c8230b15a0ea720c01f1caa6bdc03aa08ff04b
Instruction Fuzzy Hash: D721CF71A103019FDB04EB64E8597AE7BAAFBC9310F40C42DD00AEB645DFB459068BA2

Function 05196119 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454c098c6297228542b708f65e35d49bd171c11889764065d172c22fef03bc88
Instruction ID: 57a13af35a1f9260a7b2e0b03728bdce254bce79a34e37b719a568ddba704baa
Opcode Fuzzy Hash: 454c098c6297228542b708f65e35d49bd171c11889764065d172c22fef03bc88
Instruction Fuzzy Hash: 80218C74A00219CFCF18DF65D884AAFBBF1BF88614F118439D916A7356E730E945CBA0

Function 04E4001F Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba0279d76535044df7bc953cf748c3cdb3a4ebc1624a93dd218aebe1b47e37f
Instruction ID: 8eb4725833cb74dc693612119c3732f52fa6e63a5cd7d6c8823ff6f2d733f929
Opcode Fuzzy Hash: 2ba0279d76535044df7bc953cf748c3cdb3a4ebc1624a93dd218aebe1b47e37f
Instruction Fuzzy Hash: 3521F1B0D092449FEB11CF65E9847EEBFB2EF85300F2580AAD10597292DB746D86CF80

Function 0518047D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f76066d4552d084f6a893281d296d84297ed2824e11e0077fdfe3088d7194a9
Instruction ID: eaeb5a4df32e1896d992a67f653e91485bef205cb632d68f90cd9d447eb768a0
Opcode Fuzzy Hash: 2f76066d4552d084f6a893281d296d84297ed2824e11e0077fdfe3088d7194a9
Instruction Fuzzy Hash: C121B235E04309CFCB25AFA4D4088BDBBB2BF4A206B01856DE44667356DB31E9C9CF91

Function 05181BA8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80917c387da76038b2fb92daa8837fa1ab952db3b62fe94a2ef1ea3561b5d555
Instruction ID: cee331aef958bd5440ec9854f0adf761ab9b32f91ed12cf6c6fadd6e7c8b81a6
Opcode Fuzzy Hash: 80917c387da76038b2fb92daa8837fa1ab952db3b62fe94a2ef1ea3561b5d555
Instruction Fuzzy Hash: C6219D77608250AFCB169FA8D844D597FB6EF8A71030A80D6E205DB272C731D811DB62

Function 0519DA50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17637d4140dcdb177e358c345a8574a4822f888cfec6a42569ab41f8be6052f
Instruction ID: c08f0d8609578a9492b0de284e183b62a9916cc6f588dab3dbae0ae63b13e68b
Opcode Fuzzy Hash: a17637d4140dcdb177e358c345a8574a4822f888cfec6a42569ab41f8be6052f
Instruction Fuzzy Hash: 0621E875A00209CFDF08DF68D585ADDB7F2FF49300F1045A4E405AB2A1CB75AD41CBA0

Function 04E4DF5A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20758a669d4dc29f8f3141a06959208e09f11bbcb65fc044a3f06457b70d6c09
Instruction ID: cdbcba94e177894ecdd5b97e485ab9f4dfa69b5fd9511b78aea78009e6344e16
Opcode Fuzzy Hash: 20758a669d4dc29f8f3141a06959208e09f11bbcb65fc044a3f06457b70d6c09
Instruction Fuzzy Hash: 73216D74A00204DFDB18DF79D958AADBBF2BF88304F118169D412A77A0DB71AC46CFA0

Function 0519DA40 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c391311d79dd753bd7c7799bb86a4e169c41674f6afd1711c0dd6826299c38a2
Instruction ID: ba824e5bb6461d63ac51774f9cf0731f624844c723f8e0c6944a60dfe5431812
Opcode Fuzzy Hash: c391311d79dd753bd7c7799bb86a4e169c41674f6afd1711c0dd6826299c38a2
Instruction Fuzzy Hash: 75211C35A10208CFDF09DF64D984ADDB7F2BF49301F5145A8E406AB3A1CB759D41CB60

Function 05194D00 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb7844a199332d8131f0ad2ba8839c37713e6a718796af47e9295f7163135a5
Instruction ID: d949d071e87d0d407a06d3361a1e66338e2e0aa098bae2015dcf18f46d49a149
Opcode Fuzzy Hash: 0bb7844a199332d8131f0ad2ba8839c37713e6a718796af47e9295f7163135a5
Instruction Fuzzy Hash: 61210E39A00209DFDF19DF65C458ADEBBB6FB8C720F148129E815A7390DF719881CB90

Function 05193AE1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f4d9ce8f56012f170a96b13c9ea9c54c2eef5bd93b74264e9f937fba678a0a
Instruction ID: 99c9d114b3b30c4d0a4f3837dc977825045d8a85340dc8aa056a8f291b586ecc
Opcode Fuzzy Hash: 14f4d9ce8f56012f170a96b13c9ea9c54c2eef5bd93b74264e9f937fba678a0a
Instruction Fuzzy Hash: B51181316091049FEB18CF5AD8C5F66BBE3EB85310F26C5AAE41687B69D7709C42CB00

Function 05193A10 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f2cb133fbcad8307a8f1a56d58f54b1fb7553cb2ec50251d794ce3234efcb7
Instruction ID: 41b740f285f3e848f3bfbe6097b9624a7903cec2c67eab731b3c2b8a0b3b108f
Opcode Fuzzy Hash: 87f2cb133fbcad8307a8f1a56d58f54b1fb7553cb2ec50251d794ce3234efcb7
Instruction Fuzzy Hash: EB11E5B57043141FE308DA794C91BAB6BDAFFCA250F24807DE549EB3D2DDA1AC028791

Function 05197311 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7234dac8a3a999e46def738da58993308cf79248e8fa3708d6a155ab1f6e16fc
Instruction ID: e5324bbb79a1423a7786a2f736601eb2f75cfd1ba3b641d0322af134c37cd172
Opcode Fuzzy Hash: 7234dac8a3a999e46def738da58993308cf79248e8fa3708d6a155ab1f6e16fc
Instruction Fuzzy Hash: 7511BF30A18345DFDF1E8B649854DAA7FB6EF83211F0584AAD806CB1D2EB348B40C756

Function 05196D00 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8b5060b6c7f92b4b4d629b1a5cbed783357558181fc92188083cbf0f9e6911
Instruction ID: 8e384d9c25def3b9f22f4ea7e97064bfa838f68fbc261156ad90b04380c494c8
Opcode Fuzzy Hash: ab8b5060b6c7f92b4b4d629b1a5cbed783357558181fc92188083cbf0f9e6911
Instruction Fuzzy Hash: 3E11AF397012118FDF05DF69C854A6EBBF2EF85300B1580AAE941DB361D730ED01CBA0

Function 04E4DF13 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33531d30c4a4922e87e2ad2cbec21fb64a1991f333d3aa138e79a79b9f6a2791
Instruction ID: 8398091643460a9582640a26034408837ad059f6b146f69b79ab5674f39b921d
Opcode Fuzzy Hash: 33531d30c4a4922e87e2ad2cbec21fb64a1991f333d3aa138e79a79b9f6a2791
Instruction Fuzzy Hash: C0215E74A00205CFDB18DF69D958BADBBF1BF88308F209069D412A77A0DB75AC41CF60

Function 05193AF0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1a3b0ef9fa410ea3d2acfd054bf1049da220ea3a135c1066876accbaa37c78
Instruction ID: 824c01d61696a18ad636ad8dd2be8547fa922af7ebf39e7ee8d6c0e59f973721
Opcode Fuzzy Hash: dc1a3b0ef9fa410ea3d2acfd054bf1049da220ea3a135c1066876accbaa37c78
Instruction Fuzzy Hash: 271151317081149FDB18CE4AD8C4F66B7E7FBC5711F22C46AE52A87B69D7709C41CA44

Function 0518A5D0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca98ae9afe417f6e5bc19c0840159bd1b3d80a3f958266d026ff18220990dc
Instruction ID: 37f2f053bbf43312851615e123ac6d974c3d5d5669b97ecc752189b2311e1646
Opcode Fuzzy Hash: 5eca98ae9afe417f6e5bc19c0840159bd1b3d80a3f958266d026ff18220990dc
Instruction Fuzzy Hash: F0118B30A00100CFD764FB65E449B7A37A3FB84320F61C02AC40693299EB759D81CF85

Function 0519D9A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70fad5108a182cdf13f50cee3f87b9b91ca84c84e3a631e03186013012d07a0
Instruction ID: 097b58461489dffd10098f33ae16257556fd1d961c25c3a117f0a7df14608e55
Opcode Fuzzy Hash: c70fad5108a182cdf13f50cee3f87b9b91ca84c84e3a631e03186013012d07a0
Instruction Fuzzy Hash: 7911A935710200CF8F1A6F3AE419A3D37A7FB852A27044829E90ACB390DF35CC22DB91

Function 05195421 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1a81e5e43417204675d26cd68a58d457cccdfb8da8084366b632f4412a562d
Instruction ID: f8ef2efb7173638d6c422b1476e5c4858dcc3d979378988d7f2457730b5a722e
Opcode Fuzzy Hash: fe1a81e5e43417204675d26cd68a58d457cccdfb8da8084366b632f4412a562d
Instruction Fuzzy Hash: E82162B8A42219EFDB04CF98D594EADB7F2BF49301F214158E802AB361DB34AD41CB50

Function 051956B0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1238a220b5fff05dab71b8a68197133f5df6c8cc93b119ed78496b237703f3ad
Instruction ID: e4debb8010a01cf7bebd7eb90205071784505e1b866851bde9d1f941709e1d13
Opcode Fuzzy Hash: 1238a220b5fff05dab71b8a68197133f5df6c8cc93b119ed78496b237703f3ad
Instruction Fuzzy Hash: 3B11A339700204DFCF2ADF799855BAE7BF7AF88650F114429E916EB380DB75C9018BA1

Function 05195380 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7931e8d7ec45c452ebe4b5722481409d5c8b74a393be8dfab8eff150d56335a0
Instruction ID: 872e0b64709b3d18058dc36833f621c30ba1797d811ce22ab0e9de403258d95e
Opcode Fuzzy Hash: 7931e8d7ec45c452ebe4b5722481409d5c8b74a393be8dfab8eff150d56335a0
Instruction Fuzzy Hash: 70110770A02209EBDB18DFA4E944AEEBBF6AF48311F214125E915B7390DB70AD408B90

Function 051886BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c9fc636cd7e15cf855d8c28ff675173d221f487abdd1497135a1e8d1a391f52
Instruction ID: 29facbbb1477e46366df74b6288b09d7b650f59ee7855abe7a84d9a1ab198351
Opcode Fuzzy Hash: 2c9fc636cd7e15cf855d8c28ff675173d221f487abdd1497135a1e8d1a391f52
Instruction Fuzzy Hash: 1B01C431A00604EBDB25AF64C8596EEBBB6EB88304F108429F802A7381CF764D06CF91

Function 0519D993 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c87cf2e33fa977d9ee035f8066d16d3ac1542da7ea50a123170a126c46dffd
Instruction ID: 51e5f7e854c0ff56d7a4aa882faff4d007bda3dfde26664d33394e069ee5198f
Opcode Fuzzy Hash: 46c87cf2e33fa977d9ee035f8066d16d3ac1542da7ea50a123170a126c46dffd
Instruction Fuzzy Hash: 3701CC36714601CFCF1A6F35E019A3D3BA2FB862613094468E80BCB391DF35C812CB51

Function 04E4E3C8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e029529fc318db7d1383719906ec0c23612ad33432113af3b3c41569b22e0d6b
Instruction ID: 541cfa3213fc5f6713f67c0f0d74259475faa5f6071c98c254284e134f191df5
Opcode Fuzzy Hash: e029529fc318db7d1383719906ec0c23612ad33432113af3b3c41569b22e0d6b
Instruction Fuzzy Hash: BD01DF31B19228CFD7219BADB444B6677E8FBC5328B56D4A6E449D7201CB24FC41CBA2

Function 0519E7F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4095ee2b0702833f291072e2fe679944ce0d021ba5d05a3436850d389fa6b505
Instruction ID: 0b7b40ca9b5e64bd0f9cd49519754253cde091091fc3e36bc7e6a7496fbd72cb
Opcode Fuzzy Hash: 4095ee2b0702833f291072e2fe679944ce0d021ba5d05a3436850d389fa6b505
Instruction Fuzzy Hash: ECF02B62B0D2904FDF1A9768AD94289AFA5EB4790034D82FFE846CF353D6148C06C391

Function 051886D0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04203d12b11428453a8475a9a8b7bdeaa2389d2cc1c9140066be5f5265b5ce1
Instruction ID: 915e52e76df84df5ace9a927800d183d1e98ac82032480967659ebfc34cabfa3
Opcode Fuzzy Hash: a04203d12b11428453a8475a9a8b7bdeaa2389d2cc1c9140066be5f5265b5ce1
Instruction Fuzzy Hash: 9001B531A00304EBDB18AF64C9596AEBFB6EB88304F10842DF802A7380CF754D04CF91

Function 0519F401 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742423ade53940357742deacfb0998023a22603372914c5d60f377ed6be72989
Instruction ID: 74cd23b8c0cbbe1f54ded9b11db9659b7d37e45a65b3255617516a55ea064e8e
Opcode Fuzzy Hash: 742423ade53940357742deacfb0998023a22603372914c5d60f377ed6be72989
Instruction Fuzzy Hash: 58F0F63AB10004AFDF199A18D4589AEB766EB84220F048026FA16DB360DB30DE178780

Function 05194720 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f986d6dd4a82e22818a4bd6503357f981cb2f311d5aa34da38583d7d263370
Instruction ID: cb037ac667f9cb78926c5a68da4aaf75d5877dae110b9f5d14a22d8a06cce2a0
Opcode Fuzzy Hash: d0f986d6dd4a82e22818a4bd6503357f981cb2f311d5aa34da38583d7d263370
Instruction Fuzzy Hash: 4FF04C76F083541FEB1D9A15981472AB7B5FBCA210F14406ED5099F390DBE1AC4183C4

Function 0519B508 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff77a448ad8fa40963e2e270f7459e3273d34ad752a9792868b59f00b0f3d117
Instruction ID: 9ec4331c9f6b6eb377a415e8fa6427c7606f481a913890d1fca0592ed77e2282
Opcode Fuzzy Hash: ff77a448ad8fa40963e2e270f7459e3273d34ad752a9792868b59f00b0f3d117
Instruction Fuzzy Hash: 1EF084F634EB406FE72793347800B9ABF466F81B19F05406FE249CB686EA2068028381

Function 04E427DC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d47bfe35e312a56935c047e50ab3af27bd499841f48a358fb892f80ba3bce0
Instruction ID: d36f9f24b88d98b82ed5fb6c0c528857683f62c4730fdb5dd97e075164eb477a
Opcode Fuzzy Hash: 30d47bfe35e312a56935c047e50ab3af27bd499841f48a358fb892f80ba3bce0
Instruction Fuzzy Hash: 59F06836E081249BC7149F6AA808ADFB7E5EFC4351B06C1BBE60AD3250DE345801EB95

Function 0539F4A8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3810413248.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5390000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6597384d38ac901988c59984cf5f2fdc93e91e887c1842ce5f1a25e7304cfbbf
Instruction ID: 9ac3729900acfa748cfdd3fb53a4bfc8b13e0913477983a7355f787385a029d1
Opcode Fuzzy Hash: 6597384d38ac901988c59984cf5f2fdc93e91e887c1842ce5f1a25e7304cfbbf
Instruction Fuzzy Hash: 7D016D35300714DFC7089F24D055A1ABBA2EBCDB257108529E90A8B390CF31EC42CBC1

Function 05194788 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8140d7e1760c1c76887b4e2f9a1394596716cc32ade6e65c0b072871292e056f
Instruction ID: 53c54764bf02a5e25fbb018ff5a289531c552af2cbaec50e2b7bc1759095a697
Opcode Fuzzy Hash: 8140d7e1760c1c76887b4e2f9a1394596716cc32ade6e65c0b072871292e056f
Instruction Fuzzy Hash: 7EF02B66B0D3904FEF2E577458503656BA2ABC7600F09409AC046CF2A1DBD68C038351

Function 04E427E0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee04771dbbca419f0fefc12cacbb2d6695ff34f028e91d9dad89d4282a4efd2
Instruction ID: c09d614d4694a2484037e89482ddf834fc5372a3c51ebb504ebafa146c9683b6
Opcode Fuzzy Hash: aee04771dbbca419f0fefc12cacbb2d6695ff34f028e91d9dad89d4282a4efd2
Instruction Fuzzy Hash: CEF09C36E0812497C7149F6AA80899FB7E9EFC4751F06C077F609D3100DE349C01EB95

Function 04E4E3BA Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd37e60e61849388a62b2427b6556e828e7977bc73aacd80c7715693e2bc291
Instruction ID: a7b032f6168379cee81467a9e36864277e9978c7780c52750dfd6fc8084593e1
Opcode Fuzzy Hash: afd37e60e61849388a62b2427b6556e828e7977bc73aacd80c7715693e2bc291
Instruction Fuzzy Hash: 82F02B31B052148FC7318FACF4446A57BA8FBC4358F0694A6C804C7202CB24FC46C7A1

Function 05397771 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3810413248.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5390000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5b821b2e557e0294fcef82d1809ebda37f1d8d5d5ef004fee01069f077363c
Instruction ID: 0a0a9cf673c071d3cea30cc5b0d5096e72ac0e2f926bbc56a4801f98593311ca
Opcode Fuzzy Hash: 2f5b821b2e557e0294fcef82d1809ebda37f1d8d5d5ef004fee01069f077363c
Instruction Fuzzy Hash: 7001C578A002248FDB68DF58CC94B9EB7B5FB48311F1481EAE909A7365DF349E848F51

Function 04E48F80 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da29710f53ceea4c7384ce9e3527e2248647ba625e3be2991a0ecc18c93ddc0
Instruction ID: f84cbac6ec057ec9768e85bcebd6363294f450f8fdc329ffefebe0de2a51f238
Opcode Fuzzy Hash: 9da29710f53ceea4c7384ce9e3527e2248647ba625e3be2991a0ecc18c93ddc0
Instruction Fuzzy Hash: FFF027243093541FD708577E2C61B6FAE8AABC2754F28C06FE04EC7793CCA18C0643AA

Function 0519E85F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd541e67976c15ae0ac64e5ed180c6e8b6703fa42ffd362486349031ec6a6da
Instruction ID: b9f4befe95189acc593b98f5ffae12772cbe0804b911dc7ccc87930a4a654188
Opcode Fuzzy Hash: 1fd541e67976c15ae0ac64e5ed180c6e8b6703fa42ffd362486349031ec6a6da
Instruction Fuzzy Hash: A7F0EC716043018FD7008A15E8849CBFBA6DEE5714350C537E04A8B221ED705D87C7E0

Function 04E4D9BF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010b504bf81294806383495c2a1a7d1dc8a9b466ef4ac431baf4e74d58b93193
Instruction ID: f0dc29715d9a4cf421376d758174e77cb344a6ee7ac8d14a71a0cd225c815735
Opcode Fuzzy Hash: 010b504bf81294806383495c2a1a7d1dc8a9b466ef4ac431baf4e74d58b93193
Instruction Fuzzy Hash: A5F0E5A650D7C40FD302ABB0BCA14947F358A9311830990E7D149CF293E416AD07835A

Function 04E48F90 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd45775532e876a3db0331f94752b1abdc6e72a492691917f6a4ee70f2c3f64f
Instruction ID: b3d61d9c0c423b29db49f4abc48eeddfb8aa21cc38ab1be2d8538822cf2bedad
Opcode Fuzzy Hash: cd45775532e876a3db0331f94752b1abdc6e72a492691917f6a4ee70f2c3f64f
Instruction Fuzzy Hash: 52E012617002182BE708656A5856B6BA58EEBC5A60F64C02EA50ED7796DCA19C4103E5

Function 051941B5 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ba357ea18fa7cea75f8199f35271165145756719307722d461152228d04f9b
Instruction ID: 5162de2216bda56f693f3e52ad3476b21e5a29596ee1080f438fd4f1ecb6cfe5
Opcode Fuzzy Hash: 74ba357ea18fa7cea75f8199f35271165145756719307722d461152228d04f9b
Instruction Fuzzy Hash: 9EF0A7B19052449FCF40EFA4E89079E7BB4EB86105F5081BEC845D7342EB756E0187D6

Function 04E4A125 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63bb6000611fc67600ff0a1d2528d1c6ef1d5dd720df1b94e8f322cd79c66dfb
Instruction ID: e2f2a9fef0e509a1f087f2e83866f2ad67c409072225af7b64c7ead3a212ee06
Opcode Fuzzy Hash: 63bb6000611fc67600ff0a1d2528d1c6ef1d5dd720df1b94e8f322cd79c66dfb
Instruction Fuzzy Hash: 88F037B1E44110DFEB248F349848B9AB3A0FF41354F0615E4DA46AB292D730B9018B50

Function 05188E8F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee6c4a21a67264ed94dc13f4fcd2f473615b9b1a9b09655e66ba2c41ad8ae66
Instruction ID: 97480c6a73144244905652524c1d8cc29fb460a2b7a852d7510f51cc67983442
Opcode Fuzzy Hash: 8ee6c4a21a67264ed94dc13f4fcd2f473615b9b1a9b09655e66ba2c41ad8ae66
Instruction Fuzzy Hash: 16F054757002459FD710CFA8D884AAAB775FF99714B14806DE10597292CA329906CBA1

Function 04E450B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730727ff9d905fee9f8cdbd4138f4d893f3db6c17fee0f519a18fbe2cebb94c1
Instruction ID: f86fc39a8f99eaa8de1ff2e605effb0d1fa3943f015ad4bd4988c79e837ec094
Opcode Fuzzy Hash: 730727ff9d905fee9f8cdbd4138f4d893f3db6c17fee0f519a18fbe2cebb94c1
Instruction Fuzzy Hash: 91F0B439B002258BE7249F62E8043AE73B1BB84340F05A8798945A33C1DF38AC45DB43

Function 05393ADB Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3810413248.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5390000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bff5cce1276505f0221853e6d0ab42ff62393b8dfa6c9c037108aaffe88eef7
Instruction ID: f04c57ac7a8ccb94aac14190e1b2a71466ec74f88b895c7b7e5d384c083ef9c5
Opcode Fuzzy Hash: 1bff5cce1276505f0221853e6d0ab42ff62393b8dfa6c9c037108aaffe88eef7
Instruction Fuzzy Hash: 9D01A8B4A012298FD754DF58C894BDAB7F5EB88310F10C1E9A509A7366DB349E808F51

Function 05392AF6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3810413248.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5390000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1001b3aedf0180f0c5e5c4f6e5b1a0b58ee768ce76679e69c1d1d395043bf50
Instruction ID: a0dfc8365e1ed6840ce387c2e4773a778477a24d11814ff434676db614608a5d
Opcode Fuzzy Hash: f1001b3aedf0180f0c5e5c4f6e5b1a0b58ee768ce76679e69c1d1d395043bf50
Instruction Fuzzy Hash: F3016674A402188FC759DF58C894A9AB7F5FB88710F10C0AAA949A7365DA349E81CF91

Function 05193112 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5bd0f4c289668088620d36972069bd28f84ce079d2d5e4a730f676234d03161
Instruction ID: 0c32736c348f7cfb070f3dec464cd68ddfd81f0e25857b6fc5eaab4a967414ee
Opcode Fuzzy Hash: b5bd0f4c289668088620d36972069bd28f84ce079d2d5e4a730f676234d03161
Instruction Fuzzy Hash: FCF01C75B006108FDB58FB789468A2D32E7ABCD340B5580ADA40ADB361DE749D018B42

Function 0519E870 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5b4e96ad4ef046e20c6b0945b85d271062342a7e618a00398ca9a15b3b54d1
Instruction ID: 97b2ecf19e2315754b16e43cb13cd3c129d16e1f17c96c457cfcadc2a1007585
Opcode Fuzzy Hash: ab5b4e96ad4ef046e20c6b0945b85d271062342a7e618a00398ca9a15b3b54d1
Instruction Fuzzy Hash: 3AE0D87130030587D7109A16EC84D4BFB9EDFC5624340C639E04B87221DEB0AC85C7E0

Function 04E4E0FA Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac54b5dc3d5d768ab8113a14c63a8da8fc6af7e7b8175fd6dd7aa021534fb26
Instruction ID: e7ae88f6fc9a728f79f385ed63cef58338206447b6e2b8142ac657f3577f9871
Opcode Fuzzy Hash: 5ac54b5dc3d5d768ab8113a14c63a8da8fc6af7e7b8175fd6dd7aa021534fb26
Instruction Fuzzy Hash: A4E0867544A344AFCB01DB749D915DA7B79AA0124071041FBC805D7292E5329A06D700

Function 05198CA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcada880d6f510a312ebeb000e72be6862f0d79f6c3753eccebedda3899dd8a
Instruction ID: 5f049b5a4571427256d1b954c96304a5c5eb4c653cb8f597e0a1046e297b335c
Opcode Fuzzy Hash: 1dcada880d6f510a312ebeb000e72be6862f0d79f6c3753eccebedda3899dd8a
Instruction Fuzzy Hash: 29E08630305304AFDE296A6149007A6329A7F476A4F510C65D625AF2C1DB72EC4183E1

Function 04E42E07 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1d667978db8b44c06fb270da2fb3fa957b29a377a9208e3b240f3e9adff828
Instruction ID: 57dc77a175d9c9e34bb2699e511f438dd40c50a18226db2f7fc16372d8f0e459
Opcode Fuzzy Hash: ea1d667978db8b44c06fb270da2fb3fa957b29a377a9208e3b240f3e9adff828
Instruction Fuzzy Hash: 16E06D31F04024CBDB15AF99E90466EB3B6EFC4345F0190A2EA069B256EB24FC019B51

Function 04E49149 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55309cb0b4737a5fe55ef0bc554dbfb0604429feb389e5ee4339021993dc812a
Instruction ID: 52f35cfc6a44941e04335e4cd756e4d08d45f888a746d228d0ea0bf13a2096e8
Opcode Fuzzy Hash: 55309cb0b4737a5fe55ef0bc554dbfb0604429feb389e5ee4339021993dc812a
Instruction Fuzzy Hash: 06E086751082982FC311C659C821DA67FAC9F4A160B08C09BFE94C7253D569D903D7A0

Function 0519B4D3 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac8352ff7d9ee530c5d0642760052e0af0bd4bc3b9b4f85637b78c30c783895
Instruction ID: 74919ed1247cd553ed90e8346b3dee2205a01ab19fd315882331cab5223c1692
Opcode Fuzzy Hash: 9ac8352ff7d9ee530c5d0642760052e0af0bd4bc3b9b4f85637b78c30c783895
Instruction Fuzzy Hash: E8E0867254D3646FDB2256756C41F563F58AB12B55F0A40AAEB441F292C1A0AC00C395

Function 05194208 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0c5e0034d8b477577289a4268bc4eff85b0fae8ff82e09b44a6311a3fe2920
Instruction ID: bb0fc85fac53a7c8d0d9cb5abb0c469d5ad55286df3d14451cb1bba83c082acf
Opcode Fuzzy Hash: ef0c5e0034d8b477577289a4268bc4eff85b0fae8ff82e09b44a6311a3fe2920
Instruction Fuzzy Hash: 2BE0D8B1E45344DFD701CBB0A99576D7FB1EB85304F1581DED405DB145E9744F018742

Function 04E49C81 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c02a19b01515865c3a6c2e5ee2a46ccb2771deafc67b9adc542061b535b5f7c
Instruction ID: 1af9821986b2ba021be2a1888bb32d0bb9ba41220e30d080079864881b09d55c
Opcode Fuzzy Hash: 8c02a19b01515865c3a6c2e5ee2a46ccb2771deafc67b9adc542061b535b5f7c
Instruction Fuzzy Hash: 36D05E712657051FD344C559C892991B7A5DBC5258718C4B9E808CB243D92BFD079250

Function 0518841F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5bb583ecc04270bf3c34dd1508d770fd916b562c7d1e9d6de64ca581b3b6b4
Instruction ID: 2ef8faa47bf719bcd35b1c567e4d59c17b41f399c78f61a69a291fde6bcbb24d
Opcode Fuzzy Hash: 1d5bb583ecc04270bf3c34dd1508d770fd916b562c7d1e9d6de64ca581b3b6b4
Instruction Fuzzy Hash: A9E0C2B3C05209AFCF019BB0CA821DE7BF1EE8720035009E7C046EB112FA354B179B80

Function 04E48338 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c422ae0edcb3cb70e06f6d3e0f87011d0e0baec1fdc2791d1ebb6668f4ec3001
Instruction ID: 0f0e71abcaaab8dee939ac3c3abc7b52c990e1341e37f4eff24fed83a146ccbc
Opcode Fuzzy Hash: c422ae0edcb3cb70e06f6d3e0f87011d0e0baec1fdc2791d1ebb6668f4ec3001
Instruction Fuzzy Hash: 9DE08CA1C0520CABDB04EAB0C91155E77BD9F86214B5009A29606EB120F8319B109B91

Function 04E4E108 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9926feeb76dfde25effd7be36c8452be770c95370844dd88641abfc2949de5d
Instruction ID: 077e8027b557c99453de85b3d57d579e1bf94df76503e23d9b94a5d2e82535d4
Opcode Fuzzy Hash: c9926feeb76dfde25effd7be36c8452be770c95370844dd88641abfc2949de5d
Instruction Fuzzy Hash: ACD05E72A4520CEFCB10DFB8ED015AAB7ADEB45215B1006FA9D0DD3240FA32EE10D790

Function 04E428C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5db568a6ddb7758f60a87efeaa29055def500db5c2fdce6a8ac29e4515a46d
Instruction ID: e2ce1d8e38a9071454c1a9a6ed45a7d1c26cc22cd82b1b865cf127c046457c86
Opcode Fuzzy Hash: 8b5db568a6ddb7758f60a87efeaa29055def500db5c2fdce6a8ac29e4515a46d
Instruction Fuzzy Hash: 0AD05EB2A041005FE300CA58D8A6895B7B0DBA5530314C059AC59CB392FA25AD038250

Function 05194218 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc6aa4ea66bd54e7c5b11bbdf33fdde32d4e18e663d7b7087e2379da8e87037
Instruction ID: 5dd2b2c1a7e11a8140759dd1a94ca929d3102e0cdacc92926bfc3a92c5945d2b
Opcode Fuzzy Hash: cdc6aa4ea66bd54e7c5b11bbdf33fdde32d4e18e663d7b7087e2379da8e87037
Instruction Fuzzy Hash: E4E0EC70A10208EFDB00DBB5E985B6DB7BAEB89200F508598E80997244EA715F009B92

Function 05191293 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f19d37c5be942c7eb8c5dbade7b2f30f68df288b3b813892e958b3d8b480907
Instruction ID: 4c05d425cc51a9a7a387b45d16d56c75ce1771996e1000c5cc24fcc25d44ab9d
Opcode Fuzzy Hash: 0f19d37c5be942c7eb8c5dbade7b2f30f68df288b3b813892e958b3d8b480907
Instruction Fuzzy Hash: 17E086B4E5460E8BDF18AB74C848B643277BB46320F6983A584675A3D3DB5488818F92

Function 04E4429F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3c9a557a3d19c187dc8b8e1102ac9fc832f3c4aa4c001506221ba679db3cd6
Instruction ID: 6cb47297e675629f9505064903853177d1ed47882c00c62b4122758a13bc45a5
Opcode Fuzzy Hash: da3c9a557a3d19c187dc8b8e1102ac9fc832f3c4aa4c001506221ba679db3cd6
Instruction Fuzzy Hash: D5E04F39B04228CBD710DF55E8547AE73B1FB88305F01A86AD546933C6DB386D45DB43

Function 051941D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6619c281a0c6f01b83faec400e273f457da4e3e33f378a4acfe17613f1fb30d1
Instruction ID: 3f4c6557586e3b05a23d8fea6d7edaa3d38721dfab4d9e0cc8bc4779cb6a7642
Opcode Fuzzy Hash: 6619c281a0c6f01b83faec400e273f457da4e3e33f378a4acfe17613f1fb30d1
Instruction Fuzzy Hash: 8DE01271A01208EFDB00DFE8E54076D77F9EB89204F10C5AC9809D7341DA716F009B92

Function 04E46828 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a402a8dc584ac6d2299575bc4e0b6b5cc765cc3706504d505813531a9ad8338e
Instruction ID: d8c28b029612ea3da50869906115e90d41c9ae40cae7a3f63df55dbc4f1dd4a0
Opcode Fuzzy Hash: a402a8dc584ac6d2299575bc4e0b6b5cc765cc3706504d505813531a9ad8338e
Instruction Fuzzy Hash: 19D05EB57092482FD306CA68D856890BBA1DF95514714C0AED848CB293E932EE0B8351

Function 04E49158 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cb6eb0c2bb6e897218618b6b5390077a8f722db0d7936c049c9ac793e91f32
Instruction ID: bb559cd9e63285f842ffa59cec69cfb130f4eb354ed15726ef19bdad66fad4c8
Opcode Fuzzy Hash: 61cb6eb0c2bb6e897218618b6b5390077a8f722db0d7936c049c9ac793e91f32
Instruction Fuzzy Hash: 63D05E322041686F8300CA89C810CB6BBEC9A8D120708C05BB958C7241C976ED0287A0

Function 05188690 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cc4dfb971227784ffc78c582290c45eaa8fa4b301a594c06449886b9f4bc3b
Instruction ID: 850a2a2f15c8837aaae23f06e93db3fcfcb54b2749a1246993723d3a01f64556
Opcode Fuzzy Hash: 57cc4dfb971227784ffc78c582290c45eaa8fa4b301a594c06449886b9f4bc3b
Instruction Fuzzy Hash: 1DD05E9A64E7C05BE72386202891A963F208B93224B1844DAD8408B153C60D4A9AC765

Function 0519B4E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d80f6896058ebedfa524a88a5997d0bfe5894c4d4cda5b61b97ce64ae34e23
Instruction ID: 16e8347b1749e18735e9dcc9257b18ac349e341f31674dcafe489cf9265880b2
Opcode Fuzzy Hash: e6d80f6896058ebedfa524a88a5997d0bfe5894c4d4cda5b61b97ce64ae34e23
Instruction Fuzzy Hash: 2BD0C733585334A7DA3555556C01F56771CAB15BA1F054055FF042F2848571BC4096D4

Function 05188430 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e498ddc77c47c4e6a59debbc97129acc0b8e60aa3bd9d99aff413044c0505a
Instruction ID: 3382e804d64f2b41984179526778e23fd6a03c23dadad7f0894112291de0e450
Opcode Fuzzy Hash: d6e498ddc77c47c4e6a59debbc97129acc0b8e60aa3bd9d99aff413044c0505a
Instruction Fuzzy Hash: 42D05E71C0120CAB8F04EFB0C50048E77F9AA8520078005A58406AB110EA314B105B91

Function 05181C30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2ad75b9c73e47aa72d9592af8ea65c1756dcda0f6923212e6dd72b6d40fdbb
Instruction ID: d6b92f6cf3c7f697ad41c21047c00445ee0e6cf5e6dd47c5e51646dd0c830d00
Opcode Fuzzy Hash: 6a2ad75b9c73e47aa72d9592af8ea65c1756dcda0f6923212e6dd72b6d40fdbb
Instruction Fuzzy Hash: D0D0A9FB1D8284AFC3619F34AD81EA27B30AB2370070608E3E200CF1B7C3208802CA19

Function 04E48348 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30369c07372dfb8cf3e1a04889a902da429ce3a68a10dc1bfb98da157ebea38f
Instruction ID: 577dc7f57700e2aef75ac8d6712e38227094f2f3b5db1e76a69cf4073dc7ec84
Opcode Fuzzy Hash: 30369c07372dfb8cf3e1a04889a902da429ce3a68a10dc1bfb98da157ebea38f
Instruction Fuzzy Hash: 5ED0A771C0120CAB8F04FFF0C50058EB7FDEF8620074005E59406E7210FD319B105B81

Function 051910A9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f94255a4f2bf4de026b9fc40f34713e03614c46854a56360c7ab3aed138f640
Instruction ID: c54eaf96175a384ea14f7b389e293c04fd1b307b98961e87c3e96afc974ec2e1
Opcode Fuzzy Hash: 2f94255a4f2bf4de026b9fc40f34713e03614c46854a56360c7ab3aed138f640
Instruction Fuzzy Hash: 0ED0A721808240DEFF1A4B958C0C1D477E1BB012A6B0A066DCC8753152E7289A47CA31

Function 051939D1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4583d5eb6ef5ff11a66a3a9e3939595ceb4d2602a38d3ad1808113dd2b2f53
Instruction ID: 37ed90306c9643db00e5b9f1bfb991b922d39a5f00cd673a2e9f00747ff9b92f
Opcode Fuzzy Hash: af4583d5eb6ef5ff11a66a3a9e3939595ceb4d2602a38d3ad1808113dd2b2f53
Instruction Fuzzy Hash: D7C02B7142F7040FC3800B3234AF6C47B24D1130E431480A2C80EC41039C06161F1380

Function 04E437E3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93b2278e9024730f02d5575f7ac7a38ef7999db7d0c05b4630b769278f95319
Instruction ID: eb8ea2fadf5ec54f7c17769226f6d4368277e42ab7c5b86bdec8869b474cf0ba
Opcode Fuzzy Hash: c93b2278e9024730f02d5575f7ac7a38ef7999db7d0c05b4630b769278f95319
Instruction Fuzzy Hash: 8CC012B13402086B9244CA88C891822F3AADBC8A24320C039AA0DC7301EA72FC138690

Function 04E427B0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2df3408042580dc0b03947f7f994082d5043341b879ff17c2eed820093806cb
Instruction ID: d2779a484aba3bd42e37686e6ff5984111cd18bf46ab6306a5fa362aebd353ed
Opcode Fuzzy Hash: e2df3408042580dc0b03947f7f994082d5043341b879ff17c2eed820093806cb
Instruction Fuzzy Hash: EEC012739491000FE705A6A0A886484BB36DA9561831980EED81DCB212EE2BE9078681

Function 04E48790 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01cdfa256bd1bbc5354d1bef7a9ec2c359bd89ec5bbec0ab55f7904bf453999
Instruction ID: 194e1cde5d24aa652075523686e5eac5d46c1bfb44d8b5b3d57f5da7361b3e36
Opcode Fuzzy Hash: e01cdfa256bd1bbc5354d1bef7a9ec2c359bd89ec5bbec0ab55f7904bf453999
Instruction Fuzzy Hash: E5D0127154D2404FD34296A4A8915C0BB30DB46698315C0EFDC5C8F553E6239A17D341

Function 04E4B0D1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820be5b14b53c4e5e2408f73e36a44c3f87d6f6f0f090536ddf2ea731fb63a64
Instruction ID: 7c7b66cc5b639a55f7b0607373a13cd5562ae02c4acb020fe8046bf205ba875c
Opcode Fuzzy Hash: 820be5b14b53c4e5e2408f73e36a44c3f87d6f6f0f090536ddf2ea731fb63a64
Instruction Fuzzy Hash: 2FE0EC71D05124CAFF249B21E804B9E7364FB85294F4299F4CA4AB3140D634FD828F81

Function 04E4D9A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885f68233fad5ce2b17232b448fd52e7cd3397162d2e7dc70c554905b6517d02
Instruction ID: 30f428846da160f7c6d67f7e55a7532f3fb1e316bad1ed9ac25291705f73054b
Opcode Fuzzy Hash: 885f68233fad5ce2b17232b448fd52e7cd3397162d2e7dc70c554905b6517d02
Instruction Fuzzy Hash: 51D022B010C7441FC301A2B0AC21481BB698981108704C0FFD40D8B103C923E8038389

Function 05186900 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1111c3ca058f8614bac19ce1bf3140fdb093d7ba377dc3b003ba5887c5cb60f7
Instruction ID: e873f148f8aa6e0c86c3af8891abbdf8286f855dc7e8b043d6120be8c92e63e9
Opcode Fuzzy Hash: 1111c3ca058f8614bac19ce1bf3140fdb093d7ba377dc3b003ba5887c5cb60f7
Instruction Fuzzy Hash: A8D0C9301096449FC38397B89861418BF659E87134308C6DED86C8B2E7DA369917C692

Function 05189F18 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f3a56448638a80d19a78ba5195ce2916f1568bc49407fa1cb078c9d2e7377d
Instruction ID: f99b6a7dfd024669cce8a56e5f7d290e93140da958dc01852578a8ee5bdb9b99
Opcode Fuzzy Hash: 25f3a56448638a80d19a78ba5195ce2916f1568bc49407fa1cb078c9d2e7377d
Instruction Fuzzy Hash: CCC012F69541446BCA00B6F0959F4E57F40AB6125571949DA845A8B003CB29D123DA10

Function 05186F60 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b878580622a1907a73f241e8b842e14185256e58d2a4e8ac18c27d9019c565ad
Instruction ID: 64519ccfe7729403fd596a9a4ecbcaa83760b197ae26b16c0dfb3401a376c4e0
Opcode Fuzzy Hash: b878580622a1907a73f241e8b842e14185256e58d2a4e8ac18c27d9019c565ad
Instruction Fuzzy Hash: 25C080706185045B8245E6E4E8A0C54BB5EDE50118354C05DA54D87117EF33FD1285C4

Function 05192E68 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae5817a3df5315c0028acdd428f7dd07433fcc5bbec95c639aa754089ef7e68
Instruction ID: a9bdf74e0df357f8c3375256a3334a4eefac077f1b6a5c80e42ce291c50e3906
Opcode Fuzzy Hash: 8ae5817a3df5315c0028acdd428f7dd07433fcc5bbec95c639aa754089ef7e68
Instruction Fuzzy Hash: 4ED01231904615DBEF189B21D81C7997369BF04345F458574D44752150DF645D85CF52

Function 05193991 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456b27671e0230d24b9fa34dce9942fed306119345e35941def40739e15e0a81
Instruction ID: 88a3f1d0c48037a1ebfad6038e4ab7ac3521855f9b6094a185c01df365a0e6b7
Opcode Fuzzy Hash: 456b27671e0230d24b9fa34dce9942fed306119345e35941def40739e15e0a81
Instruction Fuzzy Hash: 04C08CB291FB880BC7021EB178911D47B2299E220A71400FBC92E481239426823B834A

Function 05198940 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bad814c2b2e286d4c835365825d48daadd6f9aaf8df8f9b2f364ab1f2d2b29
Instruction ID: aa2d60146cd44287da3c30749c0cbe4795861eef183cca55617b864f7d2c597a
Opcode Fuzzy Hash: 88bad814c2b2e286d4c835365825d48daadd6f9aaf8df8f9b2f364ab1f2d2b29
Instruction Fuzzy Hash: 25D022B680C3845EC7039320942544B3F30CA4320170280EBC140CB033AE310C00CB62

Function 04E49C90 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction ID: 58c7e918dc9fc6e739d0296992eb27fcb8a7bf4254ad48f247067e0340e6a738
Opcode Fuzzy Hash: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction Fuzzy Hash: A6C012313402095BD304CA88C842A22B3AADBC8614B14C079A808C7746DE36EC028694

Function 05195680 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e510a7e7d0d9006ded3a26831827a498d953f14517cb15eda609935e5c887a20
Instruction ID: ca7432d79e15bfa53e238f48532e156cef24cd882d36bb41ec3e2378b2d156d2
Opcode Fuzzy Hash: e510a7e7d0d9006ded3a26831827a498d953f14517cb15eda609935e5c887a20
Instruction Fuzzy Hash: 94C04CA95593C01EFF470B200A697813F219F53B09F0A45E6E6D9AA1D3C5851845CB67

Function 0539F458 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3810413248.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5390000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 04E45E41 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0f80fa08439757cf94bc1d904d30404f7ce22f7959f1c716c558b8feecb111
Instruction ID: 9e04b6bb78ca8f6c8aecde45d9b61bc3e3fba240d69fcc31596d5e9cc1c7f5ab
Opcode Fuzzy Hash: ec0f80fa08439757cf94bc1d904d30404f7ce22f7959f1c716c558b8feecb111
Instruction Fuzzy Hash: E9C08C7220C2C08FE602C2D4E892A14BB309F81218768C0BFE58DCF352EA27EC03C390

Function 04E437E8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 04E46838 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 05192C61 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061c6b78c5f3f818be10772692b3b20efc7625ff161a24da4d1b5a9a5089116f
Instruction ID: 761058ae3e8e644dd0343906eca810b9cfeae7cdd6a8ef85fb8cbae87f1082b7
Opcode Fuzzy Hash: 061c6b78c5f3f818be10772692b3b20efc7625ff161a24da4d1b5a9a5089116f
Instruction Fuzzy Hash: F5D09234A003148FEF189B30D92DB5976BBFB89301F0440E9991E93351DE381D458F02

Function 04E4157B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d50580a976d6ab8a6f726c38940223735e0597a71cd03702ec0311c430ebfe
Instruction ID: 476902ae52922c721b491ad8effc14425bc45f79e7cfaa5e5602a94dfd7b3f1c
Opcode Fuzzy Hash: 10d50580a976d6ab8a6f726c38940223735e0597a71cd03702ec0311c430ebfe
Instruction Fuzzy Hash: 51C092356091044B9746DA94F8D1998B7A9DB84A28354C0ADE81C8BA02CA33DA038BC0

Function 04E4138B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c00e35afc57875313ee494e81cef70058ac03873699df5c5f438d5ad03ce2f
Instruction ID: 064c337a9d8d76753c619dece5c43029fd835da25a7c8059265dceeda08e2b38
Opcode Fuzzy Hash: 67c00e35afc57875313ee494e81cef70058ac03873699df5c5f438d5ad03ce2f
Instruction Fuzzy Hash: DFB0123114420C5BC740D6CCE891892F39CDB8853C364C1A9EA0C4B322DA63FE13C580

Function 05189F23 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1a7cd8dcb9a18faec6ad7b5a605520a4b0aacbf332f4629fe5a4ac2ab06c42
Instruction ID: f47dcbf6ef0f4294380c5b5bf4a2f6771eb1764873d6cd766984be53b91e4b94
Opcode Fuzzy Hash: 0a1a7cd8dcb9a18faec6ad7b5a605520a4b0aacbf332f4629fe5a4ac2ab06c42
Instruction Fuzzy Hash: FEC02BF70010445BC340CAA0EAD34D2BF01EB60360749449ED44A0F003C726832BEB02

Function 05186910 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05188530 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0518852C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a0d6d2f97a646a5b6f8a50e2a6723090a1d57de7c7da7757b106e235840e79
Instruction ID: 60d58c608dc1bf67252553c288f50be987ad02a62105f1aa38afe9a1ae113cac
Opcode Fuzzy Hash: e9a0d6d2f97a646a5b6f8a50e2a6723090a1d57de7c7da7757b106e235840e79
Instruction Fuzzy Hash: 17B09230A480045B8244D6D8E441914B3659B84628358C4ADA80DCB202DB73DD0386C0

Function 05181C40 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction ID: 2ad57114494cc740969b95bee8f444b209d5990da35e5c480c7824bf6c3857fe
Opcode Fuzzy Hash: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction Fuzzy Hash: B7C09276140208EFC700DF69E844C45BBB8FF1976071180A1FA088B332C732E820DA94

Function 05186F70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05189790 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 04E45E50 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 04E427C0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 04E487A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05189C51 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a59cd3075cfa095ebd7dee9175ea28bb92354134834cb39d19dbda94601af58
Instruction ID: 05ad78c5a76788e0d6b2caa98d8081a2dd8baef43ff9fd59d51243a56a43183e
Opcode Fuzzy Hash: 7a59cd3075cfa095ebd7dee9175ea28bb92354134834cb39d19dbda94601af58
Instruction Fuzzy Hash: 4AB012302080044F8244D6D4E441814B355DBC4218314C0ADE80CCB202CB33DC0385C0

Function 04E4E0B4 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3807982756.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0975440b71d2972ae2b4c22c278a36e97646582ff13823afd27cae5a5bae913e
Instruction ID: 43193d58c792e5d1b388fdccb85984eee8dcb17f4c9cfed27c489ffc4ac89ec5
Opcode Fuzzy Hash: 0975440b71d2972ae2b4c22c278a36e97646582ff13823afd27cae5a5bae913e
Instruction Fuzzy Hash: F8B0923BA0002986CA00D688E4404DCBB31DA98232F408033C200620008621157A8A60

Function 05188AE6 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809586295.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5180000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0253d29c5b3d38886c79932c3bbefe7a3308ce59e5b312c3b69203876629f9dc
Instruction ID: e3792ae4c24523b0461560050c4a67d8257194d5107971ab69802e02a953a818
Opcode Fuzzy Hash: 0253d29c5b3d38886c79932c3bbefe7a3308ce59e5b312c3b69203876629f9dc
Instruction Fuzzy Hash: EEB01274100000ABC601CF04CD44C05FBA1EFE5305B18C46EB84897315DB33DC13EA10

Function 051939A0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed44aecb405a7745a621663e02df84954dbf47740a7551d6cc00075eb9a20ae
Instruction ID: 0211bc2cc40ebc3e4ddc0c555dd3853ec5b908a756772a4239254573067e955c
Opcode Fuzzy Hash: 0ed44aecb405a7745a621663e02df84954dbf47740a7551d6cc00075eb9a20ae
Instruction Fuzzy Hash: C4A0223000AB0C82CA0832B0B800020B38C28C020A3C000BA822E08B200833E0B0888E

Function 051939E0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3809827498.0000000005190000.00000040.00000800.00020000.00000000.sdmp, Offset: 05190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5190000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79120e8edd241c7c070638671b39e2c95166af69227e5b00f019a8cc9ddc85e5
Instruction ID: 541973be635c200469c3d377e456a05afaca387ba92eb0aef9f16f191444c702
Opcode Fuzzy Hash: 79120e8edd241c7c070638671b39e2c95166af69227e5b00f019a8cc9ddc85e5
Instruction Fuzzy Hash: 2790023104570C8B46402799741D959775DE5495197844051A50E816056E59A85445A5

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1In8uYbvZJ.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_llzm00un.et1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oeatxu1r.okc.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\135TWFQFA2I0NQGSNY3W.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: powershell.exePID: 7788, Parent PID: 3968

Windows Analysis Report
1In8uYbvZJ.ps1

Function 05187080 Relevance: 1.6, Strings: 1, Instructions: 378
COMMON

Function 05187163 Relevance: 1.6, Strings: 1, Instructions: 317
COMMON

Function 05185763 Relevance: .5, Instructions: 455
COMMON

Function 04E4098D Relevance: .4, Instructions: 382
COMMON

Function 04E40040 Relevance: 1.8, Strings: 1, Instructions: 599
COMMON

Function 025ED6B0 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Function 025ED860 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Function 0518A1E9 Relevance: .6, Instructions: 550
COMMON

Function 0519A0AF Relevance: .5, Instructions: 544
COMMON

Function 051994E8 Relevance: .5, Instructions: 516
COMMON

Function 0519DB80 Relevance: .5, Instructions: 483
COMMON

Function 05180CD0 Relevance: .4, Instructions: 437
COMMON

Function 04D022D0 Relevance: .4, Instructions: 408
COMMON