Edit tour

Windows Analysis Report
2.ps1

Overview

General Information

Sample name:	2.ps1
Analysis ID:	1591074
MD5:	2ef938214c0a5776ac2eac300f845c0c
SHA1:	38fccab71265586b09ca4a2d807ec77107e2f4c2
SHA256:	9a42d4f5f028c4f7da66edef20c02bb4c36a1970b1084924bf462057a6aef118
Tags:	92-255-57-155bookingps1SPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 1456 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 3652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.4152554723.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3652	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2.ps1", ProcessId: 6640, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2.ps1", ProcessId: 6640, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:13:47.590436+0100	2035595	1	Domain Observed Used for C2 Detected	92.255.57.155	56001	192.168.2.4	49730	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 2.ps1

Virustotal: Detection: 8%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source:

Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1751168032.000001FC3843D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1785731709.000001FC4F6F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1751168032.000001FC37497000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 92.255.57.155:56001 -> 192.168.2.4:49730

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 92.255.57.155:56001

Source: Joe Sandbox View	IP Address: 92.255.57.155 92.255.57.155
Source: Joe Sandbox View	IP Address: 92.255.57.155 92.255.57.155

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.155

Source: RegSvcs.exe, 00000003.00000002.4149962884.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegSvcs.exe, 00000003.00000002.4149962884.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000000.00000002.1769442631.000001FC47512000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1751168032.000001FC37497000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1751168032.000001FC37271000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1751168032.000001FC38B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.1751168032.000001FC37497000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1751168032.000001FC37271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: powershell.exe, 00000000.00000002.1751168032.000001FC37497000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1751168032.000001FC3843D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1769442631.000001FC47512000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1751168032.000001FC38B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1751168032.000001FC38B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7EA599	0_2_00007FFD9B7EA599
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B0FA4	0_2_00007FFD9B8B0FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027448A0	3_2_027448A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02741C30	3_2_02741C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02741C1F	3_2_02741C1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06120548	3_2_06120548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061253C3	3_2_061253C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061230A0	3_2_061230A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06124E53	3_2_06124E53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06124E5C	3_2_06124E5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06124F48	3_2_06124F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0612549B	3_2_0612549B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061253CC	3_2_061253CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06123090	3_2_06123090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061229D2	3_2_061229D2

Source: classification engine

Classification label: mal92.spyw.evad.winPS1@6/7@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\ba5217eadeaf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22j4btpq.egd.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 2.ps1

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7EB3EA push ebx; ret	0_2_00007FFD9B7EB3EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7ED86C pushad ; retf	0_2_00007FFD9B7ED883
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7E00AD pushad ; iretd	0_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B7EE6B9 push ebx; retf	0_2_00007FFD9B7EE6BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B0548 pushad ; ret	0_2_00007FFD9B8B0549

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4508	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5364	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3086	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6711	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7132

Thread sleep time: -10145709240540247s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4149962884.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4170292429.00000000052B4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4170672036.000000000531D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 45C000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 45E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 82B008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"			Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002F85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTesqDW
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTesq,
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152554723.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152554723.0000000002F36000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTesq$
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152554723.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152554723.0000000002F36000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTesq
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTesqdB
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002E46000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152554723.0000000002BD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152554723.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager*
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTesq<
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTesq\
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{sq
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTesqt

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4170292429.00000000052C7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $sq3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $sq0C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3
Source: RegSvcs.exe, 00000003.00000002.4152554723.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: powershell.exe, 00000000.00000002.1790196583.00007FFD9B9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Source: Yara match	File source: 00000003.00000002.4152554723.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3652, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	431 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	331 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	212 Process Injection	Security Account Manager	331 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2.ps1	8%	Virustotal		Browse
2.ps1	3%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1769442631.000001FC47512000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.1751168032.000001FC38B45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1751168032.000001FC37497000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll	RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1751168032.000001FC37497000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354rCannot	RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000000.00000002.1751168032.000001FC3843D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe	RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe	RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1769442631.000001FC47512000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1751168032.000001FC38DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.orgX	powershell.exe, 00000000.00000002.1751168032.000001FC38B45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1751168032.000001FC37271000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1751168032.000001FC37271000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1751168032.000001FC37497000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.org	powershell.exe, 00000000.00000002.1751168032.000001FC38B45000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.255.57.155	unknown	Russian Federation		42253	TELSPRU	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591074
Start date and time:	2025-01-14 17:12:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2.ps1
Detection:	MAL
Classification:	mal92.spyw.evad.winPS1@6/7@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 83% Number of executed functions: 100 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 3652 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:13:37	API Interceptor	28x Sleep call for process: powershell.exe modified
11:13:47	API Interceptor	8735232x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
92.255.57.155	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155/1/1.png
	anyrunsample.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155/1/1.png
	https://reviewgustereports.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	92.255.57.155/1/1.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Payment Receipt.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.214.172
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	email.eml	Get hash	malicious	unknown	Browse	199.232.214.172
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	final shipping documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.214.172
	0dsIoO7xjt.docx	Get hash	malicious	Unknown	Browse	199.232.210.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	Mbda Us.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	T710XblGiM.docm	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	92.255.57_1.112.ps1	Get hash	malicious	XWorm	Browse	92.255.57.112
	book_lumm2.dat.exe	Get hash	malicious	XWorm	Browse	92.255.57.112
	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57.155.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	png2obj1_XClient.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	Dm35sdidf3.exe	Get hash	malicious	XWorm	Browse	92.255.57.155
	QP2uO3eN2p.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	WErY5oc4hl.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	NLXwvLjXPh.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.253995428229512
Encrypted:	false
SSDEEP:	6:kKSn9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:7DImsLNkPlE99SNxAhUe/3
MD5:	E47365A60D6A0E44ECFA6D05E437AD73
SHA1:	B17CDA63B7C01CD99651B02762996E2F4CE16B17
SHA-256:	B583BE8A84FBC9B424C09DA8DBC4F7DC3B419302CE3B364599C512F6B852191C
SHA-512:	89052D30B843304E362DDAD6629639CB2D4E7E9F104F94F45AA670DEDBA2B9D8D720DEF44034445C9EB133873DA3BFEC3777F17F67A80687273D26C0C31C591E
Malicious:	false
Reputation:	low
Preview:	p...... ........k..J.f..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllultnxj:NllU
MD5:	F93358E626551B46E6ED5A0A9D29BD51
SHA1:	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
SHA-256:	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
SHA-512:	D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22j4btpq.egd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3csosueh.3jl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1JJHCI8TJXK54HJ92K6H.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.723083155478798
Encrypted:	false
SSDEEP:	96:SLX+33CxHCCkvhkvCCt8oVCjVVHedVCjVVHeC:SLX+yie8o8Kd8KC
MD5:	5A7F5483BE87145ACB1EEDECB73AFE44
SHA1:	CC9FF989A294AE17086CE9CC19420E2E269759B5
SHA-256:	95D7852899159506762990C7A71812AB4C31651335112C72EDB5F9E517245706
SHA-512:	DD262B88B78B5DE092C644D6743A294434C2961DE003B8FEEC2C062647854F76609A654286EA60E15FEF11401F990E84825A78E553C5A6F530D0756E46D83A29
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v..... .B.f..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....R_u=.f.....B.f......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Z.............................%..A.p.p.D.a.t.a...B.V.1......Z....Roaming.@......CW.^.Z............................X.E.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Z............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..........................P?..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Z......Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.723083155478798
Encrypted:	false
SSDEEP:	96:SLX+33CxHCCkvhkvCCt8oVCjVVHedVCjVVHeC:SLX+yie8o8Kd8KC
MD5:	5A7F5483BE87145ACB1EEDECB73AFE44
SHA1:	CC9FF989A294AE17086CE9CC19420E2E269759B5
SHA-256:	95D7852899159506762990C7A71812AB4C31651335112C72EDB5F9E517245706
SHA-512:	DD262B88B78B5DE092C644D6743A294434C2961DE003B8FEEC2C062647854F76609A654286EA60E15FEF11401F990E84825A78E553C5A6F530D0756E46D83A29
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v..... .B.f..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....R_u=.f.....B.f......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Z.............................%..A.p.p.D.a.t.a...B.V.1......Z....Roaming.@......CW.^.Z............................X.E.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Z............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..........................P?..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Z......Q...........

Static File Info

General

File type:	ASCII text, with very long lines (65478), with CRLF line terminators
Entropy (8bit):	5.843638776803719
TrID:
File name:	2.ps1
File size:	599'249 bytes
MD5:	2ef938214c0a5776ac2eac300f845c0c
SHA1:	38fccab71265586b09ca4a2d807ec77107e2f4c2
SHA256:	9a42d4f5f028c4f7da66edef20c02bb4c36a1970b1084924bf462057a6aef118
SHA512:	64621150df7e17b331c3433b7c02bfdee621250dbcbbbc48d0575391bd1e61c6d27a1654a2ba53e34d04aecd1ecbaefa3a813162dcdd653793c1a35bb2911651
SSDEEP:	12288:7l1fO0K+jtAyrMKKwLeyKroJFuIIqsRHx9tz3UnuoqbnE:Z8AtNr+wQrWnsRRPgDqbnE
TLSH:	58D4E1721303BDCA5BBF1E49E4802A901D9D59B7AB148494BDC907E962EF910DFBCDB0
File Content Preview:	.. $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALlEXGcAAAAAAA

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T17:13:47.590436+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	92.255.57.155	56001	192.168.2.4	49730	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:13:46.862663984 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:13:46.867455959 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:13:46.867569923 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:13:46.869321108 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:13:46.874135971 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:13:46.883905888 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:13:46.888761044 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:13:47.577964067 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:13:47.578099012 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:13:47.578195095 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:13:47.583599091 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:13:47.590435982 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:13:47.803742886 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:13:47.845918894 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:13:49.597475052 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:13:49.603311062 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:13:49.603379965 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:13:49.608748913 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:16.122694969 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:16.127599001 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:16.128004074 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:16.132878065 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:16.504827023 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:16.549046993 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:16.696881056 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:16.703248024 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:16.708230972 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:16.708295107 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:16.713156939 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:18.577164888 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:18.627147913 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:18.744447947 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:18.799051046 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:43.127705097 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:43.132477999 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:43.132519960 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:43.137412071 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:43.534826994 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:43.580298901 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:43.681735039 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:43.683670998 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:43.688429117 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:43.688488007 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:43.693295002 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:49.611414909 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:49.658440113 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:14:49.775530100 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:14:49.830298901 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:10.143410921 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:10.148222923 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:10.148286104 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:10.153076887 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:10.541091919 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:10.580410004 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:10.713860989 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:10.715909004 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:10.721596956 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:10.721647024 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:10.727170944 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:31.112050056 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:31.117052078 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:31.117152929 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:31.121929884 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:31.497056961 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:31.661757946 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:31.667335987 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:31.678112984 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:31.682897091 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:31.682943106 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:31.687743902 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:33.987091064 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:33.992749929 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:33.992799044 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:33.998260021 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.252907038 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.259749889 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.259803057 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.265777111 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.315097094 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.319921017 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.320219040 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.325022936 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.376759052 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.486629963 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.508451939 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.513180017 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.518232107 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.519273996 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.524154902 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.627671003 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.637335062 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.642115116 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.642230988 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.647063971 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.749299049 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.751957893 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.757719040 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:34.759443998 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:34.764256954 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:37.284600973 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:37.324481964 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:37.324584961 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:37.329391956 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:37.711898088 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:37.841944933 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:37.885998011 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:37.889033079 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:37.893965006 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:15:37.894016027 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:15:37.898853064 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:04.299886942 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:04.304774046 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:04.304867029 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:04.309787035 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:04.687388897 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:04.736953974 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:04.854970932 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:04.858222008 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:04.863066912 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:04.863338947 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:04.869323015 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:15.924629927 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:15.929470062 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:15.929560900 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:15.934382915 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:16.316189051 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:16.480613947 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:16.482323885 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:16.485917091 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:16.491329908 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:16.491399050 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:16.496150970 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:25.174613953 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:25.179542065 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:25.179630041 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:25.184396029 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:25.568942070 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:25.611696005 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:25.731081009 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:25.733475924 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:25.738276005 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:25.738377094 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:25.743273020 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:32.143496990 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:32.148252964 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:32.148426056 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:32.153202057 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:32.543914080 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:32.596290112 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:32.699320078 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:32.733460903 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:32.738419056 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:32.738580942 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:32.743307114 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:46.783973932 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:46.788825035 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:46.789241076 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:46.794101000 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:47.165436029 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:47.340243101 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:47.341763020 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:47.397088051 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:47.401901007 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:47.402142048 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:47.406924009 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:53.596548080 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:53.602106094 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:53.602204084 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:53.607584953 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:53.978617907 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:54.153057098 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:54.153209925 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:54.155464888 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:54.160387039 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:54.160464048 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:54.165304899 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:57.707253933 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:57.712191105 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:57.716645002 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:57.721518993 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:58.090269089 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:58.190068007 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:58.262355089 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:58.278804064 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:58.283734083 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:16:58.287333012 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:16:58.292253971 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:11.940243006 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:11.945074081 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:11.947794914 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:11.952584982 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:12.332926989 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:12.488868952 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:12.496937990 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:12.502268076 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:12.507136106 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:12.509881020 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:12.514724016 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:24.411298037 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:24.416400909 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:24.416804075 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:24.421869993 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:24.793078899 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:24.933659077 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:24.965892076 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:24.968704939 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:24.973602057 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:24.973653078 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:24.978502035 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:26.284739017 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:26.289643049 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:26.297859907 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:26.302644968 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:26.659149885 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:26.664058924 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:26.664216042 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:26.669142962 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:26.672708035 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:26.752398014 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:26.840936899 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:26.843497992 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:26.891719103 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:26.891779900 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:26.896714926 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:26.963198900 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:27.032453060 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:27.094254017 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:27.096782923 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:27.101679087 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:27.101723909 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:27.106585979 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:31.680769920 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:31.685681105 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:31.688265085 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:31.693130016 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:32.067687035 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:32.158767939 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:32.231712103 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:32.237354994 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:32.242240906 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:32.243350983 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:32.248166084 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:35.221690893 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:35.226557970 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:35.226623058 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:35.231394053 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:35.601214886 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:35.658664942 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:35.763020992 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:35.769088984 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:35.773865938 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:35.774053097 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:35.778769016 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:44.195456028 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:44.200357914 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:44.200403929 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:44.205190897 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:44.586334944 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:44.643229008 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:44.763356924 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:44.766946077 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:44.771723032 CET	56001	49730	92.255.57.155	192.168.2.4
Jan 14, 2025 17:17:44.772125959 CET	49730	56001	192.168.2.4	92.255.57.155
Jan 14, 2025 17:17:44.777095079 CET	56001	49730	92.255.57.155	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 17:13:47.967679024 CET	1.1.1.1	192.168.2.4	0xc049	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:13:47.967679024 CET	1.1.1.1	192.168.2.4	0xc049	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:13:34
Start date:	14/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\2.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:13:34
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:13:39
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x1f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:13:39
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x640000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4152554723.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4152554723.000000000296F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8B0FA4 Relevance: 2.0, Instructions: 1956COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787555970.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cbfe8f600d46d70316bc886cbd0df084f8f213f5cf832ed1c0d46750bda6c02
Instruction ID: 4c89c54c342c5a9b0a9b17fbf8f3beded3db94c32fde58428027f6018a97b49f
Opcode Fuzzy Hash: 6cbfe8f600d46d70316bc886cbd0df084f8f213f5cf832ed1c0d46750bda6c02
Instruction Fuzzy Hash: 94C23C21B1EB990FE76AA77858655B47BD1EF4A210B0A01FFD04DCB1E3DE18AD06C781

Function 00007FFD9B7ED310 Relevance: 1.6, APIs: 1, Instructions: 118
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FFD9B7EFCC7

Memory Dump Source

Source File: 00000000.00000002.1786614018.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ea693624560f114285fd4ffdfbe5fab72184496075673bd4c43e16a7e9203068
Instruction ID: c5fbbde4f983f0e4826655a5378abc9853d44d44cc7a9ea71d947f1dec37d217
Opcode Fuzzy Hash: ea693624560f114285fd4ffdfbe5fab72184496075673bd4c43e16a7e9203068
Instruction Fuzzy Hash: 1C31E630A0D74C4FDB59DFA8845A6ED7BE0EF96321F0441AFD04AC71B2DA795806CB51

Function 00007FFD9B8B1390 Relevance: .2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1787555970.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8e1f56574800cec51e3bb15a9da64723e8293795449fc613ff940c03b3ecdb
Instruction ID: c6c2d20f3e706f18944b41123a77c236a10065975fbd850d4a543acb15dba21b
Opcode Fuzzy Hash: 5f8e1f56574800cec51e3bb15a9da64723e8293795449fc613ff940c03b3ecdb
Instruction Fuzzy Hash: 9D512921B1EA9E4FE7A9EBB844B597477E1EF59310B0901FAD40DCB1A3DE18ED058780

Non-executed Functions

Function 00007FFD9B7EA599 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

0<PG, xrefs: 00007FFD9B7EACDC

Memory Dump Source

Source File: 00000000.00000002.1786614018.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd

Similarity

API ID:
String ID: 0<PG
API String ID: 0-2921181742
Opcode ID: c4870419cd89c1690a741ccf0b6d6372be7da07f10b592cf7cc19610bfd217fb
Instruction ID: 65dfe1024cd804642776ba675f677f38003f40de3488307b7c503bea55ca34d5
Opcode Fuzzy Hash: c4870419cd89c1690a741ccf0b6d6372be7da07f10b592cf7cc19610bfd217fb
Instruction Fuzzy Hash: 1731E87160E3894FD3199AB4886A475BFD5EF9322070642FFD087C71B3DE2959438751

Analysis Process: RegSvcs.exePID: 3652, Parent PID: 6640COMMON

Executed Functions

Function 06123090 Relevance: 6.5, Strings: 4, Instructions: 1497COMMON

Download Yara Rule

Strings

h>{, xrefs: 0612341D
4'sq, xrefs: 061249C9
fxq, xrefs: 06123F2C
fxq, xrefs: 06123128

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: fxq$ fxq$4'sq$h>{
API String ID: 0-1111427828
Opcode ID: 4a36baf7a1c3c6c75e43ed297deccf5111d959da2fc46ba1f741dbe887345d6f
Instruction ID: 27bc76493cd4f854d4b7d108e84c1a0717a511597617bba6623774c67f2304a4
Opcode Fuzzy Hash: 4a36baf7a1c3c6c75e43ed297deccf5111d959da2fc46ba1f741dbe887345d6f
Instruction Fuzzy Hash: 92E2FB78754115CFC748EB28E5A4B6A73E2FB88314F1191A9D80B9F399DF30AD52CB84

Function 061230A0 Relevance: 6.5, Strings: 4, Instructions: 1495COMMON

Download Yara Rule

Strings

h>{, xrefs: 0612341D
4'sq, xrefs: 061249C9
fxq, xrefs: 06123F2C
fxq, xrefs: 06123128

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: fxq$ fxq$4'sq$h>{
API String ID: 0-1111427828
Opcode ID: 30d2011a434f1cff84bdc8e04e377641b264763998a9f0fbdcb93cee780f6f74
Instruction ID: b579b6e6df28b86ccd4d0e0fd8aed9585d4abf463985d706aaf6e1a52d7d86e0
Opcode Fuzzy Hash: 30d2011a434f1cff84bdc8e04e377641b264763998a9f0fbdcb93cee780f6f74
Instruction Fuzzy Hash: CEE2FB78754115CFC748EB28E5A4B6A73E2FB88314F1191A9D80B9F399DF30AD52CB84

Function 061253C3 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19e272a067da690bd254811d63a2d3d05eb4dd6e659ce120b4127a2e4a20fbc
Instruction ID: d2f5404e412fd5a0a5473325e0ef3a27e28c8e0ea61e436a90f1b2c58bc4fcfd
Opcode Fuzzy Hash: a19e272a067da690bd254811d63a2d3d05eb4dd6e659ce120b4127a2e4a20fbc
Instruction Fuzzy Hash: 3FD13E34B141168FD758EF28E598A6A77F2FBC8300F1181A9D80B9B359DF349E52CB90

Function 061253CC Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bca13663f82aeca4d2115b784a4ee1e6115bb8ce80ee0f7c284df28d5c0415
Instruction ID: 7e4203939587f67d02252e92dd4454183d64d1c802765a98370b27f819f97476
Opcode Fuzzy Hash: d0bca13663f82aeca4d2115b784a4ee1e6115bb8ce80ee0f7c284df28d5c0415
Instruction Fuzzy Hash: 42D12F34B141168FD758EF28E598A6A73F2FBC8300F1181A9D80B9B359DF349E52CB91

Function 06120548 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b314c5b29007fbaf800bf6a931bc0f054402b16323ae3a20ab545482ebd144
Instruction ID: bd252cda2d3e1599ca0d9066defed2a4c13a07d26e9f7ee9ca59d5e167e28a19
Opcode Fuzzy Hash: 12b314c5b29007fbaf800bf6a931bc0f054402b16323ae3a20ab545482ebd144
Instruction Fuzzy Hash: 1AB17070E0021ACFDF54CFA9C9857AEBBF2BF88315F148629D414EB254EB749895CB81

Function 0612549B Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7ae86361a0c109df1b19fe876c3905fa3511fe8a02c9d895f213e0f9cc9584
Instruction ID: f52967a4bc7cb1e81d9bcd85ff5e5f619f8f7bdae59feeb6d07db07d4b48a82c
Opcode Fuzzy Hash: fe7ae86361a0c109df1b19fe876c3905fa3511fe8a02c9d895f213e0f9cc9584
Instruction Fuzzy Hash: E2B12F34B541168FD758EF28E598A6A73F2FBC8300F1181A9D90B9B359DF349E52CB80

Function 06126450 Relevance: 5.5, Strings: 4, Instructions: 488COMMON

Download Yara Rule

Strings

wq, xrefs: 06126A00
Hyq, xrefs: 06126614
PHsq, xrefs: 06126904
PHsq, xrefs: 061268F2

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hyq$PHsq$PHsq$wq
API String ID: 0-2534935409
Opcode ID: dc8b116e703afb180b2a73d1cd787d7422efcd0319987459b1c050fb7deed4e9
Instruction ID: 62476f76f28177d6798fea46d56f3d17ef69e0553e8bd5ee97ca84a7977a9046
Opcode Fuzzy Hash: dc8b116e703afb180b2a73d1cd787d7422efcd0319987459b1c050fb7deed4e9
Instruction Fuzzy Hash: 95125070A00616CFCB69DF78C490A9EB7B2EF85310F258A6DD4169B791DF34E942CB90

Function 027418F1 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

Tesq, xrefs: 02741A00
Tesq, xrefs: 02741A55
Tesq, xrefs: 02741A3F
Tesq, xrefs: 0274196A

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID: Tesq$Tesq$Tesq$Tesq
API String ID: 0-2589908958
Opcode ID: 8c043c1cc2b61a34bbb14efd116f1a6bb084204d3dd5c5b4364088a7f0bbcef5
Instruction ID: b480e3e1767729bca769cba33e8450b36715a78dd77f9c20425cba782195077e
Opcode Fuzzy Hash: 8c043c1cc2b61a34bbb14efd116f1a6bb084204d3dd5c5b4364088a7f0bbcef5
Instruction Fuzzy Hash: 0C514F74B101448FCB48EF79C598AADBBF2BF88300F658469E506AB365CF709D46CB50

Function 02741900 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

Tesq, xrefs: 02741A00
Tesq, xrefs: 02741A55
Tesq, xrefs: 02741A3F
Tesq, xrefs: 0274196A

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID: Tesq$Tesq$Tesq$Tesq
API String ID: 0-2589908958
Opcode ID: 32f458a87486cf0fb429f48366a154c3994ec10f3362ff0f7b904a0b220a9a54
Instruction ID: cb8914f23947ef0d5e1cc51260ff1e63218c06cc44ae0e0ec055dc3c69cddbea
Opcode Fuzzy Hash: 32f458a87486cf0fb429f48366a154c3994ec10f3362ff0f7b904a0b220a9a54
Instruction Fuzzy Hash: F8514D74B101448FCB48EF79C498AADBBF2BF88300F658469E50AAB3A5CF709D41CB50

Function 06126D95 Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

|>zq, xrefs: 06126F99
4'sq, xrefs: 06126FC9
|>zq, xrefs: 06126FB1

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'sq$|>zq$|>zq
API String ID: 0-1077619835
Opcode ID: 7982a322085a13c1986a261cf190f3a9b64b0ee7e8bf258db88612d0fe99f142
Instruction ID: eeda760193f0f87efd751d3fdfff181022c811081a8d95aef73053c42c3b4eb8
Opcode Fuzzy Hash: 7982a322085a13c1986a261cf190f3a9b64b0ee7e8bf258db88612d0fe99f142
Instruction Fuzzy Hash: 1531A7742042544FC715DB2DD490A5ABBE2EF85310B19CA6EE085CF2D2CF31D90A97A1

Function 06126DED Relevance: 4.0, Strings: 3, Instructions: 266COMMON

Download Yara Rule

Strings

|>zq, xrefs: 06126F99
4'sq, xrefs: 06126FC9
|>zq, xrefs: 06126FB1

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'sq$|>zq$|>zq
API String ID: 0-1077619835
Opcode ID: 79314024d7d11fd14cc57ae62eab9bf723dd4b6bd0850f8e9e0bb5dcc8b22c9b
Instruction ID: 980be590677bce99882991cf0fb48abea209c9c3affc7a5e7063304615264267
Opcode Fuzzy Hash: 79314024d7d11fd14cc57ae62eab9bf723dd4b6bd0850f8e9e0bb5dcc8b22c9b
Instruction Fuzzy Hash: 3831C7742083405FC715DF3CD890A9ABBE1EF86310719CA5EE085CF2D2DF21D90A87A2

Function 061202B4 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\V;m, xrefs: 0612032F
\V;m, xrefs: 06120482

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: \V;m$\V;m
API String ID: 0-758261920
Opcode ID: 2c7d8df5da4cc6f7b224be3cbcb2c8dac262a9c2abb61aed75e4fe1c29ce78d5
Instruction ID: 0e49abee7edc8b85984ebbc398f7a25a9d5155859fafdfe94fe982cc28ee802c
Opcode Fuzzy Hash: 2c7d8df5da4cc6f7b224be3cbcb2c8dac262a9c2abb61aed75e4fe1c29ce78d5
Instruction Fuzzy Hash: B3718A70E0025ADFDB50CFA8C985BDEBBF2BF88315F148629E414A7254EB749851CF91

Function 061202C0 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\V;m, xrefs: 0612032F
\V;m, xrefs: 06120482

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: \V;m$\V;m
API String ID: 0-758261920
Opcode ID: e28bd08dd2d11f0d6e87014280f06dec62c3f5ba5b6a7c9ed4a38680f86aea11
Instruction ID: c6ae9854f61b29ff5f1e490810925ef8d5cb81acddcb6d1f813be450414c781c
Opcode Fuzzy Hash: e28bd08dd2d11f0d6e87014280f06dec62c3f5ba5b6a7c9ed4a38680f86aea11
Instruction Fuzzy Hash: 31718B70E0025ACFDB54CFA9C985B9EBBF2FF88315F148629E414A7254EB749851CB81

Function 06125D58 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

wq, xrefs: 06125ED1

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: wq
API String ID: 0-718543452
Opcode ID: d85584424379feaa6b03be15000fb726fdc88acdfaf9d172f942b2881789dda5
Instruction ID: a9a29336978b90b3dc97fb8337327d724029e3fea63b22fde367f4d3ab728ade
Opcode Fuzzy Hash: d85584424379feaa6b03be15000fb726fdc88acdfaf9d172f942b2881789dda5
Instruction Fuzzy Hash: 52613871B0021A9FCF058FA9D8809EEBBF6FF88354B158026E905E7350DB31D921DBA1

Function 06129B41 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

Tesq, xrefs: 06129CAA

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: Tesq
API String ID: 0-136783293
Opcode ID: d937166069a47dbc3e673badadd24009c15fa2066b565eb9dc94adf63b644e0c
Instruction ID: d298c523d7b61d406509ca26301dff2bd8a337b8b8fe95163353ff964c181b9e
Opcode Fuzzy Hash: d937166069a47dbc3e673badadd24009c15fa2066b565eb9dc94adf63b644e0c
Instruction Fuzzy Hash: 6F11E4317082598FCB06AB68D8287AE7BB29FCA311F150496D402AF387CFB80D06C7D5

Function 06129BA9 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

Tesq, xrefs: 06129CAA

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: Tesq
API String ID: 0-136783293
Opcode ID: 5066036fdc49a12c884a9ac527f3699837dc9abda0332cead113f99203c89a3d
Instruction ID: 65d8237e46ebfd71d1bf1288e056f8461f6fbe98e7d1ddfacb4f24b55f7482a1
Opcode Fuzzy Hash: 5066036fdc49a12c884a9ac527f3699837dc9abda0332cead113f99203c89a3d
Instruction Fuzzy Hash: 1E11A5316182554FCB06AB68D82879E7FB29F8A711F150596D402AB387CFB80D06C7D5

Function 02741EDF Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

Dzq, xrefs: 02741F47

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID: Dzq
API String ID: 0-4123679374
Opcode ID: 8007c0adaadc4e7d441e4082b760b3989df3b724f772fbae8b4e3997a7d91087
Instruction ID: 90723e16da6045bf2f110ee0485b39498413dd3aedc2d98ab6a35aafb98f2264
Opcode Fuzzy Hash: 8007c0adaadc4e7d441e4082b760b3989df3b724f772fbae8b4e3997a7d91087
Instruction Fuzzy Hash: 3E514C79A006108FCB14EF29D584959BBF2FF88310B168569E91AAB376DF31EC51CF90

Function 06127F6F Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

t, xrefs: 061280DA

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-760408342
Opcode ID: 21a694ce1c5a242ef48bc97b1599a1c49e21eec4c40ee1d3d088ce8b2be21921
Instruction ID: 3f9d1a4f1117d9c936f1f8dfce0d4b15f2566cb4fcb30763e630c413c555308c
Opcode Fuzzy Hash: 21a694ce1c5a242ef48bc97b1599a1c49e21eec4c40ee1d3d088ce8b2be21921
Instruction Fuzzy Hash: 9341C4306042499FC745EF68D89096FBBB1EF89300B54C469E5198F296DF31AD0ACBA1

Function 06127F80 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

t, xrefs: 061280DA

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-760408342
Opcode ID: 029c942f6279a8faea9d5194d4dcc85f9cc5eaa99ccad59c12099b424bf20b36
Instruction ID: d78093a7d84148d189a9b4aa3a84d1e45c9f73a56fb48c5dfe11a8c9203591d7
Opcode Fuzzy Hash: 029c942f6279a8faea9d5194d4dcc85f9cc5eaa99ccad59c12099b424bf20b36
Instruction Fuzzy Hash: 1D41D4307042089FC744EB68D49096FBBB1FF89300B50C469E51A8B796DF31ED4ACBA0

Function 06122830 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

@, xrefs: 0612297F

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f386112c9e1b31aad6c0179dd8be06572b9548a3d00cd18d74dacf9f6ec1b532
Instruction ID: 4e9774ce4c293e14db1e6c22c52b6f61861a9e15ca693f411eac101771581e47
Opcode Fuzzy Hash: f386112c9e1b31aad6c0179dd8be06572b9548a3d00cd18d74dacf9f6ec1b532
Instruction Fuzzy Hash: B23183357041218FDB88EB24E494AAE77B2FBC8310F155169C8079F398DF309E62C791

Function 061213E8 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

$sq, xrefs: 061214B7

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: $sq
API String ID: 0-923501781
Opcode ID: 1ff3a5d5612aa0d7186bde912ffb957dab0168fc203270a76d9fdbb237a69ba4
Instruction ID: 89ac281141f49366b3869675d16a547dddc6e41ab601507f4eb51ff5c8e4f2d2
Opcode Fuzzy Hash: 1ff3a5d5612aa0d7186bde912ffb957dab0168fc203270a76d9fdbb237a69ba4
Instruction Fuzzy Hash: 17319434B14165AFDB94EB68E855AAE77F2FBC8704F10406ADA06EB384DF308D11C791

Function 061213D8 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

$sq, xrefs: 061214B7

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: $sq
API String ID: 0-923501781
Opcode ID: 1433bf429a311b1440cbbf7ec63d86c354b117e038abb25bb8d2b595420cea9e
Instruction ID: bf590f5a8c8d9cc679855b0f9564868af21e7ff9640793a311d1f58702bd5dd3
Opcode Fuzzy Hash: 1433bf429a311b1440cbbf7ec63d86c354b117e038abb25bb8d2b595420cea9e
Instruction Fuzzy Hash: 24310734E04265AFCB54EB68E845AAE77B2FBC8300F10446ADA06EB384CF308D11CBD1

Function 0612C372 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

asq, xrefs: 0612C440

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: asq
API String ID: 0-3950230186
Opcode ID: 40c65df3730c396b196a893ddbc753e30567528b341787fd58988b0fa681d436
Instruction ID: 2324462b79624e57c7ae43983f852e5b9d9295007b25c4c536d45c7076831001
Opcode Fuzzy Hash: 40c65df3730c396b196a893ddbc753e30567528b341787fd58988b0fa681d436
Instruction Fuzzy Hash: 03213B34A047504FC311EB38941169E7BB2EFC6710F168559E906DF382DB34590ACBE2

Function 0612C3A0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

asq, xrefs: 0612C440

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: asq
API String ID: 0-3950230186
Opcode ID: 140d7d57cc15d803e3ed70704ed7915d0abb1105d1c80e8f5363e639f275f993
Instruction ID: c8005e65a70c414853c8072751b99a5f583abd487a68ea86808dd7744af0c0ea
Opcode Fuzzy Hash: 140d7d57cc15d803e3ed70704ed7915d0abb1105d1c80e8f5363e639f275f993
Instruction Fuzzy Hash: E311E234B006248BC754EB29A40066F77B2EFC4710F128929EA06AB384DF705A158BD1

Function 06129C90 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

Tesq, xrefs: 06129CAA

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: Tesq
API String ID: 0-136783293
Opcode ID: 64fd2762e2dfb2c87f7aa7ee96aed0968262c76f0470f72b0d693efcf87b67ee
Instruction ID: cc5f5f718939e73976612daf8c69345059f89f1b95974a86ae1d5ff7e795f5d9
Opcode Fuzzy Hash: 64fd2762e2dfb2c87f7aa7ee96aed0968262c76f0470f72b0d693efcf87b67ee
Instruction Fuzzy Hash: 3E01C831B142288BCB05EB28D4187AF7BB3AFC8710F104569D902AB385CFB40D06C7D9

Function 0612C3E7 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

asq, xrefs: 0612C440

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: asq
API String ID: 0-3950230186
Opcode ID: b8ce00e4db4a709089d3514880a6903d47c16e616295fdf0ad179b8957bfb25c
Instruction ID: aaa7d4a74157020a760aaf6c9c8ab1930e2ee679997e4b5b545e84afa9643345
Opcode Fuzzy Hash: b8ce00e4db4a709089d3514880a6903d47c16e616295fdf0ad179b8957bfb25c
Instruction Fuzzy Hash: 06F022357002249BC218AB28A4007AE77A3EFC0760F528D19EA125F385DFB02E5987D1

Function 06127B07 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0794334fd470f80f8c7fcd43ae1575752ecdb69fd883d79599efeb6a5a1a9a0
Instruction ID: 9ea6c4f6fb1c14091c7bf319d85183fb0ed3f4c42ae268ac06cc4c5e1b78ac5d
Opcode Fuzzy Hash: e0794334fd470f80f8c7fcd43ae1575752ecdb69fd883d79599efeb6a5a1a9a0
Instruction Fuzzy Hash: A1E1E775A04219CFDB14CF59C584A9EBBB2FF89314F25C299E404AB362D730E995CF90

Function 0612053C Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b7823308b526b8f1f8bbd010c8b4c1623b9ab867a5db2a4b5479e9295acefc
Instruction ID: c0b24768a0348e5e2be385aafb39ad73a2914a4254bdcb3618d067bf85ab23f1
Opcode Fuzzy Hash: 55b7823308b526b8f1f8bbd010c8b4c1623b9ab867a5db2a4b5479e9295acefc
Instruction Fuzzy Hash: 30B17E70E0025ACFDB50CFA8D98579EBBF2BF88315F148629E414EB254EB749895CB81

Function 061272BD Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc81ff74e471649a4849c88ac81fa226c84ff14467c876c16fb6ff8dd41b0e96
Instruction ID: 8206b6d942ea0dfde2b37226fb0cab2f9df6d750941729b400cd31ea2e6d628b
Opcode Fuzzy Hash: bc81ff74e471649a4849c88ac81fa226c84ff14467c876c16fb6ff8dd41b0e96
Instruction Fuzzy Hash: 1291FA34A00115CFCB58DFA9C994A9EBBB2FF88300F248569D8059B3A1CB31ED42CF50

Function 06127577 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78bbe9a45fb4786924f255f733bbe6252db765cbf48ee34575e6e468d99e3ea
Instruction ID: 57fdebc69b144aabd2da69c9f4dcf2f28fce03796928f245f7c45e614d2658bf
Opcode Fuzzy Hash: b78bbe9a45fb4786924f255f733bbe6252db765cbf48ee34575e6e468d99e3ea
Instruction Fuzzy Hash: A3911D34A00119CFDB55DFA9C894AAEBBB2FF48304F258569D405AB3A1DB31ED52CF50

Function 06121160 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b581ceed18b22008c5a51dcf32e901cac449aaa0f7cb40e25c6587c1de7310d5
Instruction ID: 7c71d03225a020f7fcb1e75eb8d034f9f6f382a57afd626157e83f1dc97c9e5a
Opcode Fuzzy Hash: b581ceed18b22008c5a51dcf32e901cac449aaa0f7cb40e25c6587c1de7310d5
Instruction Fuzzy Hash: 72515B39B180159FCB04EF68F86496A77B2FBC8310B119169D9079F3A9DF385E16CB90

Function 061256EF Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a91c811f20e36c86a38e8a7908dd860e0df37fad4c766f9886f10ccca389f9
Instruction ID: b9f88543cde453ad93f05491052c235fb3566ae1dafbceff1c1c55ac2e163e4e
Opcode Fuzzy Hash: 77a91c811f20e36c86a38e8a7908dd860e0df37fad4c766f9886f10ccca389f9
Instruction Fuzzy Hash: E4515174B1411A8FD758EF28E498A6E77F2EBC8300F1181A9D90A9B355DF349E52CF80

Function 061256FC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696af0a9b1456c876abd146c99eef69dfd82329933d236c775c6a199b78d3ca7
Instruction ID: a307308a90882edba00cce36d63dc650715178e3240e876edb021644f2f49471
Opcode Fuzzy Hash: 696af0a9b1456c876abd146c99eef69dfd82329933d236c775c6a199b78d3ca7
Instruction Fuzzy Hash: 61514274B1411A8FD758EF28E59866E77F2EBC8300F1181A9D90A9B355DF349E52CF80

Function 06127409 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14db88be65fd42bc6d8d66dddc4f9a5fc084ca30739e52ff59f1ac8d23276109
Instruction ID: e3a35ed91cd0c300ba9cd2acd59fe3b03c580d6737205655fdebb6dfddaf3a86
Opcode Fuzzy Hash: 14db88be65fd42bc6d8d66dddc4f9a5fc084ca30739e52ff59f1ac8d23276109
Instruction Fuzzy Hash: 46412D30A00119CFDB58DFA9C894AAEBBB2FF88305F25896DD405AB295CB359D42CF50

Function 06121F13 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4dcb5e93d24e74121588c816f0aa00fe876894015eac45a02d02ed3c287bba6
Instruction ID: 5c5350695e57af82f1fed9ae8cc69509168201a7dbc6d0da04e8b01ff22fc3ec
Opcode Fuzzy Hash: f4dcb5e93d24e74121588c816f0aa00fe876894015eac45a02d02ed3c287bba6
Instruction Fuzzy Hash: FA31AE307082458FDB85EB74E8A0AAE7BB2FBC8300F14516AC8069F399DF349D52C791

Function 06121F40 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9652110ad25a8031c08e0f4bec90d5e3d24442c6fbb862239193777e217186fc
Instruction ID: f9de7612477775d8aa140bf8f9e4d01bc273b5c3f759360907229c58aea1590f
Opcode Fuzzy Hash: 9652110ad25a8031c08e0f4bec90d5e3d24442c6fbb862239193777e217186fc
Instruction Fuzzy Hash: 5E215C34B041158BCB88FB64E5A4AAE77F2FBCC310F145529C806AB398DF30AD52CB95

Function 06129EB8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e01565b6dcbec8509ace27747a7e6ece8bbc286901d0c2c1c47f81607963dec
Instruction ID: 8b85f945ad82807ff9567187e6119bf6264141cc1d57310eb9cb3d0569cce557
Opcode Fuzzy Hash: 4e01565b6dcbec8509ace27747a7e6ece8bbc286901d0c2c1c47f81607963dec
Instruction Fuzzy Hash: 7C21C535B041189BC744DB98D959ADF7BBAEB8C310F218058F506A7384CF745E468BF1

Function 0612BADF Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d78848c1cb71e9f5968359c93dbb08244ca87fd29b8bc4c52921bfa5c9ecd4d
Instruction ID: 7404bb96c2d1cd9415ada659ff6c7a5a0d959f41c47583dad312b7f2aa4b7432
Opcode Fuzzy Hash: 8d78848c1cb71e9f5968359c93dbb08244ca87fd29b8bc4c52921bfa5c9ecd4d
Instruction Fuzzy Hash: 4021F074E082168FCB40DF59D8919EFBBB5EFC9324F148259E6609B391D7309852CBD0

Function 027417F8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab364731a8dc2b8c3bb916c027933155878c7a2efe19d997a2eafaa7db5d0dc8
Instruction ID: 520ad7b52b5da07f8fb6bef176caa093a2ca9ffe200d3ba816488a89f0658afc
Opcode Fuzzy Hash: ab364731a8dc2b8c3bb916c027933155878c7a2efe19d997a2eafaa7db5d0dc8
Instruction Fuzzy Hash: 5011C1347041009FC745EB79E8A9F6A7BE5EFC97607068169E90ACF355DF60DC418B90

Function 06127968 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a24209b9293c0475b0819deba924db63549efe7212ce1fbbd21db7e956f7ac
Instruction ID: 9bccc7af4357e92c98a61d4da29ad8ced89b5d07b47c74e8cbe95b17d023f636
Opcode Fuzzy Hash: 30a24209b9293c0475b0819deba924db63549efe7212ce1fbbd21db7e956f7ac
Instruction Fuzzy Hash: A5211830600A158FC724DF19D584E52F7E5EF84320F19CA6AE49E8B6A1DB70E895CB91

Function 06122210 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd6f0607aaf4d6c4e682a9100eb19e1e5ad831c20e957c9b57df8113f64afc5
Instruction ID: 9875bbebf656fb7d1ecc95e1c943d459737ec3284dc95d68b4bf2f0debb8b447
Opcode Fuzzy Hash: bdd6f0607aaf4d6c4e682a9100eb19e1e5ad831c20e957c9b57df8113f64afc5
Instruction Fuzzy Hash: 1321C075A00119DFDB54EBA8D4697AEBBB1EF88300F508069D102EB395CF359E46CBA0

Function 06127A38 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79947862bbed0dd8483513acd1665687401b507f4b27967cfdb322d28ddf220
Instruction ID: b831fa77cafe93437f543770d075b6c33a58bd9ce5be6947f019ec504114d5a7
Opcode Fuzzy Hash: b79947862bbed0dd8483513acd1665687401b507f4b27967cfdb322d28ddf220
Instruction Fuzzy Hash: 6F1186717042519FD764CF29D884E53BBE5EB89324B1989ADE04AC72A2D730E846CB60

Function 02741808 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b719995ace75862ea294c97cb556235b1a93631e9fda326d4f328147c526b1a2
Instruction ID: 8b788eab2845662a14ea8e6138eed58f4a2098d2b4a4053409e849324973fe66
Opcode Fuzzy Hash: b719995ace75862ea294c97cb556235b1a93631e9fda326d4f328147c526b1a2
Instruction Fuzzy Hash: 5C117C347041019FC748AB79D899E2A7BEAEF886A07128169E90ACF355EF60DC508B90

Function 06129EC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6279594b383a51bd062412f3352501fce5003ee5b835ed985aad7dfc7f01dc1e
Instruction ID: 73c50378a5f7dda7dc8fa1e7aaad8040ec01e679575e14e7f2fb46ed1609a402
Opcode Fuzzy Hash: 6279594b383a51bd062412f3352501fce5003ee5b835ed985aad7dfc7f01dc1e
Instruction Fuzzy Hash: 98118435B041189BD744EB98D559AAF7BB6EBCC300F218069F606EB384CE745E46CBE1

Function 06126AD1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c846a808578b0a17f60321de937b6bfadc92bc4b3cb6fa3a22af83dceecbd695
Instruction ID: d04c6fbf5d987a414be853346f82814bec068653ae08684687c286ecce3e9575
Opcode Fuzzy Hash: c846a808578b0a17f60321de937b6bfadc92bc4b3cb6fa3a22af83dceecbd695
Instruction Fuzzy Hash: 111184397043514FC710CF69D85496ABBF5EF8A350719449EF5C5DB362DA21EC01CBA0

Function 061226C8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d96fde447451d63a07fde019b52226ab38b239fdfcee44faec3d8ef23110050
Instruction ID: 392f63986ffa0832e8b53bacf733d9e28218fdd8631841fd5ce49b127ca2216a
Opcode Fuzzy Hash: 4d96fde447451d63a07fde019b52226ab38b239fdfcee44faec3d8ef23110050
Instruction Fuzzy Hash: 030196B6A04140AFC745C764DD9675ABBB1DBA5201F19C8BF9444CB392EB31CD12C781

Function 06126AE0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a309d37b738734e39ad117022af23550336a68bceb5086114bcfdd6d8ecbe34
Instruction ID: edab87c64244adad5f877fd97f22ccd64b4940ddc39f42846f7e1aa00b600fed
Opcode Fuzzy Hash: 9a309d37b738734e39ad117022af23550336a68bceb5086114bcfdd6d8ecbe34
Instruction Fuzzy Hash: 94014F397002158FC710DF69D884926BBE6EFCD3657154469F549CB361DA31EC01CB90

Function 027408F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e153ccaddfc9c085136ee322abc66bd2f23cc2f830667f400bb733eec84b95
Instruction ID: c6286dafe9a6ecf19c383e026fed829c10ff2a75b25f6c8aa028cb2d4f5934fc
Opcode Fuzzy Hash: b2e153ccaddfc9c085136ee322abc66bd2f23cc2f830667f400bb733eec84b95
Instruction Fuzzy Hash: 0AF0745104EBD01FC71783706BB78A47F34AC1700030E86CBC8D98BAA3D649561BE366

Function 00DFD7F1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4151618671.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dfd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087add54f6b88ffe673a285cb9c61197246745e8780e9cfa59c3efaae82838f3
Instruction ID: d6669de6da63120c11c5812ec3d289859fa03cec14b9e4e801fd94c7fbc53c2a
Opcode Fuzzy Hash: 087add54f6b88ffe673a285cb9c61197246745e8780e9cfa59c3efaae82838f3
Instruction Fuzzy Hash: 7301F7724083489AE7204A15CCC0776BFDAEF513A4F19C41AEE484A282C638D840D6B1

Function 0612CDA0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1315deddbf4b28db8fb1338aa1ec385460afeb702166d165c6d2fd783aad686f
Instruction ID: 243f056ad896e47a6c428ff78f8c5b995c8549a2a71983182b96da12238d098c
Opcode Fuzzy Hash: 1315deddbf4b28db8fb1338aa1ec385460afeb702166d165c6d2fd783aad686f
Instruction Fuzzy Hash: 6F11F2B58002498FCB20DF9AC945BDEBBF4AB48324F208459D519A7250C775A944CFA1

Function 0612CDA2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099c97778ce5c69af9abf3d58a60d007c0ce2663e5a2a8392939486173988919
Instruction ID: 9806975ca7248a3c0f94b155d65f547201e3480d4f1eb2d0b3b773c15b3ce7e7
Opcode Fuzzy Hash: 099c97778ce5c69af9abf3d58a60d007c0ce2663e5a2a8392939486173988919
Instruction Fuzzy Hash: 191100B5C002498FCB20DFAAC985BDEBFF4AB48324F20845AD519A7250C379A944CFA0

Function 06120E62 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f365ef49c599d67b6cf1655ab0974648f5d495089df8ca4fc5f8c9bf5a37e488
Instruction ID: ee722dc3843118b8eb6ef4e1d2e9a7064e16001446fedb67491c74b71f66d1e8
Opcode Fuzzy Hash: f365ef49c599d67b6cf1655ab0974648f5d495089df8ca4fc5f8c9bf5a37e488
Instruction Fuzzy Hash: 4F01C8719093846FE702CFB1DC593967FF4EF06116F1801EBC485CB153EA2966178B55

Function 00DFD7F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4151618671.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dfd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7867c20a6b34683243d33ae9cb8d3d9bf0fd18333589b9ea90338b93985b990a
Instruction ID: db4f0605049bb3b3e9eb20da775ed487079ed86a6f346756b1eee31e4d73d9ff
Opcode Fuzzy Hash: 7867c20a6b34683243d33ae9cb8d3d9bf0fd18333589b9ea90338b93985b990a
Instruction Fuzzy Hash: 14F062724053489EE7208A16DDC4B66FFD9EB51774F18C55AEE484B282C2799C44CAB1

Function 02740988 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79170590a2bce9066903d38d2f5895dcbe8afcb8167a0fad28b7bde4f3f8ee34
Instruction ID: da1ff8715797d4957efa7cd312b2f027698110d6efbcc87f9752dc9608a6f163
Opcode Fuzzy Hash: 79170590a2bce9066903d38d2f5895dcbe8afcb8167a0fad28b7bde4f3f8ee34
Instruction Fuzzy Hash: 33F0C2359086028BD749BF668501256BAE2EB85301F97C46AC64EAF141DF3499528B51

Function 0274089A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b436436035994a3e9dc0556f576b7c4ec8fa3176a1d48165ae6abb7ce13179b6
Instruction ID: a45f4ddadaa7c19adae0a9135cc6afe76a96ca866123e16657dbca69040910b3
Opcode Fuzzy Hash: b436436035994a3e9dc0556f576b7c4ec8fa3176a1d48165ae6abb7ce13179b6
Instruction Fuzzy Hash: 8BF0A770908284AFCB45CBB496669BC7FB4EA0220070545C9E546D7642DB301E11DB91

Function 02740860 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323589d7aae12fe1d1e72f2b0ae82acd7c645b0c9f12cf556fa98f9944980ea7
Instruction ID: a5fc338b76ac7c0dc5ece3ab60b69481d6b5ea441251d840eb75ce3e756b9917
Opcode Fuzzy Hash: 323589d7aae12fe1d1e72f2b0ae82acd7c645b0c9f12cf556fa98f9944980ea7
Instruction Fuzzy Hash: DCE0670010FAC18FD70747756BB65943F707C4300134E48DBC9D58BAA7D509AA2BF3A6

Function 06121CD3 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2305758cdcaf2ea94574f93d43c0f1adb93bfc269dd8dff68c9740da64fc9c3
Instruction ID: c149b37c0283971ae0c919927745c7138f9f3c6e44dae9d8c92138bc9c910f17
Opcode Fuzzy Hash: f2305758cdcaf2ea94574f93d43c0f1adb93bfc269dd8dff68c9740da64fc9c3
Instruction Fuzzy Hash: 4BE092B2915108ABC340CBA4CD0264EBBF9EF85200F14C5B69908C7252EF319A119B81

Function 0612BAA9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1aaf417f1dea6b6c1d256445139382389a28401a17a2c9c4c9adab665ca081
Instruction ID: 232cc6ab1bee90a433dca8de7e6a39645ed7b1f6cd4ebacaefacc9f04417ed4a
Opcode Fuzzy Hash: 0f1aaf417f1dea6b6c1d256445139382389a28401a17a2c9c4c9adab665ca081
Instruction Fuzzy Hash: F1E0CD315096005FC301E618DD518C6B775DF97210715C54EF48597213D7309A07D7B2

Function 0612C0D9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c072b1ea4558b686002062dadd3fa5061c5e0c5952b0a857480ed8be7ff050e0
Instruction ID: 5f4e1107f4a209e092407aaae18b17afa44f5b4f88ff800fd58b13f1d502c90e
Opcode Fuzzy Hash: c072b1ea4558b686002062dadd3fa5061c5e0c5952b0a857480ed8be7ff050e0
Instruction Fuzzy Hash: D7E02672946248DFC741CBE88A010DE3FF5AE4721071004E3D008E7113DE304A14EB92

Function 0612CE68 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756ca5d6bf2477c9862e91e11acfd84ecab6e683bb32574d735297c03603e301
Instruction ID: c05e702a838788c1caf6944180c9730b824f31f81a6867bbec03b803d0dda0d0
Opcode Fuzzy Hash: 756ca5d6bf2477c9862e91e11acfd84ecab6e683bb32574d735297c03603e301
Instruction Fuzzy Hash: B5E08C366083915FC302DA54C9118E6BB66EFC7220325888AF48287262C7629D1BC7B1

Function 0612C110 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db134961cc70011caec8d9690b2470e4f47b4b235bc3531e5baf4161fa820323
Instruction ID: e438a68e07a11c14a1f9ea217090fb923b8862be7c886a90a58b94c5a2ed7c18
Opcode Fuzzy Hash: db134961cc70011caec8d9690b2470e4f47b4b235bc3531e5baf4161fa820323
Instruction Fuzzy Hash: AFE0CD7610D2805FC202CBD4FD108D6FF666B87220714484FF44463253C2118D16D772

Function 0274151B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e406af8cca186ad21d2460e1db09cf1f7b38d9215f3554a8f5bc8e7d656a3551
Instruction ID: eae1319e78127e371820cd46908eccdbf010dec70b67422ae47c7047e2d4d705
Opcode Fuzzy Hash: e406af8cca186ad21d2460e1db09cf1f7b38d9215f3554a8f5bc8e7d656a3551
Instruction Fuzzy Hash: 5FE02626D083018ACB06AA398505396BBA5AB41201B86C86BC789AB002DF3098838712

Function 027408A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d324fb837e18adad9776b1e4dd685e570f45cf30835ab8110ed13af266deb572
Instruction ID: ff9abe049392e1d5a1a5a0079a92f0a4811830de08b518e74ddc2700d094ba28
Opcode Fuzzy Hash: d324fb837e18adad9776b1e4dd685e570f45cf30835ab8110ed13af266deb572
Instruction Fuzzy Hash: CBE08C70D0420CEFCB48EFB4DA46A6CB7F8EB00205B514999EB0AAB640EF301F109BD1

Function 06129E89 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f6016d14d84806eb88c4bba5e4ca7c49d5c8a8243da5c7b416ccd5c6e87092
Instruction ID: 9f4b929a71c4fedc16ca14698bac70badcec489c1fb4c3064327e8b046a5ec83
Opcode Fuzzy Hash: 19f6016d14d84806eb88c4bba5e4ca7c49d5c8a8243da5c7b416ccd5c6e87092
Instruction Fuzzy Hash: BDE08C7210E2419FC302CA94D900C96BBBAABC6610B14848AF48096213C6218D16D772

Function 0612C670 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1adefc317aae1a555db057ddb1aaeffeb1a780235d0a8017a3a58c41468aab
Instruction ID: 9d9edc537c57f237594d0d40928dd705d39d1677faf771e406095712dfe89241
Opcode Fuzzy Hash: 9e1adefc317aae1a555db057ddb1aaeffeb1a780235d0a8017a3a58c41468aab
Instruction Fuzzy Hash: 92D05E312062401FC301C658C8548D2AF7AEB8B66031AC49EF085CB253DA21AD038360

Function 0612A818 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e0082140232af961d0ce4d521b955d0123a34e881367045489ef01db919714
Instruction ID: 2042b9433f49db9cf1c305e0227a015456a92da1a52420eed9b417acbc93fc98
Opcode Fuzzy Hash: 34e0082140232af961d0ce4d521b955d0123a34e881367045489ef01db919714
Instruction Fuzzy Hash: A9E08C765082009FC702CF94E901806FBA1AF8A604B1888CEE84097212CA22DC27CB73

Function 0612A8F9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515ff0287d3c62d091a276f7d1ff14180ac7a43d66b32143ca11ea0a409b88b8
Instruction ID: 5802f36ea55bf78ca7cb7ed34f0338bb227498787fdaf98c0236aef6f0dfa086
Opcode Fuzzy Hash: 515ff0287d3c62d091a276f7d1ff14180ac7a43d66b32143ca11ea0a409b88b8
Instruction Fuzzy Hash: D4D012355083509FC315DF44D951891F771BF87214B14888AE4559B253CB22D82BC761

Function 0612A6A1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5037ae734a47aad668359a8e8ca30a2b33a9fd2a1310821a25a30fe1c87c6947
Instruction ID: 92e91267d512529968e78efbeda2e058ccf288d5a9c6eaf81b0daa0a148c2c2a
Opcode Fuzzy Hash: 5037ae734a47aad668359a8e8ca30a2b33a9fd2a1310821a25a30fe1c87c6947
Instruction Fuzzy Hash: 56D0173610D3E04FC743CB58D8A0942BF62AF97214B1D88CAE8918B353C722D81BCB61

Function 061285A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003a7ab7dc31fc8527e86e0f3afd3f72d4a0357962dae7750beccbbb8c58eace
Instruction ID: dc62e218b46bb854b753056fafb77ff16d02171505fea4c260a4679b152c5774
Opcode Fuzzy Hash: 003a7ab7dc31fc8527e86e0f3afd3f72d4a0357962dae7750beccbbb8c58eace
Instruction Fuzzy Hash: 96D05E711183A05BE205CB54E861A22BB65EBC5210F04C94FE89083353CBA29D07DBA1

Function 0612B0D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a1e2cdfcc4851b28a065ad1351be676f417e13c0f7828e8f6e05a39213572f
Instruction ID: ef3c5a6e62e8f1def5cd02842e724170f22dafcec744dae4ffb659f69066e3df
Opcode Fuzzy Hash: 56a1e2cdfcc4851b28a065ad1351be676f417e13c0f7828e8f6e05a39213572f
Instruction Fuzzy Hash: EBE012B514C2816FC342DB54FD21C56BFA65FC6604B18448EB580DB243C612DD26C772

Function 06128479 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735519215a3fd663540696308a09a85339188eabcd7d6baad27a35c39272c932
Instruction ID: 420819f785cb018f7677f2ffa79ae2c1002c77ecb1411e7ce1c260094c739b6e
Opcode Fuzzy Hash: 735519215a3fd663540696308a09a85339188eabcd7d6baad27a35c39272c932
Instruction Fuzzy Hash: EED05E351282A05BD200CB44E852972BB65EBC5210F04C88EE88043242C7A29C07CB51

Function 061281A0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa27412a06ec8738122d46c3052e60218b19660534d74d18279b7b4c582281a8
Instruction ID: c6369d6e504e67294fb77727790ab914a3c1875e32da55b1adb8909af2305105
Opcode Fuzzy Hash: aa27412a06ec8738122d46c3052e60218b19660534d74d18279b7b4c582281a8
Instruction Fuzzy Hash: E0D05E756282A05FD241CB44D810A66BBF5EFD9600F08C84EE84043292CBA29C0ACB91

Function 06120EB0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c95c4db593dcf4b4d6587d58706affcf6cda6ac2444e834e0207aac6637fa36
Instruction ID: f9fae55f1205923ec4dc4d0b0a5af8dc07e983db8528e159ee3132c720f43157
Opcode Fuzzy Hash: 8c95c4db593dcf4b4d6587d58706affcf6cda6ac2444e834e0207aac6637fa36
Instruction Fuzzy Hash: FCD0C97190110CAB8B00DFA5990149EBBF9DB49214B1045F69909D7211EE319A106B92

Function 06122FC8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3e1552ba8221365b345765ef221869044fd85069cff78ae02a27e9c21a0d7f
Instruction ID: 75c9cd36edb25db9d1b83f6b80d878ad3b1e2c79644cf27e9d9d8120bf1a7949
Opcode Fuzzy Hash: 1e3e1552ba8221365b345765ef221869044fd85069cff78ae02a27e9c21a0d7f
Instruction Fuzzy Hash: 29D0C9716010409FE705E545C882B95A3B19B88201F18D4286408C7362DA36D8068B05

Function 06121CE0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895fa8b0085d11c91ad3629f0daadce3ef085c40d66fb4bde87f141766ce8693
Instruction ID: bba4e463da257cfd646a99788ebea7d8c6e33d24489a52649d9595fc47a6bd6d
Opcode Fuzzy Hash: 895fa8b0085d11c91ad3629f0daadce3ef085c40d66fb4bde87f141766ce8693
Instruction Fuzzy Hash: 84D0C97190110CAB8B00DFA4D94149EBBFDEF49210B5045E69909D7211EE315A106FD2

Function 0612C0E8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78726f05921e39affe86fb8a66f83853b58bf7c17ce9f7df64dc49581ff3e99
Instruction ID: 77da44ed35bac89ea18cb01f25e23cbc03d7bf574b5cb0c2e6396e3183d1f477
Opcode Fuzzy Hash: d78726f05921e39affe86fb8a66f83853b58bf7c17ce9f7df64dc49581ff3e99
Instruction Fuzzy Hash: 2FD0C971D0120CEBCB00DFE9D94149EBBF9DB89210B5045E69909D7251EE315A10AB92

Function 061213B1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a2d9e622d8b3282e10c4a85cd332f88cdb956bd080a1f841415e3b89a0da2b
Instruction ID: ed07acc3e7a63eaddcaa9dcac626ee1b625f65752fd9e0b8fe2a56d32334927a
Opcode Fuzzy Hash: a6a2d9e622d8b3282e10c4a85cd332f88cdb956bd080a1f841415e3b89a0da2b
Instruction Fuzzy Hash: 83D0123131A2845BD304C754D891B12BFA59BD5150F14C09DE448C7363DB75EC03D711

Function 027418C9 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5bd8619152183b5220654d2e45046754997d1d72a4ff184a69d1e1f1f916da
Instruction ID: aee54e84f544207c5f074ee53b52978f4d2ff1e4599161546ee3e85e9c6b91d1
Opcode Fuzzy Hash: dd5bd8619152183b5220654d2e45046754997d1d72a4ff184a69d1e1f1f916da
Instruction Fuzzy Hash: A3C080159483C54FCF4703BC10F51D47F704C5311434509D9D488CE157F61548779700

Function 06128E08 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a871894556945af0726d71e36e17f556a55743729206a13b76895df5a822f3
Instruction ID: 4c7b0f5334dc7d17d9b409600aa0f4a57c7e03740f8a9334dca25a34deccb61e
Opcode Fuzzy Hash: d9a871894556945af0726d71e36e17f556a55743729206a13b76895df5a822f3
Instruction Fuzzy Hash: CBD01275704140ABE304C754DC55B11B7E69BD5605F14C45D6449C7353DB37EC03D710

Function 0612A828 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 0612C120 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 06129152 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c834fbb71b8d2b56deb15165cd78c021c150c847b277889813dcce929fcc68f7
Instruction ID: 1cdd0907bb1481cf53249a689421ec0b8c7d5dea72c63cec8e6766e8a30852a7
Opcode Fuzzy Hash: c834fbb71b8d2b56deb15165cd78c021c150c847b277889813dcce929fcc68f7
Instruction Fuzzy Hash: DDC0122004A3C09FC70347E4CD618817F396E4322531940C6E841CF153CB198D17D360

Function 06128AC0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21703581e48dd005f98811dc026244ca87db5b898c9a1fed4bbabd7ee27d2ab5
Instruction ID: 916b7eea077dba61584543d3e4812cf558ec8376c9abac674f66bc9d4183066b
Opcode Fuzzy Hash: 21703581e48dd005f98811dc026244ca87db5b898c9a1fed4bbabd7ee27d2ab5
Instruction Fuzzy Hash: B0C012715092405FD3039254D8112007B32DB82208B0D80CE9085CB293C722D8079301

Function 06121140 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfbdc91fa27ecf7d43bda1981840d1308f672ebee89635b07a082e721bd7def
Instruction ID: 01dd0c626af54b6ac2a237bd630948761f7d9b6b888f2be6adecf65050f2eabe
Opcode Fuzzy Hash: 1cfbdc91fa27ecf7d43bda1981840d1308f672ebee89635b07a082e721bd7def
Instruction Fuzzy Hash: 44C09B6211919047CA01DFF4D4777447F60E746134F28C6DFE44486197CF979507C705

Function 02742EB7 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b3274517dd1b970bdc9c146d25400c53f62d0d6fb83ab481608f064658aa0d
Instruction ID: ffd2ef9a938bb677ad3a4bd9011244b35b6fd7f292fb00f1873013517aa82857
Opcode Fuzzy Hash: 55b3274517dd1b970bdc9c146d25400c53f62d0d6fb83ab481608f064658aa0d
Instruction Fuzzy Hash: 41C08C34A00008ABCF029F94E5148FDBAB2EF88300F011016FB0272290CE329E708B31

Function 06121700 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a946f7b47a568840ffcd659b70de766796089300ac619a61089659ae4b808ea
Instruction ID: ae1f12c332ced0b57271aff003f26b9e426c86bb3e3500af67e2cd13deeef2fa
Opcode Fuzzy Hash: 5a946f7b47a568840ffcd659b70de766796089300ac619a61089659ae4b808ea
Instruction Fuzzy Hash: BEC08C710080005BD700CBA4E441380BBA1DF85210F28808AC4448B242C636DA43C706

Function 0612BFB1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be5d47c2e6bc9f2cd15b86baaaaa01717074beaff3ad6b86c313365052acd71
Instruction ID: f45bad774b957891789631b8d7b2808c5f4d26cd68c3af10f1b0b9cf98ae89a5
Opcode Fuzzy Hash: 8be5d47c2e6bc9f2cd15b86baaaaa01717074beaff3ad6b86c313365052acd71
Instruction Fuzzy Hash: E2B0920108F3D01FC30342A40D20AD36E2A1B03224B2A42C7F0819E0A3C28A8759936A

Function 06121890 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33865ce134ef2185ffa0f796e236cc2cb843d4dc6a028ffbe5f71d56a878c0a9
Instruction ID: 084137890aa17a7f24b16cb285bd74da86e8c42e6e6ba95e26bb47c724f5fcc6
Opcode Fuzzy Hash: 33865ce134ef2185ffa0f796e236cc2cb843d4dc6a028ffbe5f71d56a878c0a9
Instruction Fuzzy Hash: BCC04C2539B19046D641C77098B17447F30A742105F1CD59E948447153CB56950BE711

Function 06121A2B Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492c859123adbe27b3d0f8a13fc172c0b88967ce12735b679e4f035b5e9237f8
Instruction ID: 98e3b93ed10d82fb56c00bad897ba2a146044f61e7e5c14e6e976bade39c8f5f
Opcode Fuzzy Hash: 492c859123adbe27b3d0f8a13fc172c0b88967ce12735b679e4f035b5e9237f8
Instruction Fuzzy Hash: ACB012303440005BA244D608C841414B352DFC4209318C09C6408CB345CF33ED039640

Function 02740940 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4152007080.0000000002740000.00000040.00000800.00020000.00000000.sdmp, Offset: 02740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2740000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7901e31e58e870bd0bb4fc4051e95230ef79f0ecdbb37b5a40c1336d534de147
Instruction ID: e2654b09533cdb59b89a2a8122d955cab345f25d8dbf55fbb55006e8dbf445e4
Opcode Fuzzy Hash: 7901e31e58e870bd0bb4fc4051e95230ef79f0ecdbb37b5a40c1336d534de147
Instruction Fuzzy Hash: B990023158460C9B4A802795B509959775C95446157801451A61D415015A55647046A6

Function 06120EF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06120F50 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 0612BFC0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 061294E0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06120A80 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06129860 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 061287D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4171613185.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22j4btpq.egd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3csosueh.3jl.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1JJHCI8TJXK54HJ92K6H.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
2.ps1

Function 00007FFD9B7ED310 Relevance: 1.6, APIs: 1, Instructions: 118
threadCOMMON

Function 00007FFD9B8B1390 Relevance: .2, Instructions: 172
COMMON