Windows Analysis Report
RvC3HdKbs2.exe

Overview

General Information

Sample Name: RvC3HdKbs2.exe
Analysis ID: 724055
MD5: 5af168c69f8a1724c43e2d9da5aa6a46
SHA1: 4ad5f4fd58840e8a500c0ba60fe3d4b0765dfe96
SHA256: b3eba1fcd0633a5ba27ba2715ad1e38943c2bf5e6e4182298a3bf39492f8eca4
Tags: Arechclient2exe

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
.NET source code contains very large array initializations
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Machine Learning detection for sample
Potential dropper URLs found in powershell memory
.NET source code contains potential unpacker
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Binary contains a suspicious time stamp
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • RvC3HdKbs2.exe (PID: 792 cmdline: C:\Users\user\Desktop\RvC3HdKbs2.exe MD5: 5AF168C69F8A1724C43E2D9DA5AA6A46)
    • powershell.exe (PID: 496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.544247967.0000000005290000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x1a4844:$s1: file:///
  • 0x1a4754:$s2: {11111-22222-10009-11112}
  • 0x1a47d4:$s3: {11111-22222-50001-00000}
  • 0x19d6c3:$s4: get_Module
  • 0x193023:$s5: Reverse
  • 0x1a2fba:$s6: BlockCopy
  • 0x1a4115:$s7: ReadByte
  • 0x1a4856:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Source | Rule | Description | Author | Strings
0.2.RvC3HdKbs2.exe.5290000.3.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x1a4844:$s1: file:///
  • 0x1a4754:$s2: {11111-22222-10009-11112}
  • 0x1a47d4:$s3: {11111-22222-50001-00000}
  • 0x19d6c3:$s4: get_Module
  • 0x193023:$s5: Reverse
  • 0x1a2fba:$s6: BlockCopy
  • 0x1a4115:$s7: ReadByte
  • 0x1a4856:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.RvC3HdKbs2.exe.5290000.3.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x1a2a44:$s1: file:///
  • 0x1a2954:$s2: {11111-22222-10009-11112}
  • 0x1a29d4:$s3: {11111-22222-50001-00000}
  • 0x19b8c3:$s4: get_Module
  • 0x191223:$s5: Reverse
  • 0x1a11ba:$s6: BlockCopy
  • 0x1a2315:$s7: ReadByte
  • 0x1a2a56:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.RvC3HdKbs2.exe.3c0e760.2.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x1a2a44:$s1: file:///
  • 0x1a2954:$s2: {11111-22222-10009-11112}
  • 0x1a29d4:$s3: {11111-22222-50001-00000}
  • 0x19b8c3:$s4: get_Module
  • 0x191223:$s5: Reverse
  • 0x1a11ba:$s6: BlockCopy
  • 0x1a2315:$s7: ReadByte
  • 0x1a2a56:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.RvC3HdKbs2.exe.3e33590.0.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x1a2a44:$s1: file:///
  • 0x1a2954:$s2: {11111-22222-10009-11112}
  • 0x1a29d4:$s3: {11111-22222-50001-00000}
  • 0x19b8c3:$s4: get_Module
  • 0x191223:$s5: Reverse
  • 0x1a11ba:$s6: BlockCopy
  • 0x1a2315:$s7: ReadByte
  • 0x1a2a56:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.RvC3HdKbs2.exe.40583b0.1.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x1a4844:$s1: file:///
  • 0x1a4754:$s2: {11111-22222-10009-11112}
  • 0x1a47d4:$s3: {11111-22222-50001-00000}
  • 0x19d6c3:$s4: get_Module
  • 0x193023:$s5: Reverse
  • 0x1a2fba:$s6: BlockCopy
  • 0x1a4115:$s7: ReadByte
  • 0x1a4856:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: RvC3HdKbs2.exe | Avira: detected
Source: RvC3HdKbs2.exe | ReversingLabs: Detection: 80%
Source: RvC3HdKbs2.exe | Virustotal: Detection: 60%
Source: RvC3HdKbs2.exe | Joe Sandbox ML: detected
Source: RvC3HdKbs2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RvC3HdKbs2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 0000000F.00000002.513035326.0000000002945000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: RvC3HdKbs2.exe, 00000000.00000002.521304873.0000000002C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.517132952.0000000004751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: RvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: RvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

System Summary

Source: 0.2.RvC3HdKbs2.exe.5290000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.5290000.3.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.3c0e760.2.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.3e33590.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.40583b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.40583b0.1.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.3e33590.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RvC3HdKbs2.exe.3c0e760.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.544247967.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: RvC3HdKbs2.exe, WindowsFormsApp66/Hire.cs | Large array initialization: Sir: array initializer size 2248208
Source: RvC3HdKbs2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.RvC3HdKbs2.exe.5290000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.5290000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.3c0e760.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.3e33590.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.40583b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.40583b0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.3e33590.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RvC3HdKbs2.exe.3c0e760.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.544247967.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: RvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLyqmdlybyfyapgilka.dll" vs RvC3HdKbs2.exe
Source: RvC3HdKbs2.exe | Binary or memory string: OriginalFilenameEpzzaOnE.exe" vs RvC3HdKbs2.exe
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_0293AA80
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_04EF7990
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_04EF3FA0
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_04EF3FB0
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_04EF7931
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_04EF3B1D
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_04EF3B18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07C10AAB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07C10AB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CAE308
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CAF100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CA4090
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CAC960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07D18788
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07D10768
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07D19620
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07D14628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02BE6AB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02BE6AAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02BEAE78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02BEAE68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07C1BE19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CB0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CB0023
Source: RvC3HdKbs2.exe | ReversingLabs: Detection: 80%
Source: RvC3HdKbs2.exe | Virustotal: Detection: 60%
Source: RvC3HdKbs2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RvC3HdKbs2.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\RvC3HdKbs2.exe C:\Users\user\Desktop\RvC3HdKbs2.exe
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1vwlvyp.1s2.ps1
Source: classification engine | Classification label: mal88.troj.evad.winEXE@7/6@0/0
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RvC3HdKbs2.exe | Static file information: File size 2290176 > 1048576
Source: RvC3HdKbs2.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RvC3HdKbs2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RvC3HdKbs2.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x226000
Source: RvC3HdKbs2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: RvC3HdKbs2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: RvC3HdKbs2.exe, WindowsFormsApp66/Air.cs | .Net Code: OnBuffer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_04EF6DEC push eax; ret 0_2_04EF6DED
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_04EF5699 push B80A4288h; iretd 0_2_04EF56B0
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_050210E6 push ebp; iretd 0_2_050210E7
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Code function: 0_2_050214E8 push ebx; retf 0_2_050214E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07C1370B push eax; iretd 15_2_07C13711
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07C1369B push es; ret 15_2_07C136A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07C13653 pushfd ; iretd 15_2_07C13659
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07C1359B pushad ; iretd 15_2_07C135A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07C1AAE0 push es; ret 15_2_07C1AAF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CA5F44 push esp; ret 15_2_07CA5F69
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CA6F35 push FFFFFF8Bh; iretd 15_2_07CA6F3A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CA7E63 pushfd ; ret 15_2_07CA7E79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CA6CE1 push FFFFFF8Bh; iretd 15_2_07CA6CE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CA48EF push es; ret 15_2_07CA4900
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CBC100 push eax; mov dword ptr [esp], edx 15_2_07CBC2FC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CB76C0 push es; ret 15_2_07CB76D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CBC2E8 push eax; mov dword ptr [esp], edx 15_2_07CBC2FC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CB8EC0 push es; ret 15_2_07CB8ED0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07CB8CE1 push es; ret 15_2_07CB8CF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_07D11FD0 push es; ret 15_2_07D11FE0
Source: RvC3HdKbs2.exe | Static PE information: 0xBA632941 [Sat Feb 2 20:00:01 2069 UTC]
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: RvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: SBIEDLL.DLL
Source: RvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: SBIEDLL.DLL1SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 9473
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 7822
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3780 :: Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2400 :: Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process information queried: ProcessInformation
Source: powershell.exe, 0000000F.00000002.520148360.000000000488B000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: VMware|VIRTUAL|A M I|Xen-Infinity
Source: RvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Microsoft|VMWare|Virtual
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process token adjusted: Debug
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Memory allocated: page read and write | page guard

Reading these entries: SBIEDLL.DLL is the DLL that Sandboxie injects into every sandboxed process, so checking for it is a sandbox test, and the pipe-separated strings (VMware|VIRTUAL|A M I|Xen, Microsoft|VMWare|Virtual) are regular-expression alternations of hypervisor and firmware vendor names, typically matched against BIOS or computer-system manufacturer strings to detect a virtual machine. The delay value 922337203685477 ms equals Int64.MaxValue / 10000, i.e. the largest representable wait; a sandbox that does not shorten such sleeps sees an idle process for the whole analysis window. The Hyper-V module path comes from PowerShell's own module enumeration rather than from the sample.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Process created: Base64 decoded Start-Sleep -Seconds 50
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Process created: Base64 decoded Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==

The second decoded command is the one that matters: Set-MpPreference -ExclusionPath 'C:\' adds the whole system drive to Microsoft Defender's exclusion list, so nothing on it is scanned on access afterwards; the cmdlet only succeeds from an elevated context. The Start-Sleep in front of it, and the separate 50-second sleep process, push the real action past the point where a short-running sandbox stops recording. The 32-bit sample requests System32\powershell.exe, but under WOW64 file-system redirection the process actually created is SysWOW64\powershell.exe, which is why the created path and the quoted command line differ.
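The decoding and triage step a detection engineer would run over command lines like the two above, as an added example that is not part of the Joe Sandbox report or of the sample. The two command lines are copied from the process tree; the flag names, the 30-second threshold and the list of Defender switches treated as tampering are this example's own assumptions. It goes slightly beyond the page by accepting every prefix of -EncodedCommand that powershell.exe itself accepts (-e, -ec, -enc, ...), since matching only the literal -enc is a common detection gap.

```python
"""Decode and triage PowerShell -EncodedCommand command lines.

Added example; not part of Joe Sandbox or of the analysed sample.
"""
import base64
import re
from typing import Optional

# Command lines as recorded in the report's process tree (not constructed).
CMDLINE_SLEEP = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc '
    "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA=="
)
CMDLINE_DEFENDER = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc '
    "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA=="
)

# Assumed threshold and patterns (this example's choices, not from the report).
LONG_SLEEP_SECONDS = 30
# Set-MpPreference switches that weaken Defender; the lazy [^;\n]*? keeps the
# match inside one statement so a later unrelated command cannot trigger it.
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\b[^;\n]*?-(?:Exclusion(?:Path|Process|Extension)"
    r"|Disable(?:RealtimeMonitoring|IOAVProtection|BehaviorMonitoring|ScriptScanning))",
    re.IGNORECASE,
)
SLEEP_RE = re.compile(
    r"Start-Sleep\s+(?:-(?P<unit>Seconds|Milliseconds|s|ms)\s+)?(?P<n>\d+)",
    re.IGNORECASE,
)


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand, or None.

    powershell.exe accepts every unambiguous prefix of the switch, so any
    token that is a prefix of 'encodedcommand' counts. Base64 text never
    contains whitespace, so a plain split isolates the argument.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if flag.startswith("-") and len(flag) > 1 and "encodedcommand".startswith(flag[1:]):
            return tokens[i + 1]
    return None


def decode_powershell_encoded(b64: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE text, not UTF-8; decode accordingly."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Decode an encoded command line and list the evasion indicators found."""
    result = {"encoded": False, "decoded": None, "sleep_seconds": 0, "flags": []}
    b64 = extract_encoded_payload(cmdline)
    if b64 is None:
        return result
    result["encoded"] = True
    script = decode_powershell_encoded(b64)
    if script is None:
        result["flags"].append("undecodable_encoded_command")
        return result
    result["decoded"] = script
    # Sum every Start-Sleep in the script, normalising milliseconds to seconds.
    for m in SLEEP_RE.finditer(script):
        seconds = int(m.group("n"))
        if (m.group("unit") or "").lower() in ("ms", "milliseconds"):
            seconds //= 1000
        result["sleep_seconds"] += seconds
    if result["sleep_seconds"] >= LONG_SLEEP_SECONDS:
        result["flags"].append("long_sleep")
    if DEFENDER_TAMPER_RE.search(script):
        result["flags"].append("defender_tamper")
    return result


if __name__ == "__main__":
    for cmd in (CMDLINE_SLEEP, CMDLINE_DEFENDER):
        r = analyze_command_line(cmd)
        print(f"{r['flags'] or ['-']}: {r['decoded']!r}")
```

Run against the two recorded command lines, the first reports only long_sleep and the second defender_tamper, which is the split a triage rule should make: the 50-second sleep on its own is sandbox evasion, while the 10-second sleep followed by the exclusion is the defence-impairing action worth alerting on regardless of its delay.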
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Queries volume information: C:\Users\user\Desktop\RvC3HdKbs2.exe VolumeInformation
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\RvC3HdKbs2.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RvC3HdKbs2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 PowerShell | Path Interception | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 724055, Sample: RvC3HdKbs2.exe, Startdate: 17/10/2022, Architecture: WINDOWS, Score: 88): the sample node carries the signatures "Malicious sample detected (through community Yara rule)", "Antivirus / Scanner detection for submitted sample", "Multi AV Scanner detection for submitted file" and 5 other signatures; RvC3HdKbs2.exe started two powershell.exe processes (signature: "Encrypted powershell cmdline option found"), each of which started a conhost.exe.

Source | Detection | Scanner | Label
RvC3HdKbs2.exe | 81% | ReversingLabs | ByteCode-MSIL.Downloader.RedLineStealer
RvC3HdKbs2.exe | 61% | Virustotal |
RvC3HdKbs2.exe | 100% | Avira | HEUR/AGEN.1246866
RvC3HdKbs2.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.0.RvC3HdKbs2.exe.300000.0.unpack | 100% | Avira | HEUR/AGEN.1246866
No Antivirus matches
Source | Detection | Scanner | Label
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.nuget.org/packages/Newtonsoft.Json.Bson | RvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | RvC3HdKbs2.exe, 00000000.00000002.517264506.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RvC3HdKbs2.exe, 00000000.00000002.521304873.0000000002C84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.517132952.0000000004751000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://james.newtonking.com/projects/json | RvC3HdKbs2.exe, 00000000.00000002.517113506.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000F.00000002.522891272.00000000049F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.newtonsoft.com/jsonschema | RvC3HdKbs2.exe, 00000000.00000002.521355552.00000000039E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
              No contacted IP infos
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:724055
Start date and time:2022-10-17 02:26:07 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 54s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:RvC3HdKbs2.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal88.troj.evad.winEXE@7/6@0/0
EGA Information:
• Successful, ratio: 50%
HDC Information:Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 158
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.190.159.23, 20.190.159.64, 40.126.31.73, 40.126.31.71, 20.190.159.71, 40.126.31.67, 20.190.159.68, 20.190.159.4, 20.42.65.92, 20.82.228.9, 20.82.154.241
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, www.tm.a.prd.aadg.akadns.net, arc.msn.com, login.msa.msidentity.com, neus1c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, ris.api.iris.microsoft.com, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, prda.aadg.msidentity.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, neus2c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target powershell.exe, PID 5672 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:27:05 | API Interceptor | 99x Sleep call for process: powershell.exe modified
02:29:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Xtvuh "C:\Users\user\AppData\Roaming\Hritsd\Xtvuh.exe"
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):5829
              Entropy (8bit):4.8968676994158
              Encrypted:false
              SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
              MD5:36DE9155D6C265A1DE62A448F3B5B66E
              SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
              SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
              SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
              Malicious:false
              Reputation:high, very likely benign file
              Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):16452
              Entropy (8bit):5.554670343313662
              Encrypted:false
              SSDEEP:384:jte/Rq0tnDZ3+SxGYSjnmu9FiJ9g6SJ3uzp1cYv:QDoSwYomu9p6cutv
              MD5:4F1D7FC3207E9579199A65B8F9FEAA63
              SHA1:35CCB7975485DA18CF7D534EA1890B25C4133B2B
              SHA-256:21F290E610E139965F3F1E81160405EB39EA48556365E321D87B31EB4586780D
              SHA-512:AA5B2963BF425279D13DAB340FC52A86607BA9EB87633DFF05C9A0D6B8AA9379DEF177FCCC6ED9DC0841676A49B3B4CEB04E1AA40CDB8CCAEA94D269982241C9
              Malicious:false
              Reputation:low
              Preview:@...e.......................#...G...:.n..............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:high, very likely benign file
              Preview:1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:high, very likely benign file
              Preview:1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Preview:1
              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.994353588943491
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              File name:RvC3HdKbs2.exe
              File size:2290176
              MD5:5af168c69f8a1724c43e2d9da5aa6a46
              SHA1:4ad5f4fd58840e8a500c0ba60fe3d4b0765dfe96
              SHA256:b3eba1fcd0633a5ba27ba2715ad1e38943c2bf5e6e4182298a3bf39492f8eca4
              SHA512:ba8f9cafe64c603b48ae504bc602db9827978e5d12b2d0a7ba75844d431113c567182bd2f114b4be8d96348b5845ab7b73d764448aa67b2e1a86a424d50e78a5
              SSDEEP:49152:fqtZFHW20mQB2o/jeu6y515peidernF2CqWssW5:fqbFLFDo16y5zpeuVtWssW5
              TLSH:86B533D4DB80C950E6DDC774C4AC870A2DD0FC59BA6908E8014AF1FFEAFC4675A9AC61
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A)c...............0..`".........:1... ...."...@.. .......................@#...........`................................
              Icon Hash:9ea2d4d8caa6f000
              Entrypoint:0x40313a
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0xBA632941 [Sat Feb 2 20:00:01 2069 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30e8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x228000 | 0x8da0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x232000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x30cc | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x225f58 | 0x226000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x228000 | 0x8da0 | 0x8e00 | False | 0.3467209507042254 | data | 5.43369944036272 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x232000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x228180 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | |
RT_ICON | 0x22c3b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | |
RT_ICON | 0x22e970 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | |
RT_ICON | 0x22fa28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | |
RT_ICON | 0x2303c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | |
RT_GROUP_ICON | 0x230838 | 0x4c | data | |
RT_VERSION | 0x230894 | 0x30a | data | |
RT_MANIFEST | 0x230bb0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
              No network behavior found

              Target ID:0
              Start time:02:26:57
              Start date:17/10/2022
              Path:C:\Users\user\Desktop\RvC3HdKbs2.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\RvC3HdKbs2.exe
              Imagebase:0x300000
              File size:2290176 bytes
              MD5 hash:5AF168C69F8A1724C43E2D9DA5AA6A46
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.544247967.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
              Reputation:low

              Target ID:1
              Start time:02:27:03
              Start date:17/10/2022
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
              Imagebase:0xe0000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Target ID:2
              Start time:02:27:03
              Start date:17/10/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:15
              Start time:02:27:56
              Start date:17/10/2022
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
              Imagebase:0xe0000
              File size:430592 bytes
              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Target ID:16
              Start time:02:27:56
              Start date:17/10/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high


                Execution Graph

                Execution Coverage:8.5%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:135
                Total number of Limit Nodes:4

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 96 4ef7990-4ef79b1 97 4ef79b8-4ef7aa7 96->97 98 4ef79b3 96->98 100 4ef7aad-4ef7bee call 4ef3f60 97->100 101 4ef8236-4ef825e 97->101 98->97 147 4ef81ff-4ef8229 100->147 148 4ef7bf4-4ef7c4f 100->148 104 4ef8964-4ef896d 101->104 106 4ef826c-4ef8276 104->106 107 4ef8973-4ef898a 104->107 108 4ef827d-4ef8371 call 4ef3f60 106->108 109 4ef8278 106->109 129 4ef839b 108->129 130 4ef8373-4ef837f 108->130 109->108 134 4ef83a1-4ef83c1 129->134 132 4ef8389-4ef838f 130->132 133 4ef8381-4ef8387 130->133 135 4ef8399 132->135 133->135 138 4ef83c3-4ef841c 134->138 139 4ef8421-4ef84a1 134->139 135->134 151 4ef8961 138->151 161 4ef84f8-4ef853b call 4ef3f60 139->161 162 4ef84a3-4ef84f6 139->162 158 4ef822b 147->158 159 4ef8233 147->159 155 4ef7c54-4ef7c5f 148->155 156 4ef7c51 148->156 151->104 160 4ef8111-4ef8117 155->160 156->155 158->159 159->101 164 4ef811d-4ef817c 160->164 165 4ef7c64-4ef7c82 160->165 186 4ef8546-4ef854f 161->186 162->186 201 4ef8188-4ef819a 164->201 167 4ef7cd9-4ef7cee 165->167 168 4ef7c84-4ef7c88 165->168 171 4ef7cf5-4ef7d0b 167->171 172 4ef7cf0 167->172 168->167 173 4ef7c8a-4ef7c95 168->173 175 4ef7d0d 171->175 176 4ef7d12-4ef7d29 171->176 172->171 177 4ef7ccb-4ef7cd1 173->177 175->176 182 4ef7d2b 176->182 183 4ef7d30-4ef7d46 176->183 179 4ef7c97-4ef7c9b 177->179 180 4ef7cd3-4ef7cd4 177->180 187 4ef7c9d 179->187 188 4ef7ca1-4ef7cb9 179->188 185 4ef7d57-4ef7d99 180->185 182->183 189 4ef7d4d-4ef7d54 183->189 190 4ef7d48 183->190 191 4ef7dad-4ef7f18 185->191 192 4ef7d9b-4ef7da7 185->192 194 4ef85af-4ef85be 186->194 187->188 195 4ef7cbb 188->195 196 4ef7cc0-4ef7cc8 188->196 189->185 190->189 199 4ef7f2c-4ef8015 191->199 200 4ef7f1a-4ef7f26 191->200 192->191 197 4ef8551-4ef8579 194->197 198 4ef85c0-4ef8648 194->198 195->196 196->177 202 4ef857b 197->202 203 4ef8580-4ef85a9 197->203 235 4ef87c1-4ef87cd 198->235 209 4ef8079-4ef808e 199->209 210 4ef8017-4ef801b 199->210 200->199 206 4ef81e9-4ef81ef 201->206 202->203 203->194 207 
4ef819c-4ef81e6 206->207 208 4ef81f1-4ef81f7 206->208 207->206 208->147 212 4ef8095-4ef80b6 209->212 213 4ef8090 209->213 210->209 215 4ef801d-4ef802c 210->215 216 4ef80bd-4ef80dc 212->216 217 4ef80b8 212->217 213->212 218 4ef806b-4ef8071 215->218 221 4ef80de 216->221 222 4ef80e3-4ef8103 216->222 217->216 224 4ef802e-4ef8032 218->224 225 4ef8073-4ef8074 218->225 221->222 229 4ef810a 222->229 230 4ef8105 222->230 227 4ef803c-4ef805d 224->227 228 4ef8034-4ef8038 224->228 226 4ef810e 225->226 226->160 233 4ef805f 227->233 234 4ef8064-4ef8068 227->234 228->227 229->226 230->229 233->234 234->218 237 4ef864d-4ef8656 235->237 238 4ef87d3-4ef882e 235->238 239 4ef865f-4ef87b5 237->239 240 4ef8658 237->240 253 4ef8865-4ef888f 238->253 254 4ef8830-4ef8863 238->254 257 4ef87bb 239->257 240->239 242 4ef86ef-4ef872f 240->242 243 4ef86aa-4ef86ea 240->243 244 4ef8665-4ef86a5 240->244 245 4ef8734-4ef8774 240->245 242->257 243->257 244->257 245->257 262 4ef8898-4ef892b 253->262 254->262 257->235 266 4ef8932-4ef8952 262->266 266->151
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.542048877.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4ef0000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID: UUUU
                • API String ID: 0-1798160573
                • Opcode ID: 20a5bb98b413a7953f90cb7ccac63001a388b4165ce35e60c0cc1da3dca4cdd8
                • Instruction ID: 3120e401d8df149b61ec94e94ca94b730eed69bbd14474886d1527492a9acf64
                • Opcode Fuzzy Hash: 20a5bb98b413a7953f90cb7ccac63001a388b4165ce35e60c0cc1da3dca4cdd8
                • Instruction Fuzzy Hash: CCB2B375A00628CFDB64DF69C984A99BBB2FF89304F1581E9D509AB325D731AE81CF40
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.542048877.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4ef0000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 20d1674d3acb0dd47a82f61f6eeeb1f94d0788b760fa0950fcba015daf845244
                • Instruction ID: aa20a40fcf0d563f42d86ccea33e02b0c644796129c95b14ff400bbe7a6b7961
                • Opcode Fuzzy Hash: 20d1674d3acb0dd47a82f61f6eeeb1f94d0788b760fa0950fcba015daf845244
                • Instruction Fuzzy Hash: 01C1A575E006188FDB18DF6AD9846DDBBF2AF89304F14C1A9D909AB325DB306E85CF40
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 268 293ba54-293e03e 270 293e040-293e046 268->270 271 293e049-293e050 268->271 270->271 272 293e052-293e058 271->272 273 293e05b-293e0fa CreateWindowExW 271->273 272->273 275 293e103-293e13b 273->275 276 293e0fc-293e102 273->276 280 293e148 275->280 281 293e13d-293e140 275->281 276->275 282 293e149 280->282 281->280 282->282
                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0293E0EA
                Memory Dump Source
                • Source File: 00000000.00000002.513895994.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2930000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: c216187c923fcc886c8082a1deac49f8c3419cc114673815b945e189ddea6d3e
                • Instruction ID: 72b9252d8bbb7faa52ddfe64a6ca05124fa9f600f0ed7bfbcdfa5b916535f211
                • Opcode Fuzzy Hash: c216187c923fcc886c8082a1deac49f8c3419cc114673815b945e189ddea6d3e
                • Instruction Fuzzy Hash: 4C51B0B1D04309DFDB15CF99C884ADEBBB5FF88314F64812AE819AB250D775A845CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 283 4ef0cd0-4ef0d0c 284 4ef0dbc-4ef0ddc 283->284 285 4ef0d12-4ef0d17 283->285 291 4ef0ddf-4ef0dec 284->291 286 4ef0d6a-4ef0da2 CallWindowProcW 285->286 287 4ef0d19-4ef0d50 285->287 288 4ef0dab-4ef0dba 286->288 289 4ef0da4-4ef0daa 286->289 294 4ef0d59-4ef0d68 287->294 295 4ef0d52-4ef0d58 287->295 288->291 289->288 294->291 295->294
                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 04EF0D91
                Memory Dump Source
                • Source File: 00000000.00000002.542048877.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4ef0000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: e695aab7dd235eb87da92255f362ab3a8c56b52e7d65345badd460ce633201ba
                • Instruction ID: d3e49959ccb076bab1db314a2f6ca29ff2ae18d53ee7728db5ae8a6f539df22c
                • Opcode Fuzzy Hash: e695aab7dd235eb87da92255f362ab3a8c56b52e7d65345badd460ce633201ba
                • Instruction Fuzzy Hash: 464119B5A00209CFDB14CF99C888A9ABBF5FB88314F148459D519A7321D775A841CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 298 293880c-29392b4 DuplicateHandle 300 29392b6-29392bc 298->300 301 29392bd-29392da 298->301 300->301
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029391E6,?,?,?,?,?), ref: 029392A7
                Memory Dump Source
                • Source File: 00000000.00000002.513895994.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2930000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: c06139838414b62d63f199b2ee23c8e63fb9f38c3175883195dc5a5a0ac9402e
                • Instruction ID: d02aae6b6023f6bac655e88b6d29917ba4583000fa5ed3b156c34f502852ef21
                • Opcode Fuzzy Hash: c06139838414b62d63f199b2ee23c8e63fb9f38c3175883195dc5a5a0ac9402e
                • Instruction Fuzzy Hash: A621E3B5900208AFDB10CFAAD984BDEBBF8FB48324F14841AE915A3310D374A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 304 293921e 305 2939220-29392b4 DuplicateHandle 304->305 306 29392b6-29392bc 305->306 307 29392bd-29392da 305->307 306->307
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029391E6,?,?,?,?,?), ref: 029392A7
                Memory Dump Source
                • Source File: 00000000.00000002.513895994.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2930000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 31789089c6acc5d3389f714c5ac0bcdb2ffb9c615258a6ded4b17a8e2fe578fe
                • Instruction ID: 6ca8f8f354b229a8700493c4c4ba7607bfd0bc8a5282962fb9d24af42b311f1f
                • Opcode Fuzzy Hash: 31789089c6acc5d3389f714c5ac0bcdb2ffb9c615258a6ded4b17a8e2fe578fe
                • Instruction Fuzzy Hash: 7021C4B5900209AFDB10CF9AD584ADEBBF8FB48324F14841AE915B3310D375A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 310 2937998-2938668 312 2938670-293869f LoadLibraryExW 310->312 313 293866a-293866d 310->313 314 29386a1-29386a7 312->314 315 29386a8-29386c5 312->315 313->312 314->315
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02938481,00000800,00000000,00000000), ref: 02938692
                Memory Dump Source
                • Source File: 00000000.00000002.513895994.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2930000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: ed85c6b091b14b8130c2247fa358a32249e1685e129fdc087d848dd77070f3d7
                • Instruction ID: 6f9c95518206387fd9568de3022e7a07235d1a58098c81314026b83c577ee76b
                • Opcode Fuzzy Hash: ed85c6b091b14b8130c2247fa358a32249e1685e129fdc087d848dd77070f3d7
                • Instruction Fuzzy Hash: 601114B69003089FDB10CF9AC448ADEFBF4FB48328F04842AE915A7300C375A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 318 2938626-2938668 320 2938670-293869f LoadLibraryExW 318->320 321 293866a-293866d 318->321 322 29386a1-29386a7 320->322 323 29386a8-29386c5 320->323 321->320 322->323
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02938481,00000800,00000000,00000000), ref: 02938692
                Memory Dump Source
                • Source File: 00000000.00000002.513895994.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2930000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: a9bb210cbe0d31c7e169a1e003ada931aa1e06a692821aa5f8bf1b8e6dc7f6be
                • Instruction ID: b8d5e5620357740c5f7b9abd40d04af85130e9de3e14a3dc4c3c2b52c70a80bc
                • Opcode Fuzzy Hash: a9bb210cbe0d31c7e169a1e003ada931aa1e06a692821aa5f8bf1b8e6dc7f6be
                • Instruction Fuzzy Hash: 5B11E2B69002099FDB10CF9AD488ADEFBF8FB88328F14842AE515A7600C375A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 326 2937930-29383e0 328 29383e2-29383e5 326->328 329 29383e8-2938413 GetModuleHandleW 326->329 328->329 330 2938415-293841b 329->330 331 293841c-2938430 329->331 330->331
                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 02938406
                Memory Dump Source
                • Source File: 00000000.00000002.513895994.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2930000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 887cc0c76b4bd39b4de38a81ebd452d7b1ed013fa649acec1039642e68f86ed2
                • Instruction ID: f89720e7a28ca4963b8e01d7d5dae096ca2b28eeb30488656a74d810258e186b
                • Opcode Fuzzy Hash: 887cc0c76b4bd39b4de38a81ebd452d7b1ed013fa649acec1039642e68f86ed2
                • Instruction Fuzzy Hash: C511E2B5D002098BDB10CF9AC848B9EFBF4EB49224F10842AE819B7600C375A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 333 29386d2-29386d4 334 2938660-293866c 333->334 335 29386d6 333->335 338 2938670-293869f LoadLibraryExW 334->338 336 29386d8-29386db 335->336 337 29386dc-29386e5 335->337 336->337 339 29386e7-29386eb 337->339 340 29386ec-29386f8 337->340 341 29386a1-29386a7 338->341 342 29386a8-29386c5 338->342 346 2938702-2938717 call 293794c 340->346 347 29386fa-2938701 340->347 341->342
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02938481,00000800,00000000,00000000), ref: 02938692
                Memory Dump Source
                • Source File: 00000000.00000002.513895994.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2930000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 417543fef2dc5d4adac4f9ed9e7be9a34d79c412f84b50d0798752f317430130
                • Instruction ID: dd281a54ad6ee4dd867ceef44555cc4ba48161802109745a74744ee43422311a
                • Opcode Fuzzy Hash: 417543fef2dc5d4adac4f9ed9e7be9a34d79c412f84b50d0798752f317430130
                • Instruction Fuzzy Hash: CE019EB69043088FDB108B99D4047DAF7F8FF89328F14842AE609A3640C3B6A805CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 351 4ef1d14-4ef2912 OleInitialize 353 4ef291b-4ef2938 351->353 354 4ef2914-4ef291a 351->354 354->353
                APIs
                • OleInitialize.OLE32(00000000), ref: 04EF2905
                Memory Dump Source
                • Source File: 00000000.00000002.542048877.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4ef0000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: Initialize
                • String ID:
                • API String ID: 2538663250-0
                • Opcode ID: 6525d3f10210a0a322c75ebc6d34df40cd5985647c0e8b083bd48b7c88cb9c2e
                • Instruction ID: a2c9ebd2faa838666c39c3b9094f84ad28603da6799c01f1be13f74e143cea01
                • Opcode Fuzzy Hash: 6525d3f10210a0a322c75ebc6d34df40cd5985647c0e8b083bd48b7c88cb9c2e
                • Instruction Fuzzy Hash: 381115B19003488FDB10CF9AD448BDEBBF4EB48328F148459E619B7700D375A944CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 357 4ef28a8-4ef28aa 358 4ef28b0-4ef2912 OleInitialize 357->358 359 4ef291b-4ef2938 358->359 360 4ef2914-4ef291a 358->360 360->359
                APIs
                • OleInitialize.OLE32(00000000), ref: 04EF2905
                Memory Dump Source
                • Source File: 00000000.00000002.542048877.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4ef0000_RvC3HdKbs2.jbxd
                Similarity
                • API ID: Initialize
                • String ID:
                • API String ID: 2538663250-0
                • Opcode ID: dd5040699a4f2c5c1e4b612256479c31ac4aae4c32b9706ca3193ba6e15d90c2
                • Instruction ID: 48b2a5cd33009c6735c43200d74921dd9ea339d861e248c097b20f891802277b
                • Opcode Fuzzy Hash: dd5040699a4f2c5c1e4b612256479c31ac4aae4c32b9706ca3193ba6e15d90c2
                • Instruction Fuzzy Hash: 211115B59002488FCB10CF9AD488BDEFBF4EB48324F14845AD619A7700C375A544CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.513079390.00000000025AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025AD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_25ad000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5845e99571e2c84a5e581815ec536add86d1e8b6212c30b069b7c7bc1cfea469
                • Instruction ID: 32069b6a36795fe0101179c00f5ab36541c2a5695e61b5dce9845989c94da311
                • Opcode Fuzzy Hash: 5845e99571e2c84a5e581815ec536add86d1e8b6212c30b069b7c7bc1cfea469
                • Instruction Fuzzy Hash: 152106B2505200DFDB04EF10D9D1B2ABFB5FB8C318F248569E9054B606C376D846CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.513270682.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_25bd000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d42751581b10d6756ace7d39a240000223d1c27e4912bb2c2664834291f74b9a
                • Instruction ID: 975bfa82b9f782776fc9f80653693d1e2537137633b9f929b65c2706cdf8599a
                • Opcode Fuzzy Hash: d42751581b10d6756ace7d39a240000223d1c27e4912bb2c2664834291f74b9a
                • Instruction Fuzzy Hash: 822125B5505208DFDB15CF10D8C4B66BFB1FF88314F24C969D8094B246D37AD847CA65
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.513270682.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_25bd000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7b5a0d8c821f6a69d513e2be24c766a24f7810e6347fd3cde4397721101f77cd
                • Instruction ID: ea3d5cb6ed5526c71abb88add2cf171adc58644142413df3e3ddc25213e7d4ca
                • Opcode Fuzzy Hash: 7b5a0d8c821f6a69d513e2be24c766a24f7810e6347fd3cde4397721101f77cd
                • Instruction Fuzzy Hash: 8B217C755093848FCB12CF20D994B55BF71FF46214F28C5DAD8498B667C33A980ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.513079390.00000000025AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025AD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_25ad000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
                • Instruction ID: b42cc510340dca5c6b1a57e1130f80e93756cb774adb2f27ab66df8dc4248900
                • Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
                • Instruction Fuzzy Hash: 9211B176505280CFCB11DF10D5D4B1ABF71FB89324F28C6A9D8090B616C336D856CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.542740030.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5020000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 85ffcdeb32d9c63a8ef887c3d5453dfa6f72231e1b631a4569d919394828d6e8
                • Instruction ID: 02a485863976fe76df5e42534061a32e8eaf0803dcdb78c90bd18bdcac08b297
                • Opcode Fuzzy Hash: 85ffcdeb32d9c63a8ef887c3d5453dfa6f72231e1b631a4569d919394828d6e8
                • Instruction Fuzzy Hash: 42113930D09298DFCB56CFA8E854BADBBF1FB02305F1588D6C845AB691D3785A80CB41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.542740030.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5020000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 08befd1f8471208ca832d56d86f58a7502506693f999d10085f8834cd787838c
                • Instruction ID: 093ba981071041c41b11ff805b36b925aa2cefe8a9d5b2fbb0bf8622f12fb1ff
                • Opcode Fuzzy Hash: 08befd1f8471208ca832d56d86f58a7502506693f999d10085f8834cd787838c
                • Instruction Fuzzy Hash: 6E11DB34E08118EFCB54DF98E554AADB7F1FB44305F1044A5D905A7344D7746F90CB95
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.513895994.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2930000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e0fc4b6fbbe8fb0bad0af5cf01ea70710fea8f746b3c015ab77f0051cb508cd4
                • Instruction ID: 49de376b57dcdbd2c43d35d6a9d7f7deb434896253ccf132032439536496dbfc
                • Opcode Fuzzy Hash: e0fc4b6fbbe8fb0bad0af5cf01ea70710fea8f746b3c015ab77f0051cb508cd4
                • Instruction Fuzzy Hash: D5A16D32E002198FCF16DFB5C99459EBBF6FF84308B15856AE905BB220DB35A945CF80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.542048877.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4ef0000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f3ab579bbe77c83ac85b3bbb3044c03008680213e4e1e53e2fe9a42a54f2acd9
                • Instruction ID: d9c99998ca6c5b9794fc9f1ee8481d2954e019ab4a7f0330af9d725dc5f4afd6
                • Opcode Fuzzy Hash: f3ab579bbe77c83ac85b3bbb3044c03008680213e4e1e53e2fe9a42a54f2acd9
                • Instruction Fuzzy Hash: 01811670E046498FD748DFAAE854A9EBBF3FFC8305F00C529C1059B668EB786D168B41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.542048877.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4ef0000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 24fecfec698e9e22a28cd99c62681936c79d8f48b7b4ccc92d7e42d5047f6d69
                • Instruction ID: ebc61e1d6e659dbd4b94452d813b43547f339de8668e53f3ff1cf38aa4646db1
                • Opcode Fuzzy Hash: 24fecfec698e9e22a28cd99c62681936c79d8f48b7b4ccc92d7e42d5047f6d69
                • Instruction Fuzzy Hash: 54811670E146498FD748DFAAE854A9EBBF3FFC8305F00C569C0059B668EB786D168B41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.542048877.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4ef0000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ada2da2b52030bc09d44dd20a53271bd69735535da30ee60062529feba8f465b
                • Instruction ID: cfe76445167837fdc35cb74419d777d3f1c89febc78e11bc9e9fe272b21ed5db
                • Opcode Fuzzy Hash: ada2da2b52030bc09d44dd20a53271bd69735535da30ee60062529feba8f465b
                • Instruction Fuzzy Hash: 04417C71E016188FEB68CF6BC94878ABBF6BF89304F14C1E9D50DA6254DB745A858F01
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.542048877.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4ef0000_RvC3HdKbs2.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0d3d71694e3bc20b6c51467be9d956cf2c7248a3ccc7d8b0c4ed3526ba05b7e8
                • Instruction ID: 2d2829c9808a91955a61cc7ef7b64627ec2bd8f6d37a72f9b75b13e1a71f094b
                • Opcode Fuzzy Hash: 0d3d71694e3bc20b6c51467be9d956cf2c7248a3ccc7d8b0c4ed3526ba05b7e8
                • Instruction Fuzzy Hash: D331ACB1E016188BEB58CF6BCD4978AFBF7AFC9304F14C1A9D40CA6255EB741A858F11
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bdaaae308ef70f41fe5d0e5d00eaf7ad53ca7549e13600365eb4fbc81ad79aa8
                • Instruction ID: bf4ec3e0165270619136eaf0d0ae3be3f2c16b2e9aeb2f691193fe7418697fc1
                • Opcode Fuzzy Hash: bdaaae308ef70f41fe5d0e5d00eaf7ad53ca7549e13600365eb4fbc81ad79aa8
                • Instruction Fuzzy Hash: 60033F34A142589FDB69EB60D855BAE7B73FB88304F1080E8EA0A67794CF356D81DF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9062b45da48fcd30c32108368a239986a6edadeee16ad23d7345c87a1a235f58
                • Instruction ID: 120c257b115eaee36dd99a28faadbe1d70a622134dbea4c7a60dcb722dd985f0
                • Opcode Fuzzy Hash: 9062b45da48fcd30c32108368a239986a6edadeee16ad23d7345c87a1a235f58
                • Instruction Fuzzy Hash: D8033F34A142589FDB69EB60D855BAE7B73FB88304F1080E8EA0A67794CF356D81DF50
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: Hr%l$Hr%l$caj^${aj^
                • API String ID: 0-3677555722
                • Opcode ID: b2963a34e5a19a4a5b11ef73907893a1ab086d4218c0cfd8a290c9ab16c92aab
                • Instruction ID: 6b97b7af7d5bd14de101120e067fba4782f0d489ed36d7f3cb44ad8e5a57dab8
                • Opcode Fuzzy Hash: b2963a34e5a19a4a5b11ef73907893a1ab086d4218c0cfd8a290c9ab16c92aab
                • Instruction Fuzzy Hash: 7611A7313046411BCB11EB69D490AEFB793AFC2258B048A79D96ECB741EFA1AE054BC1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: Hr%l$Hr%l$caj^${aj^
                • API String ID: 0-3677555722
                • Opcode ID: b977861eb2a693d7be3789235fca83921029b2f89e801a03f53c87e7a5b423be
                • Instruction ID: be803969dced3ca426c301f13afa9f9cdfe1448b06d97a578275361d0ee359ad
                • Opcode Fuzzy Hash: b977861eb2a693d7be3789235fca83921029b2f89e801a03f53c87e7a5b423be
                • Instruction Fuzzy Hash: FD11A13130064517CB11EA69D490AFFB3D7AFC2258B408A39D92ECBB40EFA1BE054BC1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: d
                • API String ID: 0-2564639436
                • Opcode ID: aa64e39cb57dbf51113a13655f8922c9b358932c95dc9fce49ba619143693a79
                • Instruction ID: 2847faddb5471b7c32c2e94158097d48df82a300038f9b0bbb7e927d7dfaabf8
                • Opcode Fuzzy Hash: aa64e39cb57dbf51113a13655f8922c9b358932c95dc9fce49ba619143693a79
                • Instruction Fuzzy Hash: 0212BDB0A006058FDB24CF29C5809AAB7F2FF88314F15C569E45AAB791DB30FC46CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: d
                • API String ID: 0-2564639436
                • Opcode ID: 791b065869c81f8cde1f41d1b32144190d826df792a13d66019c17b206f2b4da
                • Instruction ID: 59476d92a92b7b1882354cd135a7b23366bc8da10752c47510eea485e3f0603b
                • Opcode Fuzzy Hash: 791b065869c81f8cde1f41d1b32144190d826df792a13d66019c17b206f2b4da
                • Instruction Fuzzy Hash: F2B189346006058FDB24DF59C590A6AF7F2FF88314B16CAA9D45A9BB61DB30FC46CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: +.
                • API String ID: 0-1318544442
                • Opcode ID: 54056459aca347072f385c4a92604d697102e5811b957551bc4e2436f0a792ae
                • Instruction ID: 5153b4da6c40d22738564c84177364481d866f38d73a87f5e06227631ca7f78f
                • Opcode Fuzzy Hash: 54056459aca347072f385c4a92604d697102e5811b957551bc4e2436f0a792ae
                • Instruction Fuzzy Hash: 09A15D74A00205CFCB28DF64D498AADB7B2FF89315F14846AE9069B7A0DB35ED46CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: $%!l
                • API String ID: 0-4161362926
                • Opcode ID: baf6ab93f7e322c6685a9c3b63eabd0692ab8d00630f481ce49c0de872df5ac5
                • Instruction ID: cbc573a991f4bf61f080e0fbfd447fadbe694b5d388f22d707efd74e54b1c8ad
                • Opcode Fuzzy Hash: baf6ab93f7e322c6685a9c3b63eabd0692ab8d00630f481ce49c0de872df5ac5
                • Instruction Fuzzy Hash: 683190B0E046448FDB25DB74C455BEE7BE3AF89304F0488A9C506AB354EF749D0ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: $%!l
                • API String ID: 0-4161362926
                • Opcode ID: 6d147de7872221df8b43fb9fc654c38e0cb71b885294f07cfeb5c54c335b52b7
                • Instruction ID: 6559cefe128bbaecedbbdbfba3939a7dd7dad78a831109a1e6c5614d5b7fb539
                • Opcode Fuzzy Hash: 6d147de7872221df8b43fb9fc654c38e0cb71b885294f07cfeb5c54c335b52b7
                • Instruction Fuzzy Hash: D3318F70A046448FDB15EB74C854BAEBAF3AF88304F1588A9D506AB354EF749D05CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8^%l
                • API String ID: 0-3725521276
                • Opcode ID: 0129c1dc66a8c7117543d9244bcdec25096113d99f64b50e1c9c593f1d3457e5
                • Instruction ID: 2699ece9a3f652bad8b27f8b14e928cf4ab58d4ebd10b96a5181be3e5106b1a2
                • Opcode Fuzzy Hash: 0129c1dc66a8c7117543d9244bcdec25096113d99f64b50e1c9c593f1d3457e5
                • Instruction Fuzzy Hash: 74F044733086245FDB24DAA9E880A6BB3EDEB84765B15417AE509C7350DFB2EC0687D0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: $%!l
                • API String ID: 0-4161362926
                • Opcode ID: b2c504728fe97ff4047cec67204bbd94877a5126846b136edad8b88086970ffc
                • Instruction ID: d61c89dea43ec23d32bfa5a1cd63f4a7a339b32fe045535d39f20e2de3aba609
                • Opcode Fuzzy Hash: b2c504728fe97ff4047cec67204bbd94877a5126846b136edad8b88086970ffc
                • Instruction Fuzzy Hash: DF118EB4B08A408FDB249F74C4156AEBAE3AF84304F1488A9D543DB364DF75ED09CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: $%!l
                • API String ID: 0-4161362926
                • Opcode ID: 4e65bc50e7126c88f89b6e31b0fd186b0c12279518ca9e8c32e138c0852edfe5
                • Instruction ID: 19fd984852cf8737f144792709558a04adbdd477e80efd77f48d0433395d385d
                • Opcode Fuzzy Hash: 4e65bc50e7126c88f89b6e31b0fd186b0c12279518ca9e8c32e138c0852edfe5
                • Instruction Fuzzy Hash: 6C118E74B046408FDB249F74C4156AEBAE3AF84304F1488A9D543DB354DF75ED09CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8^%l
                • API String ID: 0-3725521276
                • Opcode ID: f18fc22a3ede24c44b73e2f1de0e1eab2eb5acd12708b5257fa9a418f1eb92f4
                • Instruction ID: e81e79a3f5875c56e63bba13eb8e7a56be29b95642e744f2705dc3391747b885
                • Opcode Fuzzy Hash: f18fc22a3ede24c44b73e2f1de0e1eab2eb5acd12708b5257fa9a418f1eb92f4
                • Instruction Fuzzy Hash: 89F028727082109FD724CBA8D8809AB77E9EFC5315B15417AE406CB391CBB1EC03C791
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: $,%l
                • API String ID: 0-2478089573
                • Opcode ID: 7d02980b7b8c30ef10f145221244214e7de386933cd2a09e8641c48ad9f8a1de
                • Instruction ID: 2f2e669d51145cbb16b36eebbf79e336865c926284d041e9e4509dea31f3e414
                • Opcode Fuzzy Hash: 7d02980b7b8c30ef10f145221244214e7de386933cd2a09e8641c48ad9f8a1de
                • Instruction Fuzzy Hash: 44F0A0353005044FC6A4E779D448BAEB3EADB85315F0148A9E20ECB761CF20AC428B91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: $,%l
                • API String ID: 0-2478089573
                • Opcode ID: df78d6e760d8745c2e62ed44f4c532eb7fe048f3351416f88d849f283e0e4bc1
                • Instruction ID: 7ecb559d431959416986c9cb6283e8151a3ed7dfa827dac7d7d510c72cf217b9
                • Opcode Fuzzy Hash: df78d6e760d8745c2e62ed44f4c532eb7fe048f3351416f88d849f283e0e4bc1
                • Instruction Fuzzy Hash: A2F0A0353005044FC7A4EB74D088BEEB3E6DB85315F0148A9E21ECB761CF20AC428B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ba62973171143875d59a2ab8f0f78ced7357e77a8eddd01f6c72b96c0a42d511
                • Instruction ID: ce44df72c905401a688c55b7f0315717683999c88a5925b3caa38b74b671b40b
                • Opcode Fuzzy Hash: ba62973171143875d59a2ab8f0f78ced7357e77a8eddd01f6c72b96c0a42d511
                • Instruction Fuzzy Hash: 4ED1CD74B042069FCB149F74C895ABF77A7EF88304F018529EA46CB790DB79DD168BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4b89ada5775f3cf0149efd014bbde768037ad3113ddb001f845388a9dbca960f
                • Instruction ID: 70eaac23051e7f48e7ec5d9a9fc63d34d67685842a9b04b438e426d6870b7108
                • Opcode Fuzzy Hash: 4b89ada5775f3cf0149efd014bbde768037ad3113ddb001f845388a9dbca960f
                • Instruction Fuzzy Hash: 6FD12B34614208CBD709EF60D454AAEB773EF89305F119578D2052B3A6DFBAAD42DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 62b2c9ed401cd6dcbf51740ae11fb7d7eb4d350a50517603c2e74297afe38e8d
                • Instruction ID: ef6575208adfcb2e68422ab433467f8517a63258478059daf30438932657b3f2
                • Opcode Fuzzy Hash: 62b2c9ed401cd6dcbf51740ae11fb7d7eb4d350a50517603c2e74297afe38e8d
                • Instruction Fuzzy Hash: A4C18D74A042089FCB04DFA4C490AADBBF2FF88314F1484A9D906AF355DB75ED86CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3f58192c32541452606eabc1b9ed3b45a3cc82a81937b7a92abf57c13af87266
                • Instruction ID: 1dc2f68460d03b650076649725b160a6056d17ae088671236847830569ab9384
                • Opcode Fuzzy Hash: 3f58192c32541452606eabc1b9ed3b45a3cc82a81937b7a92abf57c13af87266
                • Instruction Fuzzy Hash: D6B1C2B0A042099FDB24DFA5C454BEEBBF3EF89304F118469E905AB350DB74A946CF61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 05645233335fd0dae3836a2c9053396d9ed2a3975a2ce6942113ae49e5160584
                • Instruction ID: 992f5a1ba34ec5a68f1bcc0e5e9b0a25476c66ebf48816b30fd0e61966b419d6
                • Opcode Fuzzy Hash: 05645233335fd0dae3836a2c9053396d9ed2a3975a2ce6942113ae49e5160584
                • Instruction Fuzzy Hash: 0FC15BB0A042498FDB65DFA4C494BAEBBF2EF85300F158469E805AB794DB34DD86CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 951647a932fc24f8f636d14a4b1a29d6d50c123c6cc98daeecd389aabffb5b51
                • Instruction ID: 246eee2c306503e3477ccdefb64b2cc49e9fbdccefcf8e701aab074efc743f9c
                • Opcode Fuzzy Hash: 951647a932fc24f8f636d14a4b1a29d6d50c123c6cc98daeecd389aabffb5b51
                • Instruction Fuzzy Hash: 6CA15D743143009FD725AB74D459B6AB7A3AF85324F60CA6CE1568BBC4CF79E8468B80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8a96a06cd26b9223e4ad510ae29b01386dd877500e482301f0dcb2caba444455
                • Instruction ID: f13eec1609422160c6fa475042f26b4ac1eeb20e073e1987c10aeb83f351ea03
                • Opcode Fuzzy Hash: 8a96a06cd26b9223e4ad510ae29b01386dd877500e482301f0dcb2caba444455
                • Instruction Fuzzy Hash: F6A1BD70A042159FCB18DF68D890AADBBF2BF86315F15857AE505DB7A1DB31EC02CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8738fb761c3b12055b675d998d884305c19d79ddebd83b50356e3d01ce794283
                • Instruction ID: 71b110257b3297abb99b9410b4b6015300987300db96fc05c36994d4c13850d2
                • Opcode Fuzzy Hash: 8738fb761c3b12055b675d998d884305c19d79ddebd83b50356e3d01ce794283
                • Instruction Fuzzy Hash: 2EB14878A001489FD785EBA0D958FBEB7B3EF89305F1180B8D6056B795CE35AC058F61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3d7ed2f4445bd2af002dfee8bb637bad90fb02b95475fab78a71c2ed037ee894
                • Instruction ID: aab205761d4bba57979d0d6cb62782fbcd69b19206d2df038d251ad7a54508cb
                • Opcode Fuzzy Hash: 3d7ed2f4445bd2af002dfee8bb637bad90fb02b95475fab78a71c2ed037ee894
                • Instruction Fuzzy Hash: 9DB12778A001489FD785EBA0D958FBEB7B3EF89305F1180B8D6056B795CE36AC058F61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 06e3805872f3025449bc21a084a8ef7e64525d67ac9664290f787f8b42ba2ced
                • Instruction ID: e5773520aab628c96c8d2f45716abae2d58d6ce48ecfff92300f4f071cd9f7c3
                • Opcode Fuzzy Hash: 06e3805872f3025449bc21a084a8ef7e64525d67ac9664290f787f8b42ba2ced
                • Instruction Fuzzy Hash: 4DA13774E012089FDB05DFA4C484AADBBF2FF89314F1484A9D806AB355DB75ED86CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0b7a7afffed8f8a1d7f33b5b8aeb6e500b4f0bb7bfd8259707d0040cc69069c7
                • Instruction ID: 2e99661afb0d463c66c20c6480388a8ab8263e4af972c4c7848dc50513ac31e8
                • Opcode Fuzzy Hash: 0b7a7afffed8f8a1d7f33b5b8aeb6e500b4f0bb7bfd8259707d0040cc69069c7
                • Instruction Fuzzy Hash: 3A6168757082504FC7259B35D8546EA7BA6EFC1614F0A84BAE505CB3A2DB38DC0AC7A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 919e64026d9843cf4aaab42d98a345c1437b759e94ec1f8a039d2aba63390536
                • Instruction ID: 43bcfc3a8ed94f5a2e98d320d01209978c6b29b0de80898c71a821ec2cba34d4
                • Opcode Fuzzy Hash: 919e64026d9843cf4aaab42d98a345c1437b759e94ec1f8a039d2aba63390536
                • Instruction Fuzzy Hash: BC61037560C3458FC724DB64E8509ABBBA2EFC1214F05897EE645CB691DB34AC0ACB71
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0b5687db9ed0eb4a573f52a0ca18eafa2dfb6fa278c9e13e6af9a8d57b61d44b
                • Instruction ID: 316927f26b1eec534f8bee291c8eb1c9c1d91c4ae854dcef7d66a4675688f1a0
                • Opcode Fuzzy Hash: 0b5687db9ed0eb4a573f52a0ca18eafa2dfb6fa278c9e13e6af9a8d57b61d44b
                • Instruction Fuzzy Hash: CF71C0B4A082089FCB15DB78E4446EDFBF2EF8A310F05846AD941EB791DB359845CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 354f95e1deb280e4660e7730fc38889246114735b4a4756794bfb4b46b4e8849
                • Instruction ID: c00b39b0a37955c4fa4d55a02dcfc55d8ee0bb84b43148450f96cc3258fe6cd2
                • Opcode Fuzzy Hash: 354f95e1deb280e4660e7730fc38889246114735b4a4756794bfb4b46b4e8849
                • Instruction Fuzzy Hash: E061A174E006099FCB14DFA9D480ADEBBF2FF89314F108569E505AB754DB70AE46CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 93f5402d0e640e3c0fb42d1cd539f7de1bea8ad191b58f9f86f631053559ac1a
                • Instruction ID: a3c70aecef231498350ab0830bb0edabae446fe59ea4e7b4d59b41a91613f3a0
                • Opcode Fuzzy Hash: 93f5402d0e640e3c0fb42d1cd539f7de1bea8ad191b58f9f86f631053559ac1a
                • Instruction Fuzzy Hash: 2651A135B1025C9FDB169B94D810BAEBBB7EB8C300F1080A9E606A7395DF75AC019B95
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea992110b5a544c3990c38a66106cf5d3fa89de043e4ac01eeb30e0505e8eec5
                • Instruction ID: ed72014828049a7de5e14beb04569f6a6d2608e82290928bab6f3e219c92e1b9
                • Opcode Fuzzy Hash: ea992110b5a544c3990c38a66106cf5d3fa89de043e4ac01eeb30e0505e8eec5
                • Instruction Fuzzy Hash: 8D51FF75B082059FCB24DF64C8546EEBBB3EF80314F118869E506DB395EB749E09CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7346bccafaf4b17127e5bc12af7114758927b60788ab1d7ce508b17c23420e97
                • Instruction ID: 433353bf337d83f582fa44937308a5c481e7d98e79b10bb37ac7c590d0b0fe04
                • Opcode Fuzzy Hash: 7346bccafaf4b17127e5bc12af7114758927b60788ab1d7ce508b17c23420e97
                • Instruction Fuzzy Hash: D2517035B1425C9BDB16DB94DC10BAEBAB7EBCC300F108069E606A7394DF75AC019BA5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 88783ff7dfead51461734c4a5d88d027344f4a134dd25b7a83040a2e4c152119
                • Instruction ID: cfc28b8be306c96af1eaf7b2b877edf7ea4d691162d3b78f879241226edd44e8
                • Opcode Fuzzy Hash: 88783ff7dfead51461734c4a5d88d027344f4a134dd25b7a83040a2e4c152119
                • Instruction Fuzzy Hash: 8B51F370B0424A9FCB11DFA8D884AAF7BF7AF84214F148029EA05D7351DB35DD06CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b63688ecf71ea287fa3139b417f3d1405851dca752052415f0e73768552b2bef
                • Instruction ID: 37f07f8278b76ab42c7a6bc28ebbbc3ccb99ff6a0ed363900f224a4e782f453c
                • Opcode Fuzzy Hash: b63688ecf71ea287fa3139b417f3d1405851dca752052415f0e73768552b2bef
                • Instruction Fuzzy Hash: 0B519330A00704CFDB05AB75C8587BEB7B2FF89305F1589A9E506AB291DF749C86CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4a4cb8c6e993565f8ff461ac4acba42893999ac459b017d1212945bc6b55fd7
                • Instruction ID: 1ad691e41ce6281193adc0abc3a34f76b1d0b34c6203dabc1ccc12b976868b2e
                • Opcode Fuzzy Hash: e4a4cb8c6e993565f8ff461ac4acba42893999ac459b017d1212945bc6b55fd7
                • Instruction Fuzzy Hash: 6C51B530A00704CFDB05AB75C8587AEB7B2FF88305F1089A9E506AB390EF759C85CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ee1140e9e07dff02d62fe1c4938f555eed812d9afc504d5d5c44b62aff55ab48
                • Instruction ID: 9fbb534397dc9a0d1bbc80285bb8dcdac675315f79798b289d6898e6e36cdd95
                • Opcode Fuzzy Hash: ee1140e9e07dff02d62fe1c4938f555eed812d9afc504d5d5c44b62aff55ab48
                • Instruction Fuzzy Hash: 6551F6717083059FD724DB68E8809AEB7F6EFC1325F00892AE5098B761DB71AD45CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b7519328f70737811e44759ac0365bba5a2e4ed616d0a855623874fc21cd863
                • Instruction ID: 3d1fc27b5507fda7fda4d88b501b2a8ab599b98f4b0efac46078c8ba9af5846d
                • Opcode Fuzzy Hash: 2b7519328f70737811e44759ac0365bba5a2e4ed616d0a855623874fc21cd863
                • Instruction Fuzzy Hash: 0D4143B17082515FCF155F648854AEF3BA6EF85304F0580AAFA46CB391CB39DD06CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 68ee3cf34f3295dbf9f2158663ed70dc4dd2f621b138374a4a9015e0ebdc0a0a
                • Instruction ID: c1023cc2104cf8b16509bca78ad63f25bb8fc3614db8553d23f7c3557668edf8
                • Opcode Fuzzy Hash: 68ee3cf34f3295dbf9f2158663ed70dc4dd2f621b138374a4a9015e0ebdc0a0a
                • Instruction Fuzzy Hash: 60518F703047419FD324AF39D844B6AB7A3AF82320F508A3DD5668BBD5CF75E8468B90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4032472f2c1a18fb958188f5b1c9d3eb74b24c6dfc5e219f381ddb68e0d5d59c
                • Instruction ID: 0e7949fd527ea7db454fdf35cb8e0d444fa6c6789c4ebc4301fdf081f82f79bf
                • Opcode Fuzzy Hash: 4032472f2c1a18fb958188f5b1c9d3eb74b24c6dfc5e219f381ddb68e0d5d59c
                • Instruction Fuzzy Hash: AF514AB4E04209CFDB24DFA4D598BEEBBF6BF48305F148429E406A7290DB35A945CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 822d872d1f06ab1b2ffcad6a1f72a2a74e8866a5b05e3bcb34262d6c179fca16
                • Instruction ID: 3ee84a527548fe65b6076239d960e9f26df4dc94537e67d8dc43c0971f170d4b
                • Opcode Fuzzy Hash: 822d872d1f06ab1b2ffcad6a1f72a2a74e8866a5b05e3bcb34262d6c179fca16
                • Instruction Fuzzy Hash: 1C416D703047019FD324AB75D845B6AB7E3AF85320F508A3DD5268BBD4DF75E8468B90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c5dc0d876d8796489aaf08c9f0d38273c8f000f3ab422243ee57efb8b28dbeb6
                • Instruction ID: dd8e7bc9e570ee52a27ad9d8475f131f1cbfc9c6ecddc27d91470537c1dee396
                • Opcode Fuzzy Hash: c5dc0d876d8796489aaf08c9f0d38273c8f000f3ab422243ee57efb8b28dbeb6
                • Instruction Fuzzy Hash: EB41D375A042099FCB50DF68D884AEEBBF6EFC8314F148569E509DB345EB319D06CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 67d8c43e5b027863b3e53ed72f35ce21e841bf437b3fa81f994f1e4d48fe8cbb
                • Instruction ID: c851f7dc5faa26c5141642c641465978167b3bd5cf71f5bcb3f08fe1988eba74
                • Opcode Fuzzy Hash: 67d8c43e5b027863b3e53ed72f35ce21e841bf437b3fa81f994f1e4d48fe8cbb
                • Instruction Fuzzy Hash: B0417F74E042499FDB18DFB5D854AAEBBB3EFC9300F118129E905AB340DF3468468BA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1e0411bb7043ea0b73a38a28fc6effafc3a2ac94452e40b45fc459128231a406
                • Instruction ID: 7995e5e2d182ad79e28e39eec5c977aa13e459dd369cf0b6096f257e60b81eec
                • Opcode Fuzzy Hash: 1e0411bb7043ea0b73a38a28fc6effafc3a2ac94452e40b45fc459128231a406
                • Instruction Fuzzy Hash: EC41A3B1A0425A9BDF25CFB5D880AEEB7F5EF88314F00846AE915E7340D7319A15CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 80051f347a0469e55177e133b077b068ea421b98cf554687cb560aed1bb09000
                • Instruction ID: 3612c1bed0a3ba599d9bd4ce5bae2f28c6c5e579444ee0e32845697dcfbcd3a3
                • Opcode Fuzzy Hash: 80051f347a0469e55177e133b077b068ea421b98cf554687cb560aed1bb09000
                • Instruction Fuzzy Hash: C85160B1E046099BCB15DF65C4809CEF7B2FF84300F15CA59E919AB715EB70A946CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 68f968d4b7fdd5c4d115c4594511c950fd743bd29a7f28bd739dc532b2cfbd1c
                • Instruction ID: efdaae5517118568a8f87462e27cf674fd2ceec2616347179ba5c0c6c5728a6d
                • Opcode Fuzzy Hash: 68f968d4b7fdd5c4d115c4594511c950fd743bd29a7f28bd739dc532b2cfbd1c
                • Instruction Fuzzy Hash: 4B418E757101149FDB08DF68D494A7EBBA7EB89314F14C0A9E906DB391CF35DD028BA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fb589dd53e762058270f74479c0fd69b7ac92de1758b5d7494f2053c8cf87365
                • Instruction ID: 7abfd3eca0461781c1c5fe691fa0786ded7585e61d25175fb10d66b7bddd2666
                • Opcode Fuzzy Hash: fb589dd53e762058270f74479c0fd69b7ac92de1758b5d7494f2053c8cf87365
                • Instruction Fuzzy Hash: AC3107757083049FCB14CB64D850EAABBF6EF85311B0585AAE64ACB351DB74FD06CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff2fd64414b2703fc403f07bea9f39f9e3ea121c92565d88af21b398b4232705
                • Instruction ID: a7e6e74ee5468840ad29c14fb74aa20602cda81707a6f72a829729d6ae387ee2
                • Opcode Fuzzy Hash: ff2fd64414b2703fc403f07bea9f39f9e3ea121c92565d88af21b398b4232705
                • Instruction Fuzzy Hash: D44149743006008FC749EF38D4989197BF3FF89359B1585A9E50ACB361DF71AC468B90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 15b2429ae70a6dd6fde0ddd35b22ee3716ff444a51092d9ea1cb14b47b16fe3a
                • Instruction ID: bba4a848586b9467feff769f3ae6c764ce37aa96bf7d7df658a0837bb27638f9
                • Opcode Fuzzy Hash: 15b2429ae70a6dd6fde0ddd35b22ee3716ff444a51092d9ea1cb14b47b16fe3a
                • Instruction Fuzzy Hash: 7C418071E04209DFDB14DFA5D8406DEFBB6FF88310F20852AE916AB744DB30A946CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 409111974a39fdcf3cb631f73310bf7618e8cde0e202c7c625d4b7e7558c1468
                • Instruction ID: a4435830bafa138f624ede63bfd9b982eb7cea436f9a6400983d586e858a3902
                • Opcode Fuzzy Hash: 409111974a39fdcf3cb631f73310bf7618e8cde0e202c7c625d4b7e7558c1468
                • Instruction Fuzzy Hash: 5741ABB0E042588FCF15DFA8C854BDEBBF5AF89314F1580AAD805BB351CB789905CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9bdb7d3f46fee63234602ab1b295336c6745d82bd4fd6af9a566215da073636e
                • Instruction ID: ab71118fa4e4c4f8f989ca91ec91d0de5f2be464d9d4a76d470108dbcb4b362c
                • Opcode Fuzzy Hash: 9bdb7d3f46fee63234602ab1b295336c6745d82bd4fd6af9a566215da073636e
                • Instruction Fuzzy Hash: 9B4123747006008FC389EF39D448A29B7E3FF88359B1585A8E50ACB361DFB5EC428B90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d445962a3aba8c0f210977c5e10ec40639c5a4c7cf7858d54ab88d7b778ec361
                • Instruction ID: 5f01dc4d296aa9270a81dcb2ebcd4cb1faf29e678a3e575dc5aaa6ce512dfe87
                • Opcode Fuzzy Hash: d445962a3aba8c0f210977c5e10ec40639c5a4c7cf7858d54ab88d7b778ec361
                • Instruction Fuzzy Hash: C531F2757043009FCB14CB65D850AAABBF6EF85310F018569EA4ACB391DB74FD05CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2537ba31ac9dd9d153f00c15d2adf14b477c4cfe946d68d54d565d44b87b779c
                • Instruction ID: dca0cde3f70ce3c731314afcc070bc9490ef4800ea54cca29b490416c38db575
                • Opcode Fuzzy Hash: 2537ba31ac9dd9d153f00c15d2adf14b477c4cfe946d68d54d565d44b87b779c
                • Instruction Fuzzy Hash: DC31AF34704B128BEF19A630D4647BE77A3EFC0219F1481B9E50B8B7C6DF69994E8780
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dabcf1fda49c110249fc766b851299a678e80f28a3b0ce9915159e0301a3c176
                • Instruction ID: d348b9c745b1385dbfec217162f291635ffb3126d9e672be49115cf14a0efcf0
                • Opcode Fuzzy Hash: dabcf1fda49c110249fc766b851299a678e80f28a3b0ce9915159e0301a3c176
                • Instruction Fuzzy Hash: 1F319471B00205ABC7109B75D844AAEB7A7EFC5361F50C129E9268B780DF31DD068B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b00ee12bfc515b3aff1eed11564c8abd7411e84b4d75efc79f00559ab6b0ec1b
                • Instruction ID: cba082478b6bb3707b804d6187741780aa48c304caef7a6dae568c7180ce1588
                • Opcode Fuzzy Hash: b00ee12bfc515b3aff1eed11564c8abd7411e84b4d75efc79f00559ab6b0ec1b
                • Instruction Fuzzy Hash: E831F074A006058FC724DF79D984A6ABBF6FF88211F15896CE109DB395DB30EE19CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: aa0ffc550648b1c4c4d3fb329c6c99108bc33c544770aabe6b28073e6ae83564
                • Instruction ID: 10b55728abc5005b54ccbd12053b5d400bb0569188a4d8ba1a2b5d7b317e1e62
                • Opcode Fuzzy Hash: aa0ffc550648b1c4c4d3fb329c6c99108bc33c544770aabe6b28073e6ae83564
                • Instruction Fuzzy Hash: 3D3193B5704202DFCB24DFB5D480AA6B7B5FF88315F14896EEA1987641D731F941CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 47b47a4374af21dd93bda12fe270dc488d4ab5d6c96bdaa7c51f849871520275
                • Instruction ID: bb36e6f36ca6b524770f1d3d17436702afbab29b4f8c46af68a46e88f7b54086
                • Opcode Fuzzy Hash: 47b47a4374af21dd93bda12fe270dc488d4ab5d6c96bdaa7c51f849871520275
                • Instruction Fuzzy Hash: 0D319F34710B118BEF18A621D4647BE66A3EBC0249F148178D5078B7C9DF79E94A8780
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 98471e6641e071f44be41834b1e1838328d2f5d53e932b40628bff4161e5f4bb
                • Instruction ID: 9e0edd02e3d3398452aea69439f651474f09c6d19bb580127fc156d8f359ee0d
                • Opcode Fuzzy Hash: 98471e6641e071f44be41834b1e1838328d2f5d53e932b40628bff4161e5f4bb
                • Instruction Fuzzy Hash: DC316DB0E146099FCB14DF65C480ACEBBF2EF84304F148969E915AB755DB70AD46CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 17c283943371bb2ccb48d2f673faac18c6f6a3699e830716e61d01df65502597
                • Instruction ID: d24a5b291ed302ffd994b487aaa8d964223e0945162dcf5474e87e40428b571c
                • Opcode Fuzzy Hash: 17c283943371bb2ccb48d2f673faac18c6f6a3699e830716e61d01df65502597
                • Instruction Fuzzy Hash: B431C374B042458BEB14EBB8C4047AEBAE3AF48304F2444A9C517BB384DF799D05CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a673e669a3b9648921b016efe594350de29c9750e5282f7413588df029160d6c
                • Instruction ID: 2ce859cee49e53b80c80fb189bf25cd934ff6836b07ac2d7cc21f58f1c81232a
                • Opcode Fuzzy Hash: a673e669a3b9648921b016efe594350de29c9750e5282f7413588df029160d6c
                • Instruction Fuzzy Hash: 0431CF70B042059FD7259B74D898BEEBBF6AF89311F184469E401E77A1CF359C48CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 63dac8b8ebcc5193383d0bf9e57a01fff8cec6fa1d238c78466a28b39e199a5b
                • Instruction ID: 7612e63cbb3512fe923f4f6a053935555c1433c23ee5bf1dd4ed183cec2a87f7
                • Opcode Fuzzy Hash: 63dac8b8ebcc5193383d0bf9e57a01fff8cec6fa1d238c78466a28b39e199a5b
                • Instruction Fuzzy Hash: E031CFB1E002099FCB14CFA5C480ADEBBB2FF84310F108669E905AB745DB70A946CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: afc7531b745180c60f179cad25c27944bfc91cc6f05a1d6634faa91cddfb803d
                • Instruction ID: 9644ff0523b76430898ba133969870a9bfaabe8329e331195c7433c5cf45ea6e
                • Opcode Fuzzy Hash: afc7531b745180c60f179cad25c27944bfc91cc6f05a1d6634faa91cddfb803d
                • Instruction Fuzzy Hash: F331C274A042448BEB14DBB8C4457EEBBE2EF48304F2445A8C51BAB385DF75AD46CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 31c62a893aa3f1a325474260ce69e23a68faf470fdd9a0521ec007a9e7952086
                • Instruction ID: 9300a440a711d982cb08f4556fbb446f8e5b545ee9c5df17485bc1ad6f18d192
                • Opcode Fuzzy Hash: 31c62a893aa3f1a325474260ce69e23a68faf470fdd9a0521ec007a9e7952086
                • Instruction Fuzzy Hash: 053184B190424AAFDF21CF95D840AFF7FBABF89300F14806AF954A3251D7358A15DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b323c980a01759ae3c1244571fb6d3cdede0515e4e2cb54e6af22123cc842d37
                • Instruction ID: fc864ae4bfc0c382de5333dec4651f501a86ce511db53479575b24ff91a9bb31
                • Opcode Fuzzy Hash: b323c980a01759ae3c1244571fb6d3cdede0515e4e2cb54e6af22123cc842d37
                • Instruction Fuzzy Hash: 27314B74A04219DFCB18DBA8D894E9DB7F2FF89615F158165E806EB761CB31EC01CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 200e696469a050964dba6e65a8d70614ce16da4f8a8760df27da4b0e8cbace4a
                • Instruction ID: fc864ae4bfc0c382de5333dec4651f501a86ce511db53479575b24ff91a9bb31
                • Opcode Fuzzy Hash: 200e696469a050964dba6e65a8d70614ce16da4f8a8760df27da4b0e8cbace4a
                • Instruction Fuzzy Hash: 27314B74A04219DFCB18DBA8D894E9DB7F2FF89615F158165E806EB761CB31EC01CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c328b60d16b27327a1078ab61f237f42af6e8ba3e0fef890d336fa12d611535c
                • Instruction ID: 04895297175d426607c5695c2395e8a16307f9630e3a6b3918ae8f0bc8cbfdb9
                • Opcode Fuzzy Hash: c328b60d16b27327a1078ab61f237f42af6e8ba3e0fef890d336fa12d611535c
                • Instruction Fuzzy Hash: DB216D75B00209AFCB05DF69C881ABFBBB5FB89220F108169E90597741DA35ED56CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 68d9d7e85fd57f00f907e14d97d9af3c5fae974b2c3dc13e15b08330880c6e33
                • Instruction ID: d10de43320d4d075ae5be907fe6208524dc54efa2ec57adebd1314a182cf8a8f
                • Opcode Fuzzy Hash: 68d9d7e85fd57f00f907e14d97d9af3c5fae974b2c3dc13e15b08330880c6e33
                • Instruction Fuzzy Hash: 58314974A00219DFCB18DBA8D894E9DB7F2FF89715B158169E806EB761CB31EC01CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ddf3582bf70b29c3fcf94aaeb21d1b2c065f5938594acb53213713eca0068ac9
                • Instruction ID: fa09401453e52a69a7f2602a992d131570d4d599c1a8fb56d417fa8e91e576e8
                • Opcode Fuzzy Hash: ddf3582bf70b29c3fcf94aaeb21d1b2c065f5938594acb53213713eca0068ac9
                • Instruction Fuzzy Hash: 3A318D70B042059FD7249B74D498BEEBBF6AB88314F184468E405A77D1CF759C48CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4ab37526a24c0ea899a6ab214469fefd2219176cbbbb9fe1e0c416d2fc4229ab
                • Instruction ID: 4971ba6a16657adbee2bccbc6f026e67d7d597b6008a35cdc26f6259a262533e
                • Opcode Fuzzy Hash: 4ab37526a24c0ea899a6ab214469fefd2219176cbbbb9fe1e0c416d2fc4229ab
                • Instruction Fuzzy Hash: C3213634B083449FCB05DB74D85499E7BB3EF81304B158469D646CF392DB349C19C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e35f32b50e6702fd82f4295cecabd74a1e121dd87ee3320acadd4e0407e039f8
                • Instruction ID: 2d16c2624b8f84384f97d3730f8c452b2e9f9a2ec6ac7530d6edb623f1b8ccb0
                • Opcode Fuzzy Hash: e35f32b50e6702fd82f4295cecabd74a1e121dd87ee3320acadd4e0407e039f8
                • Instruction Fuzzy Hash: 6D21ABB0D042588FCB01DFA8D49479EBFF5EF89304F1580AAD949EB341C7385905CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0a8b2bac711e450b750d8ab96a35270aec8701bed0423393a7b8db0b47052005
                • Instruction ID: 2720941591d694fea5145136d907bf09db152616ef26522cb96eb3c73c64b31f
                • Opcode Fuzzy Hash: 0a8b2bac711e450b750d8ab96a35270aec8701bed0423393a7b8db0b47052005
                • Instruction Fuzzy Hash: 3511E1307046804FC318AB29D8849567BA6EFC5324B2185B9C26A8B796EF64E8068B80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 82566fa02fbb689dfb111bc1a79652265f750a608357c9501cf1055f8493f552
                • Instruction ID: 92a4f79e0897ece6aa9c8af0b7196b9c8c4d21f8b768908d8ed947a70d287c5d
                • Opcode Fuzzy Hash: 82566fa02fbb689dfb111bc1a79652265f750a608357c9501cf1055f8493f552
                • Instruction Fuzzy Hash: 0621C3B0E081095BDB15CB64D4C0BFE7BF6AB88310F14807AD805BB385DB759949CBB0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8c2714d4809e8aa698135b995d3787aeb7f3c7958a179d98fc75d81fcb600c80
                • Instruction ID: e1906cf7c116bca6f784ee114ff68aca8e0e9dc8430291eba1c55630f0723833
                • Opcode Fuzzy Hash: 8c2714d4809e8aa698135b995d3787aeb7f3c7958a179d98fc75d81fcb600c80
                • Instruction Fuzzy Hash: 241121B13083802FC306A7789C209AA3FA7DF8625574945EED649CF797CE614C0A87F2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5934c66d6a32c7ab2ad6b2dfc9437608c929e41521f5494e0e28772de3946761
                • Instruction ID: a037cd5ec002e58eed13f0da0a9c13e1647c6d568a57e643982ea765e3c5d289
                • Opcode Fuzzy Hash: 5934c66d6a32c7ab2ad6b2dfc9437608c929e41521f5494e0e28772de3946761
                • Instruction Fuzzy Hash: EC11E9316052055FC7119B75D8409EEBB77EBC6211B508129D9159B381DB31D946CBE1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 85b2b0a62db8a9ac3bcbeacd21918ac1181d0c12930829e90fc21f43f8070e87
                • Instruction ID: 90ba47e23d92254413431d7e5da03ebf1fdc115772f30e06aceb93e971063b71
                • Opcode Fuzzy Hash: 85b2b0a62db8a9ac3bcbeacd21918ac1181d0c12930829e90fc21f43f8070e87
                • Instruction Fuzzy Hash: B7117C357041599FCB109F69E844FAEBBABEBC8310F10802AEA09D7351CB319D158BA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 298325f66ed181fad8ccd9c9a9a58e4d26528c001c6c5a667426e80de5eaaefe
                • Instruction ID: b7a3dff2d409c554ceda1d25c1c5895ed5334797a207c143d1987613939aff09
                • Opcode Fuzzy Hash: 298325f66ed181fad8ccd9c9a9a58e4d26528c001c6c5a667426e80de5eaaefe
                • Instruction Fuzzy Hash: A2211D306047088FC354EB39C454BAA77E2FF81319F12886CD19A8B265DF76AD11CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d56967a2730b8a0ae61264c7cf41d8824b069d925706b89f53454431290581bf
                • Instruction ID: e611d329177618fc2359a2066b8c0a229438eee9b3d427560d290e5abe6bc3e3
                • Opcode Fuzzy Hash: d56967a2730b8a0ae61264c7cf41d8824b069d925706b89f53454431290581bf
                • Instruction Fuzzy Hash: 63216DB0D042199FCB04DFA9D9409EDBBF2FF89315F448479D908EB650EB30A945CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 22ccf6d521fa797803981fb1d624636c99ff3310dad8c3786078c8eab30344da
                • Instruction ID: 5e2d3b7313160a0417a3f9ad8c02461928c216b837d521ec900f712a1b4a797c
                • Opcode Fuzzy Hash: 22ccf6d521fa797803981fb1d624636c99ff3310dad8c3786078c8eab30344da
                • Instruction Fuzzy Hash: DC2121B5B401099FCB249F65D898AEE7BB6EF8C315F14C46AE402A7390CA715D45CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1d4630edec1782ee6c05f9c5b8a633de6f6be9823a75fa69e58ff4b417e1e786
                • Instruction ID: 6e5d359f559563691221ad1d4a2a9228c6cda0a5cddc436609d6e71eb01bb333
                • Opcode Fuzzy Hash: 1d4630edec1782ee6c05f9c5b8a633de6f6be9823a75fa69e58ff4b417e1e786
                • Instruction Fuzzy Hash: 4A114F75E002099FCB54DFA9D4448EEBBFAEB8C310F10851AE90AE7340DB315D128FA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f8ff71dfc998624353dfbae573166db47e9a609c433b5c33e23828547e927fee
                • Instruction ID: f4807de5306f5772f181a7e8e44811e7b44b869ef4f0aaa3e532a4ef8abff6ec
                • Opcode Fuzzy Hash: f8ff71dfc998624353dfbae573166db47e9a609c433b5c33e23828547e927fee
                • Instruction Fuzzy Hash: 96217FB4604346EFCB24CF65C880AA6BBB9FF89314F14C569E94887642D735E942CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 85eaf4ef6508fff00166d6e5b0d2d67029d7e13c63fddc46b1e11a15fcc4a294
                • Instruction ID: d9ef3a2374caba1f7b6491faf602a3a12b32a0ab21d08333dc38cf2c108aed9b
                • Opcode Fuzzy Hash: 85eaf4ef6508fff00166d6e5b0d2d67029d7e13c63fddc46b1e11a15fcc4a294
                • Instruction Fuzzy Hash: 53218130A042089FDF14DB64C855BEEB7F5FF88315F0044A9CA06AB394DB755A44CBB1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eb007594e7c0f5dfdd11d65fa51efebb2813aa474bc710fff7c97ae55507b144
                • Instruction ID: 55ca5c8d0f068b6486e00c630444c5c37f5a5c905d045776f24d7be0b451ed9a
                • Opcode Fuzzy Hash: eb007594e7c0f5dfdd11d65fa51efebb2813aa474bc710fff7c97ae55507b144
                • Instruction Fuzzy Hash: FD21F930604A088BC754EB39C454BAA73E2FF84319F52886CD19A8B364DF76AD11CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5681fdfbce5e2989806352770fce136fc231c499aa1647f0b16ebab6d6a69841
                • Instruction ID: 60cb3520c18440ead2a8430e26a51609839ce11e5ec05582c71bc2f7c2be10ba
                • Opcode Fuzzy Hash: 5681fdfbce5e2989806352770fce136fc231c499aa1647f0b16ebab6d6a69841
                • Instruction Fuzzy Hash: 691181B0E041095BDB15DBA4C4D0BFEBBF6AB89304F188079D905FB384DB759949CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e4e9d116cc6dac096a0fafb327b52cf73ff47a0238cdae6aac2ac817b0fcebb
                • Instruction ID: 04dc4fc731ac661ff208f66bef972ad8ee6551e23f7452987b3e32bee9b336d5
                • Opcode Fuzzy Hash: 3e4e9d116cc6dac096a0fafb327b52cf73ff47a0238cdae6aac2ac817b0fcebb
                • Instruction Fuzzy Hash: 0221F4B1D002189FCB50DF99D884B9EFBF8FB49714F14815AE909BB204D774A904CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4ff5b3178b8504500ee9743898bef5768ef743e743333743bc4b9ef959ce4e5f
                • Instruction ID: 29839f98c6c0a16f37b3c8af3819c4822d8bad50930427d3166e81f4e68015f2
                • Opcode Fuzzy Hash: 4ff5b3178b8504500ee9743898bef5768ef743e743333743bc4b9ef959ce4e5f
                • Instruction Fuzzy Hash: 9E1147B2C0461A9FCB10CF9AD4447EEFBF4FB48320F14812AE518A3640D378AA45CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 26dbedad2deb641582723000a6cda9b2c15c8fe70470d3ea7480379ada157ae9
                • Instruction ID: 36b269d077901d0c1b761181966ff8ac8b84c78d1f4a39bdc1aa691902cef87d
                • Opcode Fuzzy Hash: 26dbedad2deb641582723000a6cda9b2c15c8fe70470d3ea7480379ada157ae9
                • Instruction Fuzzy Hash: AC0128B17546195BDB30DA79F6007B3BBD8CB41350F080475EA0DC7390E656EC418780
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5706c7650e840407b5f4f20a35af734b763dc1e4c170a06f00e9df1818435bb6
                • Instruction ID: 6eb2189c4d1a467cd7d67df1c2bb490147c9bb317dd7dec6bef1b1ee2b0fa644
                • Opcode Fuzzy Hash: 5706c7650e840407b5f4f20a35af734b763dc1e4c170a06f00e9df1818435bb6
                • Instruction Fuzzy Hash: B3110271608205AFD711CF64D884D8ABBB6EF84321F04C569E5088B365CB71AE85CBF1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4ef396451d82f3949b1aca2440f971355c86721afd963da62f83b92866900378
                • Instruction ID: ab152adbf871a983e040d160038aa8949897563605b37025916d1de9991ff885
                • Opcode Fuzzy Hash: 4ef396451d82f3949b1aca2440f971355c86721afd963da62f83b92866900378
                • Instruction Fuzzy Hash: B301B121B18A515BFF35067684043BE25C6DB4175CF08C4FA9847CB6C2EBA9C8C8C352
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: faa826bd7265804b4561da708373910d5a50cc641e947bc1a0fedbf748a13797
                • Instruction ID: f1c32f678b65c3404852a8b535a43596c6f4a61c5e1600df2b56aeede635c8aa
                • Opcode Fuzzy Hash: faa826bd7265804b4561da708373910d5a50cc641e947bc1a0fedbf748a13797
                • Instruction Fuzzy Hash: 2D014C357043409BDB055B31AC599ABBFABDBC9221B05857AFA46CB381DF39DC0187A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 24bf45c436525e0e5b3b5b5a230af5da38609a3362762e39394d024e0ec1467f
                • Instruction ID: 47680e3cf756a32e50f941e1ec3ea4563c22c7183a51dce1f2530ea7adcb5f79
                • Opcode Fuzzy Hash: 24bf45c436525e0e5b3b5b5a230af5da38609a3362762e39394d024e0ec1467f
                • Instruction Fuzzy Hash: 6F1126B1D0061A9FCB10CF9AD444BEEFBF4FB49320F04812AE918A3640D778A654CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fc0eebda575eb7e82f2144d6dc87d5caee59b2a8ace5677d2113dda828ded472
                • Instruction ID: d59f5ba94fc381965017160ae8a24784824c3fa0612ca6eb74c1ea6178b6927f
                • Opcode Fuzzy Hash: fc0eebda575eb7e82f2144d6dc87d5caee59b2a8ace5677d2113dda828ded472
                • Instruction Fuzzy Hash: 8F111CB5A002098FCB249F65D498AEEBBB6EB8C324F14842AE406A7390CA715D45CF60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1d58815c4aa1e3a3bb9aee644db20471bf3e75eee81243b8f3007d67224a14a6
                • Instruction ID: 9eee249ebd95d54d0a401e4bd68a7b9f7cf8e8860340581777efee347f83c425
                • Opcode Fuzzy Hash: 1d58815c4aa1e3a3bb9aee644db20471bf3e75eee81243b8f3007d67224a14a6
                • Instruction Fuzzy Hash: 78112B75E002099FCB54DFA9D4449EEBBF6EB8C310B10842AEA0AE7340DB3099158FA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 02cfa0085abe6ae6bb710f13661089623d98e4386984b497cb70b499e231b158
                • Instruction ID: a5d9eda40417d05898bb9fa78bdcd80582dd918f695caed718ff07e3a63d2374
                • Opcode Fuzzy Hash: 02cfa0085abe6ae6bb710f13661089623d98e4386984b497cb70b499e231b158
                • Instruction Fuzzy Hash: 8211A9709002089FEF25DB64DC557EDB7F5EF48318F0049A5C90277394EB795A46CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 58bc25ed00157568270cba84e18971cfaab5247ad00fa464b0825ddc8718f5ee
                • Instruction ID: 8b8101fb3615d7e43360e94619ca671e5d256fa4e3e18d1914b812728c815e93
                • Opcode Fuzzy Hash: 58bc25ed00157568270cba84e18971cfaab5247ad00fa464b0825ddc8718f5ee
                • Instruction Fuzzy Hash: 06110430A046458FC710DF28D88499EBBF6EF85310F11456DD149EB365E770AE19CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a1fc8904522eee41a69cf0056c5817421f8bc0a970291f04af4408f268a80bc7
                • Instruction ID: d53c813dbdf4d3b77777d21ba766e3d86bfc7fed7daad01e5fbfbd2a27dfac55
                • Opcode Fuzzy Hash: a1fc8904522eee41a69cf0056c5817421f8bc0a970291f04af4408f268a80bc7
                • Instruction Fuzzy Hash: 2B012670B052905FD3118B68DC14BFFBF71AF81701F1440A6E104AF2C2CB755909C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 34efc51bb3ef562b5d651b3419a9fd6ded760b5fdf5479ac91eb5fbbd39e17bc
                • Instruction ID: 0dfc78068b046f3a077927ed2fd5461a648cddf51b0ff517230f06dc0a6bd6d4
                • Opcode Fuzzy Hash: 34efc51bb3ef562b5d651b3419a9fd6ded760b5fdf5479ac91eb5fbbd39e17bc
                • Instruction Fuzzy Hash: D5112270A052946FD7128B68DC00BFF7FB6AF82700F1400A6E504AF3C2CB744909CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ce98ef6e89781e78c7c17f343a7b374dac4ba47bef456d76db9634f16aa51e74
                • Instruction ID: 396390bc7dc7630c24b9337b1c91453f5636b2a63b41b79f62dc76bde79ba6bd
                • Opcode Fuzzy Hash: ce98ef6e89781e78c7c17f343a7b374dac4ba47bef456d76db9634f16aa51e74
                • Instruction Fuzzy Hash: 8E01D63220C6015FD355DB18E840D9BBBE3EF89320F15896EE288C7265CB315E198BB2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5e0ddfcf30cf566c4a78ab2396365cdd2825fbaa055d08f0bb8e4afe32c2312f
                • Instruction ID: d936d75ca9900019757cc7f57b6ea9221c4b7dea680ae8e334cee1cd1f2889de
                • Opcode Fuzzy Hash: 5e0ddfcf30cf566c4a78ab2396365cdd2825fbaa055d08f0bb8e4afe32c2312f
                • Instruction Fuzzy Hash: 04F0F66220D281AFD76205BE6850AF37FBADB862A4B0541F7E14ACB583D65A8806D371
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 44c3249f581861427414b97fc305bbac96cb7e901b5ac48a1c898d97b107c51c
                • Instruction ID: be5592126ed4cfb6428447a89245ed469e16813ca43da2f06c22aea2d53efeb2
                • Opcode Fuzzy Hash: 44c3249f581861427414b97fc305bbac96cb7e901b5ac48a1c898d97b107c51c
                • Instruction Fuzzy Hash: F701F770B052546BD7119B989C00FFF7BA6EB81710F140076F6146B7C1CBB45905DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3712843ac238324715df8838b4778ade41799434f7fb29def0c4eeff3e518c29
                • Instruction ID: 6188c95d4f82233627d2c660a038da83d47846e19e76c9414bad438f3e18f9b3
                • Opcode Fuzzy Hash: 3712843ac238324715df8838b4778ade41799434f7fb29def0c4eeff3e518c29
                • Instruction Fuzzy Hash: 8101F770B052556BD7249B98DC04BFFBB76AB85700F244075F604AB3C1CB755905C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 62eabe9719af213f65c02256de3c169ee87368c567dada922854798720842bdb
                • Instruction ID: 6fdd089b9482c5f62c8213857e3cea39d9842d19b5eb57aea177b65c8ee50bad
                • Opcode Fuzzy Hash: 62eabe9719af213f65c02256de3c169ee87368c567dada922854798720842bdb
                • Instruction Fuzzy Hash: D2F02D5170D5D00F874A933464206AF2BD74F86159329C4AAD545CF7CACF3E8C4747E6
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1ab5f1f5b5db2b29a7ebf098b06d1b29093a92442f3eb40202e798769b407dfd
                • Instruction ID: 63098ff0fe767bc77dc2229f47b503912c3dbd8809f90055d7005b95c535f031
                • Opcode Fuzzy Hash: 1ab5f1f5b5db2b29a7ebf098b06d1b29093a92442f3eb40202e798769b407dfd
                • Instruction Fuzzy Hash: F9F0FFB57002006BC208F6A8D850A1F379BEBC4255B404A7DE20ACB785CFA1AC058BE0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d03d620d0ad30979a378c3bf95bf249810ccc44fe2bec77faa1dc1afe716dfb6
                • Instruction ID: 2e1d3ffd7569f80943bc6d98791f8527df551803222dbf58ba72a1bac4003bf5
                • Opcode Fuzzy Hash: d03d620d0ad30979a378c3bf95bf249810ccc44fe2bec77faa1dc1afe716dfb6
                • Instruction Fuzzy Hash: F0F04C7670871647C330CA36D8805EABBAAAFC1650F04C53DE40983686EF75DA49C290
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37f945596e875a74e3b50534f9c744336d9c380591465426a2a5e0b13dfb8ab4
                • Instruction ID: 9b2d32c2fef16057cc05bbe8b1a7a8fb9f6f7a8f687595eba1948b9f553dd32a
                • Opcode Fuzzy Hash: 37f945596e875a74e3b50534f9c744336d9c380591465426a2a5e0b13dfb8ab4
                • Instruction Fuzzy Hash: 34F0F67210D3912FC7328729DC948D7BFA9DF82220F29449BF448C3152D320D855C372
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1e8b4867fda431af90e18fbffc5e8648cd72b1517db4dcc64529ca33fa2f6bce
                • Instruction ID: efd4510c2aeb1023851c3b2b327e2b4f1d624f61f692540a828dca4669506b08
                • Opcode Fuzzy Hash: 1e8b4867fda431af90e18fbffc5e8648cd72b1517db4dcc64529ca33fa2f6bce
                • Instruction Fuzzy Hash: 8BF096357082984FCB45EBB8D4649AD7BE2EFC5609B0100FDD606CB761DF25DD068B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a907102bf3ea4c6eeaa03ab81d13c68afc6f486a3fd7813c7ce805b28256452f
                • Instruction ID: 27d617f89723c089527d624d5d918a027eee4fb67d849a4b597235a93a991095
                • Opcode Fuzzy Hash: a907102bf3ea4c6eeaa03ab81d13c68afc6f486a3fd7813c7ce805b28256452f
                • Instruction Fuzzy Hash: 52017871300704CFC7359A69E084BA7B3E6EB86361F85096DE1CA87650C730F945CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c78e8e8135a0efd79f2cae99ad3027818b10653216ccd47cca0d0ca3b9fb2403
                • Instruction ID: c504d2264c5dbd8ae21876404044d02a6858e13c76e35414c7066c12e5fa4375
                • Opcode Fuzzy Hash: c78e8e8135a0efd79f2cae99ad3027818b10653216ccd47cca0d0ca3b9fb2403
                • Instruction Fuzzy Hash: 92F0C8317007509FD7158F259855A6BBFA6DB85621B15846AFD4AC7381CA39DC01C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 992cf026e13e228cfc99fd14f98b467809d7bdd36e2b1afe1ce927cd990e075d
                • Instruction ID: 1d0d4a9ac65fb2d5bd1657bc59197ae4d795aa71bf8d3aec325f331cc3caa56a
                • Opcode Fuzzy Hash: 992cf026e13e228cfc99fd14f98b467809d7bdd36e2b1afe1ce927cd990e075d
                • Instruction Fuzzy Hash: 85F0E932B102149BCB159B6CD8555EE77B6EBC9221B044079D509EBB00EF75CC17CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 93e9cb06635a4a9541bd41afbb7344c14728d1b5c85264b647b276c75af6939f
                • Instruction ID: c14ae55c4d354403b4a551c32105a00883239ed0c950052a80fd212b50d3f4f6
                • Opcode Fuzzy Hash: 93e9cb06635a4a9541bd41afbb7344c14728d1b5c85264b647b276c75af6939f
                • Instruction Fuzzy Hash: 3AF05E6650E3C16FDB138328CC21596BF755F93214B5A44CBE0C5CB5A3D2288949C772
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 66b562351f746c01c04917dc432f3a7d98d41d404d045ddff208b286f22b2e85
                • Instruction ID: 8e233e6b0c5d27b1797cf4ee6a910f857047d53d367d32511667ee568153a8f5
                • Opcode Fuzzy Hash: 66b562351f746c01c04917dc432f3a7d98d41d404d045ddff208b286f22b2e85
                • Instruction Fuzzy Hash: D6F082353041145FC748ABB8C428A2EB7D7EFC964970144B8E206CB760DE21DC014BD0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 109b198037ccd2a0417a8f636ecfd5e0365d279975f14109e57a6143dd5d8fab
                • Instruction ID: 100bce789e76a83a297cfacbb97c9fb22bb491b1f00174554c3d6dc9910cc79d
                • Opcode Fuzzy Hash: 109b198037ccd2a0417a8f636ecfd5e0365d279975f14109e57a6143dd5d8fab
                • Instruction Fuzzy Hash: 65E09B36B102189BCB185669D8145EE77FBEBC9221F040079D906E7B44DF75DC05CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e0728c376c99c3a30ce7ca17bf5c480dd73f47c1e6c686294524eef1db983ee0
                • Instruction ID: a503033bdaa23b883ccc47e8c2e098367ccb7fe946e00b84ab9c6cd60383900f
                • Opcode Fuzzy Hash: e0728c376c99c3a30ce7ca17bf5c480dd73f47c1e6c686294524eef1db983ee0
                • Instruction Fuzzy Hash: 34F017B0D0434A8FDF45DFB988456EDBFF1FF48205F0485AAC409A6620E3384682CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 47777143284c4fadb198632b0aa86029b927a8e5b72177af5f6a8af604f9f557
                • Instruction ID: 0f5a42a8e3396bcd934dfe2058294cd19d3feb81ccb7e381812125d4dd724059
                • Opcode Fuzzy Hash: 47777143284c4fadb198632b0aa86029b927a8e5b72177af5f6a8af604f9f557
                • Instruction Fuzzy Hash: 41E0D8393013408FD7066B70F46A5FA7FA7FB95219B108064E10A8B363DE656D4B9B40
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 792d28b74ae9d63bcfac9abc1f329c116fd245156f5bafee683b629c0b3f9858
                • Instruction ID: 21d231b6bd9eba75cef9a6b268188eedf20dab957131295715c324c7c1260357
                • Opcode Fuzzy Hash: 792d28b74ae9d63bcfac9abc1f329c116fd245156f5bafee683b629c0b3f9858
                • Instruction Fuzzy Hash: CBE026791062105FC3429B68F4899E13F6AEF49320B1240A1F60DC7323D6248C038B90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b6a9106385de1e3df250d084b21c7bdaa6a011ed1ea3cc99c5541d83164ec0dd
                • Instruction ID: 9a7b9a25b44159e8e08b1ca8b856e91be873e6eac1f72fd19c8007f996dc9e7c
                • Opcode Fuzzy Hash: b6a9106385de1e3df250d084b21c7bdaa6a011ed1ea3cc99c5541d83164ec0dd
                • Instruction Fuzzy Hash: 51E09271A1020D87CF249BA0E8063EC33B8FB0021FF044055DE0AA7340CF6959C586A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 812410804df23307fb5e3ca1360e33a7366c2095f1676cddaacbbfb97b70d766
                • Instruction ID: beae025a4a31d64c38f3207fb7c1b40cff1e3488835985c67f1eb67dc71558ea
                • Opcode Fuzzy Hash: 812410804df23307fb5e3ca1360e33a7366c2095f1676cddaacbbfb97b70d766
                • Instruction Fuzzy Hash: C5E012765095A55F83564A15A8144A2FF7AEACA12131981C7E844CB243C129DD83D7E1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7f8d46b1e5769535fece86f281503245b1da3bd22254327ecde6876ad5019c6e
                • Instruction ID: 107a061252c44c4ce00470c38834fd16d6a20656e6530e3efef7ac1d4a90e245
                • Opcode Fuzzy Hash: 7f8d46b1e5769535fece86f281503245b1da3bd22254327ecde6876ad5019c6e
                • Instruction Fuzzy Hash: 90E04FB660421AAF97048F45E844C57FF7CFB892743148296F90887602C331EC81CBF0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf83baf61b582e78e6f0edbb450605eb2c762d9b5d997603c9ac58d078f2e09e
                • Instruction ID: bec14febd7951ad92f0b4b5090b436f0ece90cd4dcf64c15c8b2c2b4c4dae410
                • Opcode Fuzzy Hash: bf83baf61b582e78e6f0edbb450605eb2c762d9b5d997603c9ac58d078f2e09e
                • Instruction Fuzzy Hash: 1DE04F2520E3E05FC34787686C204E67FB99E8B12431D84CBE484CB5A3C5298D0BC7F2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 29734c5504bf86d7962e2e232a1035550943ae16bcf688b8e65d288077915e37
                • Instruction ID: b8e6d69a7a2f640f935a869bed6817bd72d6290b7850d42b656775a318874b0a
                • Opcode Fuzzy Hash: 29734c5504bf86d7962e2e232a1035550943ae16bcf688b8e65d288077915e37
                • Instruction Fuzzy Hash: FEF09BB0D0431D9FDF58DFAAC8416EEBBF5BF48205F1081AAC819B2250E7384681CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ccb39df12842f1913f32f683532124da1f517dad50fd617ffa666b834b37a293
                • Instruction ID: b4076be5c255804d433289065f2fcc77e41384bbaaa88560d0b69ab30f7784dd
                • Opcode Fuzzy Hash: ccb39df12842f1913f32f683532124da1f517dad50fd617ffa666b834b37a293
                • Instruction Fuzzy Hash: 12E086766045058FD310EB54E4417AEB3A3EFC4361F008839D15AC3A81DB75A9565B51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 72ea0d7a4a4c8139a0cb192165167f851e3d6b13f9dc8c47f34e7175fb3c2b70
                • Instruction ID: ab4eff39719e9b86765c77989b624a4137f1075ad1269ae32c3fd17b124510fd
                • Opcode Fuzzy Hash: 72ea0d7a4a4c8139a0cb192165167f851e3d6b13f9dc8c47f34e7175fb3c2b70
                • Instruction Fuzzy Hash: 89E086366041018FE310EB54E4457BEB3E3EFC4365F108939D15EC3A81DB75B9565B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.540767897.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7c10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4b4f50f2ea96ae62205e88fbd9594afea26336357b0dd7bb726aaa8e48ceba1
                • Instruction ID: 8247937f6e79f7655e90d150f428bdb6c4f69c9b9363eb4f8b757331c3d772f8
                • Opcode Fuzzy Hash: e4b4f50f2ea96ae62205e88fbd9594afea26336357b0dd7bb726aaa8e48ceba1
                • Instruction Fuzzy Hash: DDE0867A6045018FD310EB54E8457BEB3A3EF84365F008939D15EC3A81CF75B9569B51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7988fa4b83faf6e261cc72cec25f58fbe8c8afa642296746b915acef4ef10740
                • Instruction ID: 07d9e9a8aa3df2348d602004ad2fe5007b50864f54a844e1a071d1aab2d8d072
                • Opcode Fuzzy Hash: 7988fa4b83faf6e261cc72cec25f58fbe8c8afa642296746b915acef4ef10740
                • Instruction Fuzzy Hash: ABE086756045019FD310DB54E445BBDB3A7DF84321F008839D15EC3A80CB75A9568B51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 64fc10cc27aa92cf7d29ca6d2e3dc102633700d11f102727c4609275171878da
                • Instruction ID: f2922588fe9440f05addd77897ed42b5b97e1923a1321ccc049c785a26b41ffc
                • Opcode Fuzzy Hash: 64fc10cc27aa92cf7d29ca6d2e3dc102633700d11f102727c4609275171878da
                • Instruction Fuzzy Hash: A8E086767145019FD310DB54E441BADB3A7DF84361F008839D15EC3A80CF74A9564B41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0e15777903c5793cb39163fdab38b9682a58083c98258fdd39326c3227c5aa1a
                • Instruction ID: 7b9a0e8a820fa219b67d4718b9fd3c44cff28ef6e1e6c1a24b3cbfeaddb2330d
                • Opcode Fuzzy Hash: 0e15777903c5793cb39163fdab38b9682a58083c98258fdd39326c3227c5aa1a
                • Instruction Fuzzy Hash: B6E0CD366141009FD750E794F4497BDB3A3EF80320F048429D25BC7680CB35E5154B81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9831bdb5208b64e98c0bf1078de849b76105d135a7121f08026276cb57e4ee18
                • Instruction ID: 9c443d0e082829b5abb85486e13c4ec93ddcb8304d28b8731e9cfa9af54c6797
                • Opcode Fuzzy Hash: 9831bdb5208b64e98c0bf1078de849b76105d135a7121f08026276cb57e4ee18
                • Instruction Fuzzy Hash: 74E086756145019FD710DB54E441BBE73A3EF84321F448839D15FC3A80CF75A9568F41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9bc72091edc7ba2f4a7138837f194784f6eccab390ccc53167fab294ba2201f3
                • Instruction ID: b20a54a629ba4f6b9fcb1a904e834815a86dcff24da4a489af29e7b61e3ce64c
                • Opcode Fuzzy Hash: 9bc72091edc7ba2f4a7138837f194784f6eccab390ccc53167fab294ba2201f3
                • Instruction Fuzzy Hash: 8CE08C7A2046019FD310EB94E441BBEB3A3EF84321F04886DD25BC3A84CB78A9569B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b2053d45514f466447f4025e9ba7c88685694d64e817cb251d5f4586184cbf71
                • Instruction ID: 16e9be7f3ee397c036afb6c76fb537376341cb2d8539558111467118f97c6a7d
                • Opcode Fuzzy Hash: b2053d45514f466447f4025e9ba7c88685694d64e817cb251d5f4586184cbf71
                • Instruction Fuzzy Hash: C7E086766041009BD6509694E4497ADB3A2DB84360F408426D15A87680DB79A5154B81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 140d8c84b2f00154bd2893cd45f14b2475350f2cde622d9961d2a8a93653e6bd
                • Instruction ID: 2a202431239736468813746a40a1eec695154ac547632ef92a2ac90116a946e3
                • Opcode Fuzzy Hash: 140d8c84b2f00154bd2893cd45f14b2475350f2cde622d9961d2a8a93653e6bd
                • Instruction Fuzzy Hash: B0E08C7A6045019FD314EB98E441BAEB3A3DFC4321F00883AD25EC3A80CF78A9569B81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1298918de29254903eeba4e45004cfd029c3771f7f79f95eeb6741035c8840a3
                • Instruction ID: 1660cb2929cc431f92be2fe0730281dfaaf881ba466fc6334d88a9ede361a97f
                • Opcode Fuzzy Hash: 1298918de29254903eeba4e45004cfd029c3771f7f79f95eeb6741035c8840a3
                • Instruction Fuzzy Hash: F0E086766045019FD711DB54E441BADB3A7DF84361F048839D15EC3A80CB74B9964B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.543666975.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7d10000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4310cf57d91ba3167820750a22fe1cb7b91316cf733be0f0df3180c4281a7d5
                • Instruction ID: fe890f2a253b773969f21581c6ab1f5460db81b11083bc4f9f90214f805a2708
                • Opcode Fuzzy Hash: e4310cf57d91ba3167820750a22fe1cb7b91316cf733be0f0df3180c4281a7d5
                • Instruction Fuzzy Hash: CCE0C2BAA045009FD710EB94E005BADB3A3DF80321F00883AD25EC3A80CB78E9564B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 08fd622c6d7db6ed3f0ea04c9c6e030454833445b4b4b93cbed432086c23751f
                • Instruction ID: e8ae1ef8aaf2d877d0ff4d998d633b3ed654139b7e9cb75eb49354a0c75b16c3
                • Opcode Fuzzy Hash: 08fd622c6d7db6ed3f0ea04c9c6e030454833445b4b4b93cbed432086c23751f
                • Instruction Fuzzy Hash: 85D017352092498FC705DB18E8808A1FBB5FF86321315C2C2E888CB253C630AC0ACB94
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 02b8f92be658e76093fe35dffae0216ea41dac9a801492bcb1aaaf9033b4eef3
                • Instruction ID: 51178ba54e4e022c362c4260a3a6abdbdb3e98b45a5f0f50e27795e89a26a704
                • Opcode Fuzzy Hash: 02b8f92be658e76093fe35dffae0216ea41dac9a801492bcb1aaaf9033b4eef3
                • Instruction Fuzzy Hash: 1AE012383103448BD709AB61F81993A7BABF7C4305B148474E6099B366DE757C56AB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bfb5d79586ecd6ea67506484b4763a492ead421c2f2e2137eb067732a07291f7
                • Instruction ID: c74619659ced4d309ad63218748418d9630da1bb1239e463bc927b9abee6cb7a
                • Opcode Fuzzy Hash: bfb5d79586ecd6ea67506484b4763a492ead421c2f2e2137eb067732a07291f7
                • Instruction Fuzzy Hash: 5CD05E392102109FC745AB68F408DA57BAAEB49721B0240A5EA0D87322CA299C009B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a30950098adab430802d0002bb89d003bb400b24c1965755c996a9e708b7b5d0
                • Instruction ID: fe03d5a72271500ff4626fdaa8cc35419b173a1b32f0beac6b1695ff0178db3f
                • Opcode Fuzzy Hash: a30950098adab430802d0002bb89d003bb400b24c1965755c996a9e708b7b5d0
                • Instruction Fuzzy Hash: 7EC0123214E2E32FDB0346205C64D963F148702150B1400ABF040CB1C3C6494E5682F2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a79dc19a6947f93dc4377bf60665df028b10b9e3b8b1c646d3428cecb9fa8247
                • Instruction ID: 50eb215f2fb7ccbcca153aa674dc9e05f30b78279e132f7d7ce4d96fcd11b03f
                • Opcode Fuzzy Hash: a79dc19a6947f93dc4377bf60665df028b10b9e3b8b1c646d3428cecb9fa8247
                • Instruction Fuzzy Hash: 93D0A73510D3528FC701971CF8908897BB29FD22597264453E1418B976C7348DA7C7B6
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fdb74261c144701611951ef3ff792950dccd9be853ded776d2f8d0548542f10d
                • Instruction ID: 20457ebe0ed74214062067be51be394930fcb4eece2e413707face3a3b1983d2
                • Opcode Fuzzy Hash: fdb74261c144701611951ef3ff792950dccd9be853ded776d2f8d0548542f10d
                • Instruction Fuzzy Hash: 41C08CA804A2019FFB820AA192423E03B60EF90B00B018058E08A88C8260900C0B8E01
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 62ad362b6876558dbb19ee80917d485988398723cd851e65492769e622f480eb
                • Instruction ID: f92dcd5f6b2cdf0ef71f0db2445f8ed0eb6d7e773e6c92cab30a5078554d5fab
                • Opcode Fuzzy Hash: 62ad362b6876558dbb19ee80917d485988398723cd851e65492769e622f480eb
                • Instruction Fuzzy Hash: E0D0CA3AA04018ABDF018BC4E840ACEFB32FB88321F008022E720AA150C2321662DB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2f2e9cd5b79ea2693279bafd932241b1fb7a82c45e97e63b291cf0e039044404
                • Instruction ID: 7b5682b57915471978991aae2ef1c82b97f665f8b0efa52b9f0672bea469f26c
                • Opcode Fuzzy Hash: 2f2e9cd5b79ea2693279bafd932241b1fb7a82c45e97e63b291cf0e039044404
                • Instruction Fuzzy Hash: 10C0127114D3C06FD303477098159967FA06B47300F4581DBF1C0454A3C1265554E761
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.542670270.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_7cb0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7ecbe31aec94cc19e47677b798bb70532113deb22aa82dedf3d4e521207a8fed
                • Instruction ID: e77a908a61120a14b6f21fcf4b38bebda163c12cadbc3991e7d1df29aec9616b
                • Opcode Fuzzy Hash: 7ecbe31aec94cc19e47677b798bb70532113deb22aa82dedf3d4e521207a8fed
                • Instruction Fuzzy Hash: 5BC08C71108100BF8604CB10C804D2FFFEB9BD4310F00C40DB198C1061C6308890CBB2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.514981632.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2be0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d22524795566881ca0aaa798d19f84f51dd70b1ce061bd5dde4978709df6fce3
                • Instruction ID: 7371701cac94b91661e527d504b89092179240fc5347d10de29ce5d350ce3642
                • Opcode Fuzzy Hash: d22524795566881ca0aaa798d19f84f51dd70b1ce061bd5dde4978709df6fce3
                • Instruction Fuzzy Hash: 11C0123940C3806FD3139B609B14545BF70AB03704B044486A29447056C2254859D726
                Uniqueness

                Uniqueness Score: -1.00%