Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1515080
MD5:	19b9de641a480be1236dd9712d9ccc10
SHA1:	a3cbbd66a0a3fbb2618c9283d44a0855059e9e6a
SHA256:	c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd
Tags:	exeuser-Bitsight
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RisePro Stealer

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Found API chain indicative of debugger detection

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies Windows Defender protection settings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 19B9DE641A480BE1236DD9712D9CCC10)

RegAsm.exe (PID: 6320 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 3540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7196 cmdline: "powershell" Get-MpPreference -verbose MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7608 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7648 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8924 cmdline: "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

schtasks.exe (PID: 8944 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 8960 cmdline: "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

schtasks.exe (PID: 8976 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

OfficeTrackerNMP2663.exe (PID: 9032 cmdline: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 9064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

OfficeTrackerNMP2663.exe (PID: 9048 cmdline: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 9072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MaxLoonaFest2663.exe (PID: 5400 cmdline: "C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MaxLoonaFest2663.exe (PID: 1316 cmdline: "C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FANBooster2663.exe (PID: 6092 cmdline: "C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6320	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6320	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 7196	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST, CommandLine: "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 6320, ParentProcessName: RegAsm.exe, ProcessCommandLine: "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST, ProcessId: 8924, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 6320, ParentProcessName: RegAsm.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true, ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6320, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest2663

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6320, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster2663.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" Get-MpPreference -verbose, CommandLine: "powershell" Get-MpPreference -verbose, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 6320, ParentProcessName: RegAsm.exe, ProcessCommandLine: "powershell" Get-MpPreference -verbose, ProcessId: 7196, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE RisePro TCP Heartbeat Packet

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T16:17:23.746997+0200	2049060	1	A Network Trojan was detected	192.168.2.7	49708	118.194.235.187	50500	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 83%
Source: file.exe	Virustotal: Detection: 82%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: RegAsm.pdb source: OfficeTrackerNMP2663.exe, 00000029.00000000.1519174884.00000000005F2000.00000002.00000001.01000000.00000009.sdmp, OfficeTrackerNMP2663.exe.8.dr, FANBooster2663.exe.8.dr, MaxLoonaFest2663.exe.8.dr
Source:	Binary string: RegAsm.pdb4 source: OfficeTrackerNMP2663.exe, 00000029.00000000.1519174884.00000000005F2000.00000002.00000001.01000000.00000009.sdmp, OfficeTrackerNMP2663.exe.8.dr, FANBooster2663.exe.8.dr, MaxLoonaFest2663.exe.8.dr

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0085A797 FindFirstFileExW,

5_2_0085A797

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2049060 - Severity 1 - ET MALWARE RisePro TCP Heartbeat Packet : 192.168.2.7:49708 -> 118.194.235.187:50500

Source: global traffic

TCP traffic: 192.168.2.7:49708 -> 118.194.235.187:50500

Source: Joe Sandbox View

IP Address: 118.194.235.187 118.194.235.187

Source: Joe Sandbox View

ASN Name: SINOYCLOUD-AS-APSinoycloudLimitedHK SINOYCLOUD-AS-APSinoycloudLimitedHK

Source: unknown	TCP traffic detected without corresponding DNS query: 118.194.235.187
Source: unknown	TCP traffic detected without corresponding DNS query: 118.194.235.187
Source: unknown	TCP traffic detected without corresponding DNS query: 118.194.235.187
Source: unknown	TCP traffic detected without corresponding DNS query: 118.194.235.187

Source: powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1366723527.0000000005141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.1366723527.0000000005141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api64.ipify.org/?format=json
Source: powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.1464831316.000000000795E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.L
Source: powershell.exe, 0000000B.00000002.1477941420.00000000079F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://maxmind.com/geoip/v2.1/city/me
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://maxmind.com/geoip/v2.1/city/me/https://www.maxmind.com/en/locate-my-ip-address
Source: powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05126578 NtAllocateVirtualMemory,	8_2_05126578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05126C30 NtQueryVolumeInformationFile,	8_2_05126C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_051264A0 NtProtectVirtualMemory,	8_2_051264A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05126CF8 NtDeviceIoControlFile,	8_2_05126CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_051268C0 NtOpenFile,	8_2_051268C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_051263F0 NtClose,	8_2_051263F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05126570 NtAllocateVirtualMemory,	8_2_05126570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05126C28 NtQueryVolumeInformationFile,	8_2_05126C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05126498 NtProtectVirtualMemory,	8_2_05126498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05126CF3 NtDeviceIoControlFile,	8_2_05126CF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_051268BB NtOpenFile,	8_2_051268BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_051263C8 NtClose,	8_2_051263C8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_05126CF8: NtDeviceIoControlFile,

8_2_05126CF8

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0084C82C	5_2_0084C82C
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_008552C0	5_2_008552C0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0084CB74	5_2_0084CB74
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0085CDCB	5_2_0085CDCB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_008565D5	5_2_008565D5
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00850530	5_2_00850530
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0085E74F	5_2_0085E74F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFC0A8	8_2_00EFC0A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EF1098	8_2_00EF1098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFD820	8_2_00EFD820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFE008	8_2_00EFE008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFA1CD	8_2_00EFA1CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EF9940	8_2_00EF9940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFB3B8	8_2_00EFB3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EF8F98	8_2_00EF8F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFA080	8_2_00EFA080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFA090	8_2_00EFA090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EF106A	8_2_00EF106A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFF96A	8_2_00EFF96A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFF978	8_2_00EFF978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFBAB5	8_2_00EFBAB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFD583	8_2_00EFD583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EFDEE0	8_2_00EFDEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EF9E68	8_2_00EF9E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EF9E58	8_2_00EF9E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EF8F88	8_2_00EF8F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0512FD6C	8_2_0512FD6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0512093D	8_2_0512093D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05123020	8_2_05123020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05122D17	8_2_05122D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05123518	8_2_05123518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0512A540	8_2_0512A540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05123C78	8_2_05123C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05123C68	8_2_05123C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05129F98	8_2_05129F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05129F8A	8_2_05129F8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05128E30	8_2_05128E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05128E40	8_2_05128E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05126E90	8_2_05126E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05126EA0	8_2_05126EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05121981	8_2_05121981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_051259D1	8_2_051259D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_051248E8	8_2_051248E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05129BF8	8_2_05129BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05123A30	8_2_05123A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_05123A20	8_2_05123A20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_04DEA9B0	11_2_04DEA9B0
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Code function: 45_2_02CF09B0	45_2_02CF09B0

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00846E20 appears 51 times

Source: file.exe, 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmp

Binary or memory string: OriginalFilenamePolymodXT.exe4 vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .data ZLIB complexity 0.99768195263019

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@58/62@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\MaxLoonaFest2663

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\FANBooster2663

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT name FROM sqlite_master WHERE type='table';
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT fieldname, value FROM moz_formhistory;

Source: file.exe	ReversingLabs: Detection: 83%
Source: file.exe	Virustotal: Detection: 82%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
Source: unknown	Process created: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
Source: unknown	Process created: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe "C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe"
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe "C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe"
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe "C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe"
Source: C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Section loaded: version.dll
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Section loaded: mscoree.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: FANBooster2663.lnk.8.dr

LNK file: ..\..\..\..\..\..\Local\Temp\FANBooster2663\FANBooster2663.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static file information: File size 1646592 > 1048576

Source: file.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x163400

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegAsm.pdb source: OfficeTrackerNMP2663.exe, 00000029.00000000.1519174884.00000000005F2000.00000002.00000001.01000000.00000009.sdmp, OfficeTrackerNMP2663.exe.8.dr, FANBooster2663.exe.8.dr, MaxLoonaFest2663.exe.8.dr
Source:	Binary string: RegAsm.pdb4 source: OfficeTrackerNMP2663.exe, 00000029.00000000.1519174884.00000000005F2000.00000002.00000001.01000000.00000009.sdmp, OfficeTrackerNMP2663.exe.8.dr, FANBooster2663.exe.8.dr, MaxLoonaFest2663.exe.8.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_008467F1 push ecx; ret	5_2_00846804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00EF0941 push ebx; ret	8_2_00EF0942
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0512C1BB pushfd ; iretd	8_2_0512C231
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07CB16EB push ss; retf	11_2_07CB16F6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07CB161F push ss; retf	11_2_07CB162E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07CB0488 push es; retf	11_2_07CB06A6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster2663.lnk

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster2663.lnk

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MaxLoonaFest2663			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MaxLoonaFest2663			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7196, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 5130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 7130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 7370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 9370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 5250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Memory allocated: E70000 memory reserve \| memory write watch
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Memory allocated: 2880000 memory reserve \| memory write watch
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Memory allocated: 4880000 memory reserve \| memory write watch
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Memory allocated: 1250000 memory reserve \| memory write watch
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Memory allocated: 4CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Memory allocated: 2C50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Memory allocated: 2D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Memory allocated: 2C50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe	Memory allocated: F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe	Memory allocated: 2B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe	Memory allocated: 28C0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2198	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7220	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2478	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1201	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1447	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1271
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1231
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1655
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1631
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1467
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1100

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep count: 7220 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272	Thread sleep count: 2478 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep count: 1201 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep count: 1271 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8536	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8412	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8128	Thread sleep count: 1483 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8540	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8384	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208	Thread sleep count: 1231 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8424	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep count: 1631 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8452	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep count: 1874 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8532	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8396	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8228	Thread sleep count: 1210 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8308	Thread sleep count: 1467 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8332	Thread sleep count: 1100 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8568	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8520	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe TID: 9148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe TID: 6836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe TID: 1588	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0085A797 FindFirstFileExW,

5_2_0085A797

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData

Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxGuest
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\VBoxGuest
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxSFVBoxGuest
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kernel32.dll(SYSTEM\CurrentControlSet\Services\vmhgfs+SYSTEM\CurrentControlSet\Services\VBoxGuest
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\vmhgfs+
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: RegAsm.exe, 00000008.00000002.3742181371.0000000000F76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxSF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_5-19151

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0084E2CF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_0084E2CF

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0085503C mov eax, dword ptr fs:[00000030h]	5_2_0085503C
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00855080 mov eax, dword ptr fs:[00000030h]	5_2_00855080
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0085196C mov ecx, dword ptr fs:[00000030h]	5_2_0085196C

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0085DEE0 GetProcessHeap,

5_2_0085DEE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0084E2CF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0084E2CF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00846BFA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00846BFA
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00846D56 SetUnhandledExceptionFilter,	5_2_00846D56
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00846E65 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00846E65

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00E2018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

5_2_00E2018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 4DC000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 536000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 538000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 69A000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 69C000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: ABF008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_008468EC cpuid

5_2_008468EC

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	5_2_0085D980
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_0085DAA9
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	5_2_0085DBAF
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	5_2_0085D31A
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	5_2_00854476
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0085DC7E
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	5_2_0085D5BC
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	5_2_0085D6A2
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	5_2_0085D607
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	5_2_00853F10
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_0085D72D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Queries volume information: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe VolumeInformation
Source: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	Queries volume information: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe VolumeInformation
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Queries volume information: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe VolumeInformation
Source: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	Queries volume information: C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00846AF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00846AF4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry value created: TamperProtection 0

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6320, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum\wallets
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\wallets
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum\wallets
Source: RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: MultiDoge\multidoge.wallet
Source: powershell.exe, 0000000B.00000002.1490752259.0000000007D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Source: Yara match	File source: 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6320, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6320, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	411 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	31 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	411 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	83%	ReversingLabs	Win32.Ransomware.RedLine
file.exe	83%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.Agent.qmlgz
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	0%	ReversingLabs
C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://ipinfo.io/	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://api.myip.com/	0%	Avira URL Cloud	safe
https://ion=v4.5	0%	Avira URL Cloud	safe
https://ipinfo.io/	0%	Virustotal		Browse
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://api.myip.com/	0%	Virustotal		Browse
https://www.maxmind.com/en/locate-my-ip-address	0%	Virustotal		Browse
https://api64.ipify.org/?format=json	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://api64.ipify.org/?format=json	0%	Virustotal		Browse
https://db-ip.com/demo/home.php?s=	0%	Avira URL Cloud	safe
https://maxmind.com/geoip/v2.1/city/me	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/	0%	Avira URL Cloud	safe
https://go.L	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://maxmind.com/geoip/v2.1/city/me/https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://maxmind.com/geoip/v2.1/city/me/https://www.maxmind.com/en/locate-my-ip-address	0%	Virustotal		Browse
https://ipinfo.io/widget/demo/	0%	Virustotal		Browse
https://db-ip.com/demo/home.php?s=	0%	Virustotal		Browse
https://maxmind.com/geoip/v2.1/city/me	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000B.00000002.1366723527.0000000005141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.myip.com/	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ion=v4.5	powershell.exe, 0000000B.00000002.1477941420.00000000079F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api64.ipify.org/?format=json	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.1432686079.00000000061AB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://db-ip.com/demo/home.php?s=	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://maxmind.com/geoip/v2.1/city/me	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1366723527.0000000005141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.L	powershell.exe, 0000000B.00000002.1464831316.000000000795E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.1366723527.0000000005296000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://maxmind.com/geoip/v2.1/city/me/https://www.maxmind.com/en/locate-my-ip-address	RegAsm.exe, 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
118.194.235.187	unknown	China		134700	SINOYCLOUD-AS-APSinoycloudLimitedHK	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1515080
Start date and time:	2024-09-21 16:16:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	56
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@58/62@0/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 99% Number of executed functions: 188 Number of non-executed functions: 60
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FANBooster2663.exe, PID 6092 because it is empty
Execution Graph export aborted for target MaxLoonaFest2663.exe, PID 1316 because it is empty
Execution Graph export aborted for target MaxLoonaFest2663.exe, PID 5400 because it is empty
Execution Graph export aborted for target OfficeTrackerNMP2663.exe, PID 9032 because it is empty
Execution Graph export aborted for target OfficeTrackerNMP2663.exe, PID 9048 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7196 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:17:06	API Interceptor	345x Sleep call for process: powershell.exe modified
11:34:33	API Interceptor	2328788x Sleep call for process: RegAsm.exe modified
17:33:28	Task Scheduler	Run new task: OfficeTrackerNMP2663 HR path: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
17:33:28	Task Scheduler	Run new task: OfficeTrackerNMP2663 LG path: C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
17:33:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MaxLoonaFest2663 C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe
17:33:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MaxLoonaFest2663 C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe
17:33:45	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster2663.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
118.194.235.187	file.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse
	cb67a188bafea0fd5f5e9725881c88a1c494763c094f76df73914bd8cadce170_dump.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse
	f8cbaeb306d1b88f79680d5abaa871541cdaecbe8f28fe6e7b4d1c6e808a97de_payload.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	7uQQ6rKGkN.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SINOYCLOUD-AS-APSinoycloudLimitedHK	arm.elf	Get hash	malicious	Mirai	Browse	118.194.235.45
	gErAvW63Ax.elf	Get hash	malicious	Mirai	Browse	114.114.221.137
	5klOcqqL2D.elf	Get hash	malicious	Mirai	Browse	114.114.156.51
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse	118.194.235.187
	cb67a188bafea0fd5f5e9725881c88a1c494763c094f76df73914bd8cadce170_dump.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse	118.194.235.187
	f8cbaeb306d1b88f79680d5abaa871541cdaecbe8f28fe6e7b4d1c6e808a97de_payload.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse	118.194.235.187
	file.exe	Get hash	malicious	RisePro Stealer	Browse	118.194.235.187
	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	118.194.235.187
	file.exe	Get hash	malicious	RisePro Stealer	Browse	118.194.235.187
	file.exe	Get hash	malicious	RisePro Stealer	Browse	118.194.235.187

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe	lgnasdfnds.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	rhTHyegj6G.exe	Get hash	malicious	LummaC	Browse
	Gn7YytVoCM.exe	Get hash	malicious	Unknown	Browse
	Gn7YytVoCM.exe	Get hash	malicious	Unknown	Browse
	Y666Gn09a1.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse

Created / dropped Files

C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: lgnasdfnds.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: rhTHyegj6G.exe, Detection: malicious, Browse Filename: Gn7YytVoCM.exe, Detection: malicious, Browse Filename: Gn7YytVoCM.exe, Detection: malicious, Browse Filename: Y666Gn09a1.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FANBooster2663.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MaxLoonaFest2663.exe.log

Download File

Process:	C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OfficeTrackerNMP2663.exe.log

Download File

Process:	C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2228
Entropy (8bit):	5.374359297407224
Encrypted:	false
SSDEEP:	48:PWSU4y4RQmFoUeWmfgZ9tK8NPdYm7u1iMugeC/ZaOUyu0lhV:PLHyIFKL3IZ2KlROugg01
MD5:	EFDBF9F789D1CD2451259700F2C09E64
SHA1:	A354A17AEC8D67A69B47DF1D30D3B236B83607D0
SHA-256:	2DAFB3EDDDC599D1158394CC51336347C30FCCD1666A3DF9DFB6962695EE4122
SHA-512:	F24F2BADA78E52311009965871EE94652E4C82B9A3D7F77325BED2C137B3850A1B6AD48D3E69FA35E9C366CE925A7D1E948D37FB8C88FE44BC572EABCB22A079
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....m.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0glaokhr.30r.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1aga23cs.pjf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1w2sfdkc.gvm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23dmljal.dbl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2br1ukrl.ql3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4czbpl1u.2fz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4va2ro5t.2u3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xa0om4w.eht.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_51zdcgil.0tq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dg45pi2.dqz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3wj4rmo.al5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhaabn42.5b1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_buaxntsg.43e.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejlvv503.usn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ew2cj0xd.2sr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ezjmxwhs.sgc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iitlzu0l.ofp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j01zpbfn.p5i.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jefzcpkj.wpv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jo2jmpcw.zcy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jyiygxxj.55e.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_khvhtcyk.5nn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kofrvwje.dxu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kpdeefvc.dfg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0ncuatr.hkn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1qz2ehr.xql.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2nuatuv.acq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mcvmaxwy.aop.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mtmva3vi.oyv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0bprkgz.ydw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4csvh0y.njf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_omuvxrkx.zsq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pcbnlsf2.p3o.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_peuj2bi2.f2v.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rj4eeeug.nxd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rju0ouis.pic.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ru0xvhov.bae.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfsvdss3.rjc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svfl5xqn.l1d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqnejpd4.jp2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uv1knh4j.m1m.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_widja2cw.1b0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wj2xl5vs.zfn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wv4nlc3s.hs0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwuim123.fzn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_za55xzna.hea.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfhyf0zw.emd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxze2yic.s2k.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\rise2663M9Asphalt.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.5654483718208256
Encrypted:	false
SSDEEP:	3:LDcXVRPSn:vsMn
MD5:	AC365E1B4C8F1824667085B0A689A7BD
SHA1:	651E55C0F0927EE34903F4D27903B6E1E1451337
SHA-256:	FD01C16824E654C23CE66B6D2023AFF079E84624B31BEE4338E0B655EF80A85A
SHA-512:	BE39F797ED3177507058A194A2A638EC2832B276BC33037918F08A5BB031C881DFD934FFB81CA84A4122B2DA3382EC7C540FCD52179F1E5019228B7249AA3C79
Malicious:	false
Preview:	1726928242887

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster2663.lnk

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Sat Sep 21 14:33:26 2024, mtime=Sat Sep 21 14:33:26 2024, atime=Sat Dec 7 08:10:47 2019, length=65440, window=hide
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	4.965238669960066
Encrypted:	false
SSDEEP:	24:8dRw24ZRvlgKw85olTAM0vt4m0JgJUwqygm:8dy24ZR9Gl0M0vtCJgJmyg
MD5:	D3FE37DFC6ED7437ED327E064C48A432
SHA1:	8A7D2144EC0EB3975DF46C4433A038E987B75B47
SHA-256:	4C3326357A123DE7E2D3EEA939FB12E5616FC19777EC4062DE340FFB32112422
SHA-512:	18D308D1A515A179F4A852206B475A5D052C9FBE8D032D99914C171FAA22BE5D63F6FBE4B156BFDCEFD389DC981FBBF8FA6FD248190DDE502A9ADCCA104A3D8B
Malicious:	false
Preview:	L..................F.... ...W..;...W..;...m..6...........................4.:..DG..Yr?.D..U..k0.&...&......Qg._...^...0....!.;.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=5Y.r..........................3N.A.p.p.D.a.t.a...B.P.1.....5Y.r..Local.<......EW.=5Y.r..........................-Q..L.o.c.a.l.....N.1.....5Y)r..Temp..:......EW.=5Y)r............................".T.e.m.p.....f.1.....5Y.\|..FANBOO~1..N......5Y.\|5Y.\|............................,.F.A.N.B.o.o.s.t.e.r.2.6.6.3.....r.2......OXI .FANBOO~1.EXE..V......5Y.\|5Y.\|....3...........p...........R.F.A.N.B.o.o.s.t.e.r.2.6.6.3...e.x.e.......v...............-.......u....................C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe....F.A.N.B.o.o.s.t.e.r.2.6.6.3.>.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.F.A.N.B.o.o.s.t.e.r.2.6.6.3.\.F.A.N.B.o.o.s.t.e.r.2.6.6.3...e.x.e.........\|....I.J.H..K..:...`.......X.......302494...........hT..CrF.f4... .<../Tc..

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1049
Entropy (8bit):	4.286073681226177
Encrypted:	false
SSDEEP:	24:z3d3+DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zNODBXZxo4ABV+SrUYE
MD5:	402278578416001C915480C7040F2964
SHA1:	B4833865ECE3609EC213509D4AB7D7A195C00753
SHA-256:	86E0747C9B54AA9AACB788589E70E19279DF13F1393795E689342AF3302912E1
SHA-512:	473600FBC051B22E9E7A6FBE1694ED736CF90DE5A8DF92AF1FA9A85DDD97379CFF0E8A5DF89937AE083BEBEFC81C407A907D0FB5ED9019BEDF6FB4703838321B
Malicious:	false
Preview:	Microsoft .NET Framework Assembly Registration Utility version 4.8.4084.0..for Microsoft .NET Framework version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.948523262290906
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'646'592 bytes
MD5:	19b9de641a480be1236dd9712d9ccc10
SHA1:	a3cbbd66a0a3fbb2618c9283d44a0855059e9e6a
SHA256:	c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd
SHA512:	7c86fa655d20e23bb67761367b8dd0512902c0f2d3c0801f480a63bd7d8287f16e8314f43de7a202495b17aab52f7ae2b4bc71b3f0973b4e3810c4ade4462010
SSDEEP:	49152:LzL+zEqvftsAyChHQTTu7XIP+WQ55KGRK04TYS:LzLYVdiCh6Cdb7RD4T
TLSH:	5F75230139D48072D5633A350DF2A6B54A3FF8710B266E9FA3941F7B8F74582D321A6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a),.%HB.%HB.%HB..:A.)HB..:G..HB..:F.0HB...F.7HB...A.0HB..:C. HB.%HC.ZHB...G.pHB...K.$HB...@.$HB.Rich%HB.................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x406516
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66598236 [Fri May 31 07:54:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fec98778e46bf1d6aed3f9ad74a5bb8d

Entrypoint Preview

Instruction
call 00007F1EE4EAD9BBh
jmp 00007F1EE4EAD209h
cmp ecx, dword ptr [00430040h]
jne 00007F1EE4EAD393h
ret
jmp 00007F1EE4EADCF4h
jmp 00007F1EE4EADEC7h
push ebp
mov ebp, esp
jmp 00007F1EE4EAD39Fh
push dword ptr [ebp+08h]
call 00007F1EE4EBA0B7h
pop ecx
test eax, eax
je 00007F1EE4EAD3A1h
push dword ptr [ebp+08h]
call 00007F1EE4EB693Bh
pop ecx
test eax, eax
je 00007F1EE4EAD378h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F1EE4EA8041h
jmp 00007F1EE4EAB0E9h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F1EE4EADE8Ch
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 004261D8h
je 00007F1EE4EAD39Ch
push 0000000Ch
push esi
call 00007F1EE4EAD36Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F1EE4EAD3ABh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F1EE4EAD39Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F1EE4EAD39Eh
add edx, 28h
cmp edx, esi
jne 00007F1EE4EAD37Ch
xor eax, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ea58	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x195000	0x1bf8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2ce18	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2cd58	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x164	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x221e7	0x22200	2ffb860bc06cfe917ea7ed7bf7ddf324	False	0.5788332760989011	data	6.636821659901964	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.BSS	0x24000	0x459	0x600	b4c2a1beaf0c0765ad1632a0898bbd69	False	0.615234375	data	5.346821656834738	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0xa282	0xa400	b3b9f7782c2d7f6a3967f05534ee11aa	False	0.4330935594512195	data	4.952696529071435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x30000	0x164208	0x163400	0196b6dbbf14dc5b193f07dc2ca77590	False	0.99768195263019	data	7.999250559624117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x195000	0x1bf8	0x1c00	79fc0e2ad9363ceedd9a95d5c7d12fdf	False	0.7586495535714286	data	6.536443289277378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

ADVAPI32.dll

GetNumberOfEventLogRecords

KERNEL32.dll

VirtualAlloc, WaitForSingleObjectEx, CloseHandle, FreeConsole, CreateThread, QueryPerformanceCounter, QueryPerformanceFrequency, WideCharToMultiByte, GetCurrentThreadId, ReleaseSRWLockExclusive, Sleep, GetExitCodeThread, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, WakeAllConditionVariable, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-21T16:17:23.746997+0200	2049060	ET MALWARE RisePro TCP Heartbeat Packet	1	192.168.2.7	49708	118.194.235.187	50500	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2024 16:17:23.647083044 CEST	49708	50500	192.168.2.7	118.194.235.187
Sep 21, 2024 16:17:23.652306080 CEST	50500	49708	118.194.235.187	192.168.2.7
Sep 21, 2024 16:17:23.652596951 CEST	49708	50500	192.168.2.7	118.194.235.187
Sep 21, 2024 16:17:23.746997118 CEST	49708	50500	192.168.2.7	118.194.235.187
Sep 21, 2024 16:17:23.752032995 CEST	50500	49708	118.194.235.187	192.168.2.7
Sep 21, 2024 16:17:45.034359932 CEST	50500	49708	118.194.235.187	192.168.2.7
Sep 21, 2024 16:17:45.034591913 CEST	49708	50500	192.168.2.7	118.194.235.187

Target ID:	5
Start time:	10:17:00
Start date:	21/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x840000
File size:	1'646'592 bytes
MD5 hash:	19B9DE641A480BE1236DD9712D9CCC10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:17:01
Start date:	21/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x110000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3743374835.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:17:02
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	10:17:06
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell" Get-MpPreference -verbose
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:17:06
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:17:08
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:17:09
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:17:10
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:17:10
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:17:10
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:17:10
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:33:26
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:33:26
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x990000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:33:26
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	11:33:26
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x990000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:33:28
Start date:	21/09/2024
Path:	C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
Imagebase:	0x5f0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	11:33:28
Start date:	21/09/2024
Path:	C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
Imagebase:	0xb10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	11:33:28
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	11:33:28
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	11:33:36
Start date:	21/09/2024
Path:	C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe"
Imagebase:	0xb50000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	11:33:36
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	11:33:45
Start date:	21/09/2024
Path:	C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe"
Imagebase:	0xdc0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	11:33:45
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	11:34:03
Start date:	21/09/2024
Path:	C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe"
Imagebase:	0x6b0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	11:34:03
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 00E2018D Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00E202FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00E2030F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00E2032D
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E20351
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00E2037C
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 00E203D4
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 00E2041F
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E2045D
Wow64SetThreadContext.KERNEL32(?,?), ref: 00E20499
ResumeThread.KERNELBASE(?), ref: 00E204A8

Strings

aryA, xrefs: 00E201D3
GetP, xrefs: 00E2020F
Load, xrefs: 00E201CB
ress, xrefs: 00E20217

Memory Dump Source

Source File: 00000005.00000002.1293150889.0000000000E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e20000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: c328f4c28e41ef8e39e517d03f178177459d8191a2896582562c032126e4d23c
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 2EB1F67260024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB342D774FA518B94

Function 0085503C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec6fce6b7bd29b454c69d8250e9f5f10a3b32f08736243a7260ed219140a07f
Instruction ID: e1c2c72b3dd214c2de1866e6441de46d83c6e440cd799e7312316c595ce0eef1
Opcode Fuzzy Hash: 8ec6fce6b7bd29b454c69d8250e9f5f10a3b32f08736243a7260ed219140a07f
Instruction Fuzzy Hash: 80F06531665B24DFCB26D78CD405A5973ACFB45B52F114056F901E7291C770DD44CBD1

Function 008540D9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,CE39C80F,?,008541E6,?,?,?,00000000), ref: 0085419A

Strings

api-ms-, xrefs: 00854130
ext-ms-, xrefs: 00854144

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c8ac6923dd1fee947cd9d9548ca9036315a0a3ad0ab6baf1dcbab7eb0c5dc2fe
Instruction ID: 1f7f98448f1f6da92db4320d83e43d00bc18fd356f80691535d54f5866965b4d
Opcode Fuzzy Hash: c8ac6923dd1fee947cd9d9548ca9036315a0a3ad0ab6baf1dcbab7eb0c5dc2fe
Instruction Fuzzy Hash: 12213D71A81A11BBDB229B24EC44A5A3768FF513BAF251110FD15E72D0DB70EEC8CAD1

Function 00864363 Relevance: 8.6, APIs: 5, Instructions: 1099
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32 ref: 0086436A
GetCurrentThreadId.KERNEL32 ref: 008643A8
std::_Throw_Cpp_error.LIBCPMT ref: 0086444E

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ConsoleCpp_errorCurrentFreeThreadThrow_std::_
String ID:
API String ID: 1679527187-0
Opcode ID: 10169c2a3d4a997d9c33debdc522537eaa55b4bd342c93136637336d1cd97fc3
Instruction ID: 03cba825695c7cdffcacca3b979972df62acdab97e69e6b77fc4a69829a58d49
Opcode Fuzzy Hash: 10169c2a3d4a997d9c33debdc522537eaa55b4bd342c93136637336d1cd97fc3
Instruction Fuzzy Hash: 6D3181B1E0120DAFDB149FA88D87BAEBB78FF04314F115139E501E6681DA715A44CA62

Function 00843B81 Relevance: 4.6, APIs: 3, Instructions: 54
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00843BCD
Sleep.KERNEL32(00000000,00000000,?,000F4240,00000000,?,?,000F4240,00000000,05265C00,00000000,00000000,?,00000000), ref: 00843BF2
Sleep.KERNEL32(05265C00,00000000,00000000,?,00000000), ref: 00843C02

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: Sleep$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 240202187-0
Opcode ID: 3a25587fb190b88d63c181b04fc118112d0198d79b84116f7d42701c8895d46e
Instruction ID: 74dd0fc540e8561afad8c49baa6fd57278dfa0a981c5ddb687d6af61e3351f8b
Opcode Fuzzy Hash: 3a25587fb190b88d63c181b04fc118112d0198d79b84116f7d42701c8895d46e
Instruction Fuzzy Hash: DC01B53264470C5AD610FE0D8CC3B2E7655FB91330F95082EF540E61A7E5626F4846A7

Function 0084ADAA Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_0000AC4E,00000000,?,?), ref: 0084ADF3
GetLastError.KERNEL32 ref: 0084ADFF
__dosmaperr.LIBCMT ref: 0084AE06

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 3527433ea6c6cc8ab6ad38ec52d356c8ee0a1d78af5891e43f55fa432c4cd898
Instruction ID: cd909e2c0bc1538b077feb4effc125e318cfe7e361a400077f55b85b5327d14c
Opcode Fuzzy Hash: 3527433ea6c6cc8ab6ad38ec52d356c8ee0a1d78af5891e43f55fa432c4cd898
Instruction Fuzzy Hash: A7019A7294121DAFCF19AFA4DC06AEE3BA4FF00365F014028F811DA190EB70CA50DBE2

Function 0084AD03 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00854EA2: GetLastError.KERNEL32(00000000,?,00850493,00853934,?,?,00854D9E,00000001,00000364,?,00000003,000000FF,?,0084AC73,0086E368,0000000C), ref: 00854EA6
Part of subcall function 00854EA2: SetLastError.KERNEL32(00000000), ref: 00854F48

CloseHandle.KERNEL32(?,?,?,0084AE3A,?,?,0084ACAC,00000000), ref: 0084AD34
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,0084AE3A,?,?,0084ACAC,00000000), ref: 0084AD4A
ExitThread.KERNEL32 ref: 0084AD53

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 4ba0cc406cc8a27edb8d68a2b0e195d89e1dbf089c0522812cdd0beb1bc6af1b
Instruction ID: 323f730aa846fae8cab70be98c673863fc5f26e03c42b4c3645fb23516311ed0
Opcode Fuzzy Hash: 4ba0cc406cc8a27edb8d68a2b0e195d89e1dbf089c0522812cdd0beb1bc6af1b
Instruction Fuzzy Hash: 3AF0BE30900A086BEB381F798C08B1A7A98FF01322F084A00F825CB9B0CB31DC848693

Function 008518F8 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,008518F2,0084E626,0084E626,?,00000002,CE39C80F,0084E626,00000002), ref: 00851909
TerminateProcess.KERNEL32(00000000,?,008518F2,0084E626,0084E626,?,00000002,CE39C80F,0084E626,00000002), ref: 00851910
ExitProcess.KERNEL32 ref: 00851922

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7ede0f665c43d09c77d3f6f63e7f3bd682b8adaa372e5b98b80bac5ded6ee6e0
Instruction ID: e895ea8ce01958c4cab9e155d9deb07017b5b8963adbb7ed58cbba698b23e6ae
Opcode Fuzzy Hash: 7ede0f665c43d09c77d3f6f63e7f3bd682b8adaa372e5b98b80bac5ded6ee6e0
Instruction Fuzzy Hash: 07D06C32400948AFCF112F64DC2DA5D7F2AFA40382B959114F9099A136CBB1D9969AA2

Function 0084AC4E Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(0086E368,0000000C), ref: 0084AC61
ExitThread.KERNEL32 ref: 0084AC68

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 751fbbf9080e9028eea1cee10ee9b14d95436876792fe39e85fc28237ecb92bd
Instruction ID: 153fb9661576e81f715b9f1e09f1de8c8fd425cc2491ea8c98e3de4d799df737
Opcode Fuzzy Hash: 751fbbf9080e9028eea1cee10ee9b14d95436876792fe39e85fc28237ecb92bd
Instruction Fuzzy Hash: 73F0C271940A08EFDB05AF74C99AA6E3B75FF01712F210049F811DB2A2CB749940CFA3

Function 008541A4 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0987bb34f47e410090caf84004cc9c5d52d348cd8e94fda42a3e848c9a62f305
Instruction ID: 807a107e38d26bafa91ec84111f90e3998214668c7f02331ae855fb14e703acb
Opcode Fuzzy Hash: 0987bb34f47e410090caf84004cc9c5d52d348cd8e94fda42a3e848c9a62f305
Instruction Fuzzy Hash: 8C014533700925AF9F258E29FC00A5A33D6FB8133AB249020FE19CB088DA31C8C98790

Function 008538E2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00854D9E,00000001,00000364,?,00000003,000000FF,?,0084AC73,0086E368,0000000C), ref: 00853923

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 60bfcfa127c912f844571e7e2429d7835c9a75288f612e9f000ff68b2ad1094d
Instruction ID: 453e7135c3734bad60b33e00bbce47a1805bf6742a071a1bbfe916c3cb8f7fb9
Opcode Fuzzy Hash: 60bfcfa127c912f844571e7e2429d7835c9a75288f612e9f000ff68b2ad1094d
Instruction Fuzzy Hash: C7F0B471109A2467DF225A6A9C01B5A7F48FF427E3F148021FC09E6194DAA0DF0886E1

Non-executed Functions

Function 0085E74F Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0085E933

Strings

1#SNAN, xrefs: 0085E85B
1#INF, xrefs: 0085E885
1#QNAN, xrefs: 0085E862
1#IND, xrefs: 0085E854

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0eb4d24e66b39a10acc3f64d3b5a5eb6065ebbec514b583b5a77367332db5c30
Instruction ID: d76513cd9a93ee442968fbd42441db8c5a71c5ac89716f0fe51bb16d45ceef92
Opcode Fuzzy Hash: 0eb4d24e66b39a10acc3f64d3b5a5eb6065ebbec514b583b5a77367332db5c30
Instruction Fuzzy Hash: 97D23A72E086288FDB25CE28CD407EAB7B5FB44306F1441EAD94DE7241E738AE858F41

Function 0085DAA9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0085DDC7,00000002,00000000,?,?,?,0085DDC7,?,00000000), ref: 0085DB42
GetLocaleInfoW.KERNEL32(?,20001004,0085DDC7,00000002,00000000,?,?,?,0085DDC7,?,00000000), ref: 0085DB6B
GetACP.KERNEL32(?,?,0085DDC7,?,00000000), ref: 0085DB80

Strings

OCP, xrefs: 0085DAFD
ACP, xrefs: 0085DAC7

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: da00cb37360d43dfa749605c5b47f6ef09fc4f0f8e07bcff1c6434360ee2fa59
Instruction ID: 0ea38df198bc760e7072e2891805097c41d509b55492ae84d4e724645de76699
Opcode Fuzzy Hash: da00cb37360d43dfa749605c5b47f6ef09fc4f0f8e07bcff1c6434360ee2fa59
Instruction Fuzzy Hash: A6219A76A00205EADB358F64C901A9773A7FB50B76B578464EE0ADB110F732DE49C392

Function 0085DC7E Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00854D51: GetLastError.KERNEL32(?,?,0084AC73,0086E368,0000000C), ref: 00854D55
Part of subcall function 00854D51: SetLastError.KERNEL32(00000000), ref: 00854DF7

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0085DD8A
IsValidCodePage.KERNEL32(00000000), ref: 0085DDD3
IsValidLocale.KERNEL32(?,00000001), ref: 0085DDE2
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0085DE2A
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0085DE49

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 6f2fa3afef536c68bbcf428c20e090ced67ff51288cf344efbc5ab8e2d37cb9f
Instruction ID: 3b7d437474da47f1d056ba947322be2e228057d4dbfcb64fc50d703063658946
Opcode Fuzzy Hash: 6f2fa3afef536c68bbcf428c20e090ced67ff51288cf344efbc5ab8e2d37cb9f
Instruction Fuzzy Hash: 38518E71A00709ABDB20DFA9CC45ABE77B8FF04702F154429FD15E7190EBB09948CB61

Function 0085D31A Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00854D51: GetLastError.KERNEL32(?,?,0084AC73,0086E368,0000000C), ref: 00854D55
Part of subcall function 00854D51: SetLastError.KERNEL32(00000000), ref: 00854DF7

GetACP.KERNEL32(?,?,?,?,?,?,008522AB,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0085D3DB
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,008522AB,?,?,?,00000055,?,-00000050,?,?), ref: 0085D406
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0085D569

Strings

utf8, xrefs: 0085D4D8

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 391f8f61c10e0b99a8ded0ce93def72660657cca1169650700f7b1ec74597428
Instruction ID: 215f918ccc2121c9c64ef983d73171ed0f9f6e3dfac6221b8c998d89136e6dd0
Opcode Fuzzy Hash: 391f8f61c10e0b99a8ded0ce93def72660657cca1169650700f7b1ec74597428
Instruction Fuzzy Hash: 62710771600706AAEB34AB78CC86FAA77A8FF44716F144029FD05D7281FB71E949C762

Function 008552C0 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0085534D

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 1072c5e6e1c16b752ba31c9af8bb0539825a8b68ef300b8e92e05e0def2a22cc
Instruction ID: 7ad3aef1f7a2183a0a59e3e64f2b4d7fc21162a864cd2035d5496893c8940ac3
Opcode Fuzzy Hash: 1072c5e6e1c16b752ba31c9af8bb0539825a8b68ef300b8e92e05e0def2a22cc
Instruction Fuzzy Hash: 35B18A72900A499FDB11CF28C8A17FEBBA6FF55341F1481AAEC05EB341D2749D49CBA1

Function 00846BFA Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00846C06
IsDebuggerPresent.KERNEL32 ref: 00846CD2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00846CEB
UnhandledExceptionFilter.KERNEL32(?), ref: 00846CF5

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: fc47e0e41605fef286645b1c8662e86f8af9532a2bf34d2018df020102a9ac40
Instruction ID: 7fbf864eba07ac5e71450a15451d729072535f04153d1d1981f765d08d7b9389
Opcode Fuzzy Hash: fc47e0e41605fef286645b1c8662e86f8af9532a2bf34d2018df020102a9ac40
Instruction Fuzzy Hash: 5831F7B5D0561C9BDF20DFA4D9497CDBBB8FF18700F1041AAE50DAB250EB719A848F46

Function 0085D72D Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00854D51: GetLastError.KERNEL32(?,?,0084AC73,0086E368,0000000C), ref: 00854D55
Part of subcall function 00854D51: SetLastError.KERNEL32(00000000), ref: 00854DF7

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0085D781
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0085D7CB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0085D891

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 349bfeb22cd50de029176eb4fb7bd137fe652abd04563b777361eb1e861a3c47
Instruction ID: 7b188435c8cfe9b429fd4775493b1fd8cf99f742511da2bbf2f04cf2452b7da4
Opcode Fuzzy Hash: 349bfeb22cd50de029176eb4fb7bd137fe652abd04563b777361eb1e861a3c47
Instruction Fuzzy Hash: 1461AD7190031B9BDB389F28CC82BAA77A8FF04316F1441B9ED15D7285EB35D989CB51

Function 0084E2CF Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000010), ref: 0084E3C7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 0084E3D1
UnhandledExceptionFilter.KERNEL32(0086E0A0,?,?,?,?,?,00000010), ref: 0084E3DE

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 81e70d00954ed7a55623428bfe8a342b83e7be0e4c4251e63334f17b401f023a
Instruction ID: 335761e71e6ff4c4445e35a743951b59b49d05642ede20d47f16989fe9ed0141
Opcode Fuzzy Hash: 81e70d00954ed7a55623428bfe8a342b83e7be0e4c4251e63334f17b401f023a
Instruction Fuzzy Hash: 1731A27490162CABCB21DF68D889B8DBBB8FF18710F5041EAE41CA7250EB749B858F55

Function 00850530 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f16e2d6336bb1e657f2e6f78f4751b26da7cdb430e08984ee6e89854f7e844
Instruction ID: 5e17e634f7ff2758c6d71b7c1b086ce2bb34b01a8a8d99c82b227aa10e4ee003
Opcode Fuzzy Hash: a5f16e2d6336bb1e657f2e6f78f4751b26da7cdb430e08984ee6e89854f7e844
Instruction Fuzzy Hash: 3EF12B71E012199FDF14CFA8C980AAEBBB1FF88325F158269E815E7385D731A905CF90

Function 008565D5 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008565D0,?,?,00000008,?,?,00862545,00000000), ref: 00856802

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 11e5e4a1061e7220f749593fba1cff8814956371988a28249184a69696084bf6
Instruction ID: f649af41e8aee1f70d0607165fbca8a0d9720dfebf5fb3077720dbddf32f3fc1
Opcode Fuzzy Hash: 11e5e4a1061e7220f749593fba1cff8814956371988a28249184a69696084bf6
Instruction Fuzzy Hash: 5CB16F35610609CFDB18CF28C486B647BE0FF04369F658668E899CF2A1D335E9A5CB40

Function 008468EC Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00846902

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b8bd462c9ba284fa3526c093c24d9ee066b0b3cb435198e95998d636f0770046
Instruction ID: 54c44b8c6a06a440402bc3201513c652bd213a7fba03eb849d916423b0c49e49
Opcode Fuzzy Hash: b8bd462c9ba284fa3526c093c24d9ee066b0b3cb435198e95998d636f0770046
Instruction Fuzzy Hash: 6451CBB1A11A19CFEB14CFA8D9857AABBF0FB59310F14C02AC505EB251E374D950CF92

Function 0085A797 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ecfd2e0fa523f0bde800bca0dc4795e44f4018b460d57d146de96bb73850e2
Instruction ID: 0af89481755027e47209f7ea8e655b4998f03994e7e8c188bf3e95e72a983e77
Opcode Fuzzy Hash: 78ecfd2e0fa523f0bde800bca0dc4795e44f4018b460d57d146de96bb73850e2
Instruction Fuzzy Hash: 8B41C4B5800218AEDB24DF69CCC9AAABBB9FF45305F1442D9E848E3201D6319E898F11

Function 0084CB74 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0084CD02

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 5255fe73dc041f9d78705bba9afc736d452d52d3a4dd3443421545d5089ba935
Instruction ID: 57ac67455ffca524a710389861db806ee1b0233ab7c4b88c05fe659f504867b9
Opcode Fuzzy Hash: 5255fe73dc041f9d78705bba9afc736d452d52d3a4dd3443421545d5089ba935
Instruction Fuzzy Hash: BEC1FF70A0264E8FCBA4CF68C4916BABBB9FF05314F244A1DD856DB291C730ED45CB51

Function 0085D980 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00854D51: GetLastError.KERNEL32(?,?,0084AC73,0086E368,0000000C), ref: 00854D55
Part of subcall function 00854D51: SetLastError.KERNEL32(00000000), ref: 00854DF7

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0085D9D4

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0c37c0491bf6de6014d467ba2c2b001820e91ed9fc9f862675c4dcbbcb7162b3
Instruction ID: 54fc9fc201ea5721dd531650020f6835200e363ba978a8dfc6cf203191c207c1
Opcode Fuzzy Hash: 0c37c0491bf6de6014d467ba2c2b001820e91ed9fc9f862675c4dcbbcb7162b3
Instruction Fuzzy Hash: 4721CF32619226ABDF29DA29CC82ABB73ACFF44316F10007AFD05D7145EB74ED488B51

Function 0084C82C Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 0084C9B6

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: eff21bea70c5507a757a54ba7f30cd75e48617a96796ca5763eccc7ac6e0c55c
Instruction ID: 11f1fca904f2e5f7275e14c7fd47be3ad1c909e7da7d4228f66b6db21d96f1f3
Opcode Fuzzy Hash: eff21bea70c5507a757a54ba7f30cd75e48617a96796ca5763eccc7ac6e0c55c
Instruction Fuzzy Hash: 54B1E370A0270E9BCFA8CF68C4916BEBBA9FF44314F14062ED492E7691D731E941CB56

Function 0085D607 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00854D51: GetLastError.KERNEL32(?,?,0084AC73,0086E368,0000000C), ref: 00854D55
Part of subcall function 00854D51: SetLastError.KERNEL32(00000000), ref: 00854DF7

EnumSystemLocalesW.KERNEL32(0085D72D,00000001,00000000,?,-00000050,?,0085DD5E,00000000,?,?,?,00000055,?), ref: 0085D679

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: eb6c510bae352066d623d943181a41ccd3b229577c0d0be3022c9341a49e72d7
Instruction ID: 63fec953a830a573e1573ffd2f3b235ab8d4647a3a8e98d717457feb29259e56
Opcode Fuzzy Hash: eb6c510bae352066d623d943181a41ccd3b229577c0d0be3022c9341a49e72d7
Instruction Fuzzy Hash: B311C23A2007019FDB289F3988916BAB792FB9435AB15442CED9A87B40D775A947CB80

Function 0085DBAF Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00854D51: GetLastError.KERNEL32(?,?,0084AC73,0086E368,0000000C), ref: 00854D55
Part of subcall function 00854D51: SetLastError.KERNEL32(00000000), ref: 00854DF7

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0085D949,00000000,00000000,?), ref: 0085DBDB

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: edec29c577274f612adb40a45e1e5c5afcf1c8d84e15d5c980275a44f54cb051
Instruction ID: b449b6574708cc66dd069fa7ad4aee23cea959f684b42357369ffdce8b0721ce
Opcode Fuzzy Hash: edec29c577274f612adb40a45e1e5c5afcf1c8d84e15d5c980275a44f54cb051
Instruction Fuzzy Hash: 9FF02D36900322BBDB385B65CC46BFA7768FB40395F150424EC16E3280EAB0FD85C5D0

Function 0085D6A2 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00854D51: GetLastError.KERNEL32(?,?,0084AC73,0086E368,0000000C), ref: 00854D55
Part of subcall function 00854D51: SetLastError.KERNEL32(00000000), ref: 00854DF7

EnumSystemLocalesW.KERNEL32(0085D980,00000001,?,?,-00000050,?,0085DD22,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0085D6EC

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 406e8161f0d60aeca8202356306d02f0ab9c21d11bb5c8a69ce36e9b7b406ee7
Instruction ID: fc3d6df4e1ae3cf575eb870bd9e0d30f30bb158eaf7156afa24e9299f19a5516
Opcode Fuzzy Hash: 406e8161f0d60aeca8202356306d02f0ab9c21d11bb5c8a69ce36e9b7b406ee7
Instruction Fuzzy Hash: FAF0F6362003045FDB245F3998D1A7A7BD1FF80769F16842CFD49CB690D6B1AC46CA90

Function 00853F10 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0084E56D: EnterCriticalSection.KERNEL32(?,?,00854A29,?,0086E6D8,00000008,00854BED,?,?,?), ref: 0084E57C

EnumSystemLocalesW.KERNEL32(00853F03,00000001,0086E678,0000000C,00854372,00000000), ref: 00853F48

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 9cd3c36ad9f4d286fcef9f356f2f509a26ecfccbf542b8a36943f9ae1a7af9f9
Instruction ID: 355f44f751ffee74a1de4b38e2912b38a282c6805fa0ff1b433c078e5d9ceb68
Opcode Fuzzy Hash: 9cd3c36ad9f4d286fcef9f356f2f509a26ecfccbf542b8a36943f9ae1a7af9f9
Instruction Fuzzy Hash: DDF03C76A50204DFDB00DFA8E842B5977F1FB15721F10411AF415DB2E0DBB54A44CF51

Function 0085D5BC Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00854D51: GetLastError.KERNEL32(?,?,0084AC73,0086E368,0000000C), ref: 00854D55
Part of subcall function 00854D51: SetLastError.KERNEL32(00000000), ref: 00854DF7

EnumSystemLocalesW.KERNEL32(0085D515,00000001,?,?,?,0085DD80,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0085D5F3

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 96b7a3f4817ca91d9c76799065e954578027f1cc2c7f0d1c17751ca664a25feb
Instruction ID: f0e0adc51612dce0cca676d2744408ebc079a15e5fb3e7f51e963c3a7f8ca779
Opcode Fuzzy Hash: 96b7a3f4817ca91d9c76799065e954578027f1cc2c7f0d1c17751ca664a25feb
Instruction Fuzzy Hash: 22F0553630030457CB14AF39C84576A7FA0FFC1716F060058EE09CB650DAB1D846C790

Function 00854476 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00852E11,?,20001004,00000000,00000002,?,?,00852413), ref: 008544AA

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d0c1229b9f6f1f55fdf031c30a2d26bf5adc52578aef3cd6fb17bc938b7d5f23
Instruction ID: 4af0caca4facbea46b54ea37a955a8356423be5caa3479161796f6f6c0b1b2f5
Opcode Fuzzy Hash: d0c1229b9f6f1f55fdf031c30a2d26bf5adc52578aef3cd6fb17bc938b7d5f23
Instruction Fuzzy Hash: 44E0DF32400A18BBCF122F60EC04FAE3E16FF04766F015010FD05A5160CB728964AAD9

Function 00846D56 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006D62,00846387), ref: 00846D5B

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6eb59ff1ddaeaced96c575af61daef6711ed8cba213193813b13be50a056754e
Instruction ID: 93edf241e4e05d58bf1f8524038b722b591182865594b9af5f86f26f60b979e1
Opcode Fuzzy Hash: 6eb59ff1ddaeaced96c575af61daef6711ed8cba213193813b13be50a056754e
Instruction Fuzzy Hash:

Function 0085DEE0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0085DEE0

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 5da5d90a6df93a28e6d8e6bfb565c64ade89b2535ba5c7b0562a58ecbc0bcd9f
Instruction ID: 22f3a80261811f11a03668cbb63be8865c1756c35f78b91597fa23801489166a
Opcode Fuzzy Hash: 5da5d90a6df93a28e6d8e6bfb565c64ade89b2535ba5c7b0562a58ecbc0bcd9f
Instruction Fuzzy Hash: DCA012702091008F43004F315A0830937D86513180701401D9004C4120E67440909F00

Function 0085CDCB Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 946790ee97899bc4eff35218b7adb15a53e122e3c5219af8652178f889d5c904
Instruction ID: 9cbbc886414d75b2796813a71d2fd256725008f0c532779e9ef8ebc6c535368e
Opcode Fuzzy Hash: 946790ee97899bc4eff35218b7adb15a53e122e3c5219af8652178f889d5c904
Instruction Fuzzy Hash: 80B1F7355007059FDB389B28CC82BB7B3E9FB4470AF54452DED83C6580EAB5E98ACB11

Function 00855080 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40462530d1634de5f1ed506cdc9d9bcd32bdc8a5f714ca53be199472989dfe9
Instruction ID: 4f3a804c4f74d748d5c9d0975146fbdf6bf9a088964496ac56ab0b342a5b5194
Opcode Fuzzy Hash: c40462530d1634de5f1ed506cdc9d9bcd32bdc8a5f714ca53be199472989dfe9
Instruction Fuzzy Hash: BDE08C32A15638EBCB24DB8CC90498AF3ECFB85B12B150496B901D3140C270DE04C7D1

Function 0085196C Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65364d3200f27164b2687277c73e936126ef5f1e13391596fd0bee30aa55541d
Instruction ID: 68268b5365c91b87a0a523a9f4c408e3a6723c992a2adf8306b814c2174f9440
Opcode Fuzzy Hash: 65364d3200f27164b2687277c73e936126ef5f1e13391596fd0bee30aa55541d
Instruction Fuzzy Hash: ECC08C34100D005ACE29892482F57A573A4F392783FC8048CCC438B782C51FAC8BD781

Function 00845E3F Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00845E45
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00845E53
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00845E64
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00845E75

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00845E59
GetTempPath2W, xrefs: 00845E6A
kernel32.dll, xrefs: 00845E40
GetCurrentPackageId, xrefs: 00845E4D

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 849399a3732e5192a47497140d8a3daab5f1265c7fd007ac107ced4a3c3b40f9
Instruction ID: 25b81ea9da28f5bf436344ffb1545bfbfd05b0751618dc8da780148a43565ecd
Opcode Fuzzy Hash: 849399a3732e5192a47497140d8a3daab5f1265c7fd007ac107ced4a3c3b40f9
Instruction Fuzzy Hash: 7BE0EC71AAAF10FF83006F70FD0D8493BA8FA05702B035112F595DA260DEFC85408B92

Function 00849A58 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00849B77
___TypeMatch.LIBVCRUNTIME ref: 00849C85
_UnwindNestedFrames.LIBCMT ref: 00849DD7
CallUnexpected.LIBVCRUNTIME ref: 00849DF2

Strings

csm, xrefs: 00849B02
csm, xrefs: 00849BAE
csm, xrefs: 00849A95

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 90d8116cb173bdee408e1a1a65e9a7ce04a6ee61baba5c81101fe17b0e49e685
Instruction ID: 52f39969dd695522a07f741cd212fb49cace7117d70fe01e31a434a9963da2bb
Opcode Fuzzy Hash: 90d8116cb173bdee408e1a1a65e9a7ce04a6ee61baba5c81101fe17b0e49e685
Instruction Fuzzy Hash: B4B17771C0021DEFCF28DFA8C8819AFBBB5FF14314B11415AE895AB212D735DA51CB92

Function 00858D00 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00858F79

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 4946d0c2da0f56b1c588b02a5447cbf49bf1b8af144ed9880d2b7bae31b551ac
Instruction ID: c62b46cb25875ed5ce6d606d65d081b342c92e6d7e973a48e67db33be9146db0
Opcode Fuzzy Hash: 4946d0c2da0f56b1c588b02a5447cbf49bf1b8af144ed9880d2b7bae31b551ac
Instruction Fuzzy Hash: 71B1F370A04609EFDB11CF98C881BAE7BB2FF49306F14405AED45F7292CB749949CB61

Function 0086140A Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00F7FE78,00F7FE78,?,7FFFFFFF,?,008616DA,00F7FE78,00F7FE78,?,00F7FE78,?,?,?,?,00F7FE78,?), ref: 008614B0
__alloca_probe_16.LIBCMT ref: 0086156B
__alloca_probe_16.LIBCMT ref: 008615FA
__freea.LIBCMT ref: 00861645
__freea.LIBCMT ref: 0086164B
__freea.LIBCMT ref: 00861681
__freea.LIBCMT ref: 00861687
__freea.LIBCMT ref: 00861697

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 6ebcde06eb7d96260848ddd36b50cb984d6fd4f6adcbd4858c604ba77dd83f8f
Instruction ID: 519f578dcaaa91affcbd60babf66655615ef9fb006283d30cb7d4b778c7fb935
Opcode Fuzzy Hash: 6ebcde06eb7d96260848ddd36b50cb984d6fd4f6adcbd4858c604ba77dd83f8f
Instruction Fuzzy Hash: B1710776900209ABDF219E68CC99FAE77BAFF55314F1E0459E805E7283EB35CC048796

Function 008460B3 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 008460FC
__alloca_probe_16.LIBCMT ref: 00846128
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00846167
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00846184
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 008461C3
__alloca_probe_16.LIBCMT ref: 008461E0
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00846222
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00846245

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: ba09ac13abdfa70ec8eae60ecb099bc1cd2a5dacf36f518388e9c4bcf4c18858
Instruction ID: abdeca005be85b8c6996cc2049ba2f36e652412c6a581f4ff9b56e847749c533
Opcode Fuzzy Hash: ba09ac13abdfa70ec8eae60ecb099bc1cd2a5dacf36f518388e9c4bcf4c18858
Instruction Fuzzy Hash: 0251927290022EBBDB209F64CC45FAB7BA9FF42744F154425F915E6150F7B4DC208B92

Function 00844428 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0084442F
std::_Lockit::_Lockit.LIBCPMT ref: 00844439
int.LIBCPMT ref: 00844450

Part of subcall function 00841684: std::_Lockit::_Lockit.LIBCPMT ref: 00841695
Part of subcall function 00841684: std::_Lockit::~_Lockit.LIBCPMT ref: 008416AF

codecvt.LIBCPMT ref: 00844473
std::_Facet_Register.LIBCPMT ref: 0084448A
std::_Lockit::~_Lockit.LIBCPMT ref: 008444AA
Concurrency::cancel_current_task.LIBCPMT ref: 008444B7

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 08988c0f011c93e2f6754820a4b979ce1ccf58eed4569281200107a4118ff28d
Instruction ID: 101fb7f9c0199333cc7aef85e9be2579d02229159b4eb8fee5d85d1ceafff48b
Opcode Fuzzy Hash: 08988c0f011c93e2f6754820a4b979ce1ccf58eed4569281200107a4118ff28d
Instruction Fuzzy Hash: 4901C03190161D8BCF15EBACC846BAEB7B0FF90720F694409E411EB292DF749E058B82

Function 008496EA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008496E1,00847E01,00846DA6), ref: 008496F8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00849706
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0084971F
SetLastError.KERNEL32(00000000,008496E1,00847E01,00846DA6), ref: 00849771

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b8c2bd37df53fb6959e3a97cd8a300f12f44473105ae7cbcbd6e451133bab67f
Instruction ID: fa3f85c9387d5516d87053f2c7a98d02fd13b23392f0f998ecc48d2cd9d22323
Opcode Fuzzy Hash: b8c2bd37df53fb6959e3a97cd8a300f12f44473105ae7cbcbd6e451133bab67f
Instruction Fuzzy Hash: F101D83615DB1A9DD6381EB87CC9B672F85FB01779B200239F124C90E1EE518C41DB42

Function 0085198E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,CE39C80F,?,?,00000000,008630BF,000000FF,?,0085191E,00000002,?,008518F2,0084E626), ref: 008519C3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008519D5
FreeLibrary.KERNEL32(00000000,?,?,00000000,008630BF,000000FF,?,0085191E,00000002,?,008518F2,0084E626), ref: 008519F7

Strings

CorExitProcess, xrefs: 008519CD
mscoree.dll, xrefs: 008519BC

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 324bd7e75ad9f0bf4b1050700635911a5c390129a2dd82b23b9934cef21605a4
Instruction ID: da743dab55a37e3e8e8ee99cc718c8f643ab68bd7049101c842525c0d4ad67a2
Opcode Fuzzy Hash: 324bd7e75ad9f0bf4b1050700635911a5c390129a2dd82b23b9934cef21605a4
Instruction Fuzzy Hash: 66016231A00E19EBDB119F50DC19FAEBBB9FB04B15F010629F821E2390DBB99904CA91

Function 00859DAB Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00859E32
__alloca_probe_16.LIBCMT ref: 00859EF3
__freea.LIBCMT ref: 00859F5A

Part of subcall function 008550B1: HeapAlloc.KERNEL32(00000000,0085B047,?,?,0085B047,00000220,?,00000010,?), ref: 008550E3

__freea.LIBCMT ref: 00859F6F
__freea.LIBCMT ref: 00859F7F

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 656d8dc59baaa778ef57e0405dd54e76662148ca2f91edfb8c2d588d2c2a971d
Instruction ID: 5ebe72ecf08628fa9091c58a9302968139a3031026c44bd8fd1f3b8d1440c306
Opcode Fuzzy Hash: 656d8dc59baaa778ef57e0405dd54e76662148ca2f91edfb8c2d588d2c2a971d
Instruction Fuzzy Hash: 6F51A17260021AEBEF249F64CC82EAF3AADFF05756F150128FD49D6251EB71CC5887A1

Function 00843137 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00843143
int.LIBCPMT ref: 00843156

Part of subcall function 00841684: std::_Lockit::_Lockit.LIBCPMT ref: 00841695
Part of subcall function 00841684: std::_Lockit::~_Lockit.LIBCPMT ref: 008416AF

std::_Facet_Register.LIBCPMT ref: 00843189
std::_Lockit::~_Lockit.LIBCPMT ref: 0084319F
Concurrency::cancel_current_task.LIBCPMT ref: 008431AA

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 8944a86bf42e3379b52eb9263f2cbb02f83cc75f8d276628f24ef2121c2b2f99
Instruction ID: f186c0a3a8d11f797a268327073c44a8fb48f8aefbee461e0b0d76a072f2d8dc
Opcode Fuzzy Hash: 8944a86bf42e3379b52eb9263f2cbb02f83cc75f8d276628f24ef2121c2b2f99
Instruction Fuzzy Hash: 50018F7290451CABCB14AB58DC0999E7B68FF91760B15015AF805EB291EF30EF81CB81

Function 00842EC9 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00842ED5
int.LIBCPMT ref: 00842EE8

Part of subcall function 00841684: std::_Lockit::_Lockit.LIBCPMT ref: 00841695
Part of subcall function 00841684: std::_Lockit::~_Lockit.LIBCPMT ref: 008416AF

std::_Facet_Register.LIBCPMT ref: 00842F1B
std::_Lockit::~_Lockit.LIBCPMT ref: 00842F31
Concurrency::cancel_current_task.LIBCPMT ref: 00842F3C

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 474ca32fc313a7c8da173b20eb77077de66d31a8cbc5ea67c2d2e4b8919f2c91
Instruction ID: 2fcce74502071fa22ed62bb1265a60a7868912dd8657e3784f67c4be4ed8eac7
Opcode Fuzzy Hash: 474ca32fc313a7c8da173b20eb77077de66d31a8cbc5ea67c2d2e4b8919f2c91
Instruction Fuzzy Hash: B501F73690851CABCF25EB58D80989D7B78FF50760B610155F801E7291EF30AE81C791

Function 0084366B Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00843677
int.LIBCPMT ref: 0084368A

Part of subcall function 00841684: std::_Lockit::_Lockit.LIBCPMT ref: 00841695
Part of subcall function 00841684: std::_Lockit::~_Lockit.LIBCPMT ref: 008416AF

std::_Facet_Register.LIBCPMT ref: 008436BD
std::_Lockit::~_Lockit.LIBCPMT ref: 008436D3
Concurrency::cancel_current_task.LIBCPMT ref: 008436DE

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b664ee74824c9d1c1deae5545877ae9d9b44fd7694a337061a50434358251b89
Instruction ID: 06906d45b1b7ab89a881058c4c1d13fc2fc989fe8362a328b6fb945e89589f2a
Opcode Fuzzy Hash: b664ee74824c9d1c1deae5545877ae9d9b44fd7694a337061a50434358251b89
Instruction Fuzzy Hash: 8201F772A0411CBBCF14AB5CD80599E7B68FFA0360B160145F805D7391EF30AF819781

Function 0084582A Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00845831
std::_Lockit::_Lockit.LIBCPMT ref: 0084583C
std::_Lockit::~_Lockit.LIBCPMT ref: 008458AA

Part of subcall function 0084598D: std::locale::_Locimp::_Locimp.LIBCPMT ref: 008459A5

std::locale::_Setgloballocale.LIBCPMT ref: 00845857
_Yarn.LIBCPMT ref: 0084586D

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 6a6bc915347e7c6e4853273156e189d6da1bd87e54da9f7927f8686c8a7fd86a
Instruction ID: 0da4768b9fc6ea74713328ec9099807bda97073fc5a956ebb7ceb9d814d08dce
Opcode Fuzzy Hash: 6a6bc915347e7c6e4853273156e189d6da1bd87e54da9f7927f8686c8a7fd86a
Instruction Fuzzy Hash: 3B01DF75A01A189BC706EF24D851A7D7BB1FF85340B194019E80297392CF786E46DBC7

Function 0084A832 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0084A7E3,00000000,00000001,009D3A6C,?,?,?,0084A986,00000004,InitializeCriticalSectionEx,00866CA8,InitializeCriticalSectionEx), ref: 0084A83F
GetLastError.KERNEL32(?,0084A7E3,00000000,00000001,009D3A6C,?,?,?,0084A986,00000004,InitializeCriticalSectionEx,00866CA8,InitializeCriticalSectionEx,00000000,?,0084A73D), ref: 0084A849
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00849653), ref: 0084A871

Strings

api-ms-, xrefs: 0084A856

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fce0699f34b5a1afdc79bd60330acc51dc186065940dd6775eacdfdf046fd5f9
Instruction ID: d8bed66560d4d1611997dfae453d3f2d7bc0a801c14a2e4120e0ea6b950fa109
Opcode Fuzzy Hash: fce0699f34b5a1afdc79bd60330acc51dc186065940dd6775eacdfdf046fd5f9
Instruction Fuzzy Hash: FDE01A74284A08BAEB141B60EC16B193E55FB00B91F514030F90DE80E1E7A2D911C6C6

Function 0085724F Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(CE39C80F,00000010,00000000,?), ref: 008572B2

Part of subcall function 0085A138: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00859F50,?,00000000,-00000008), ref: 0085A1E4

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0085750D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00857555
GetLastError.KERNEL32 ref: 008575F8

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: e72f39b6d9765b7bc35d6026c3f2dba6b4b1a1b748ee56ce52ffa512e87db46f
Instruction ID: bb8dcedbdbecf2e056d51486d07668da441628932bde50c1779e2ab4dacf68ee
Opcode Fuzzy Hash: e72f39b6d9765b7bc35d6026c3f2dba6b4b1a1b748ee56ce52ffa512e87db46f
Instruction Fuzzy Hash: 65D179B5D04648AFCF15CFA8D8809EDBBB5FF09315F18812AE856EB351E730A945CB50

Function 00849801 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 008498C8
___AdjustPointer.LIBCMT ref: 008498EB
___AdjustPointer.LIBCMT ref: 00849987

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: df836b92c930068441a6d2dc2ecb04fa8ec5695e1192d6736da3f6b1e487703a
Instruction ID: d8cd5293fe78fe08969b7097e14b6ae9db7ffe86ec1571d6ac2426c2b24af639
Opcode Fuzzy Hash: df836b92c930068441a6d2dc2ecb04fa8ec5695e1192d6736da3f6b1e487703a
Instruction Fuzzy Hash: D451AD72A0520EAFEB398F58D841B7BBBA4FF08710F14452EE895C6691E731AC41CB91

Function 00841985 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00843F59: QueryPerformanceFrequency.KERNEL32(?), ref: 00843F77

Part of subcall function 00843F42: QueryPerformanceCounter.KERNEL32(?), ref: 00843F4B

__alldvrm.LIBCMT ref: 008419D9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008419F9
__alldvrm.LIBCMT ref: 00841A17
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00841A34

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: PerformanceQueryUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@$CounterFrequency
String ID:
API String ID: 1598812886-0
Opcode ID: 1d0e73637f35ddf281190aaa8f5faee661cb8c94e72157474018c3c12658a33e
Instruction ID: 02d951a00aeee089df7d4d6cd523a0c015c229aec3ff2b6ec1cc3114a22435c4
Opcode Fuzzy Hash: 1d0e73637f35ddf281190aaa8f5faee661cb8c94e72157474018c3c12658a33e
Instruction Fuzzy Hash: 7E21D7717053282F9B28DA2D9C85F3BAEEDEBC8790F06417DF54EEB301E5609C0446A5

Function 0085A554 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0085A138: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00859F50,?,00000000,-00000008), ref: 0085A1E4

GetLastError.KERNEL32 ref: 0085A5B8
__dosmaperr.LIBCMT ref: 0085A5BF
GetLastError.KERNEL32(?,?,?,?), ref: 0085A5F9
__dosmaperr.LIBCMT ref: 0085A600

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 67c7316cea77a0ec0d67d9e4c865825c515fadc3530595494580d9a74ee8d63c
Instruction ID: 483ed3a0053dd0f5995ceccc76df06b521dc98d9ea136431d3e51680618a14f1
Opcode Fuzzy Hash: 67c7316cea77a0ec0d67d9e4c865825c515fadc3530595494580d9a74ee8d63c
Instruction Fuzzy Hash: CA21C571600605AF9B28AFA9C8C0C6BBBA9FF543AA7148618FD15D7141E730EC48CB93

Function 00850A96 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5accf09b1d7e733995cfe6c4b881c002c70f5366ca6c49fc471c2e37968efdff
Instruction ID: af60916c6320d9408f0ffa712cdb4d3ff460b915b5e865362968cea865d5a2bc
Opcode Fuzzy Hash: 5accf09b1d7e733995cfe6c4b881c002c70f5366ca6c49fc471c2e37968efdff
Instruction Fuzzy Hash: F1219D31200619AF9B20AF69D89196A77A9FF0037EB148655FD55D7141EB30EC48CFA2

Function 0085B4EA Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0085B4F2

Part of subcall function 0085A138: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00859F50,?,00000000,-00000008), ref: 0085A1E4

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0085B52A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0085B54A

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: caa5c8fb828f4be38338fc8fa75e3e423c3b1d1d47ec05a0edea9d2ab95f7756
Instruction ID: 833aea3e4a6b2b403b69234448dd2288b342d72904285fe7564b5bd741b5b2ab
Opcode Fuzzy Hash: caa5c8fb828f4be38338fc8fa75e3e423c3b1d1d47ec05a0edea9d2ab95f7756
Instruction Fuzzy Hash: 0811C4E1901919BF6B152B79ACCAD6F7D9CFE953E6B110125FD01D1101FB60CE0845B2

Function 00861196 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000010,00000000,0086E3C8,00000000,00000010,?,0085FF3C,00000010,00000001,00000010,?,?,0085764C,?,00000010,00000000), ref: 008611AD
GetLastError.KERNEL32(?,0085FF3C,00000010,00000001,00000010,?,?,0085764C,?,00000010,00000000,?,?,?,00857BD3,00000010), ref: 008611B9

Part of subcall function 0086117F: CloseHandle.KERNEL32(FFFFFFFE,008611C9,?,0085FF3C,00000010,00000001,00000010,?,?,0085764C,?,00000010,00000000,?,?), ref: 0086118F

___initconout.LIBCMT ref: 008611C9

Part of subcall function 00861141: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00861170,0085FF29,?,?,0085764C,?,00000010,00000000,?), ref: 00861154

WriteConsoleW.KERNEL32(00000010,00000000,0086E3C8,00000000,?,0085FF3C,00000010,00000001,00000010,?,?,0085764C,?,00000010,00000000,?), ref: 008611DE

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ed392d45c65798ddf38b355c7f9366645d180cec62573fe34962988c022f76ca
Instruction ID: 8b92b219823d42905ba953f2a6d27eb44785abb36eb2a5c8a414ad52f9554914
Opcode Fuzzy Hash: ed392d45c65798ddf38b355c7f9366645d180cec62573fe34962988c022f76ca
Instruction Fuzzy Hash: B5F01C36504668BBCF221FD5EC0CA8A7F26FB4A3A0F465011FB19D5221C632C920DB91

Function 00842F42 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00842F49
_strlen.LIBCMT ref: 00842F61

Strings

Open Cards, xrefs: 00842F5C, 00843027

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: H_prolog3_catch_strlen
String ID: Open Cards
API String ID: 3133806014-999811899
Opcode ID: 114f1d2a3c97172e149891d3e5fb0903636e769c61ce0a8c646eee53120746e1
Instruction ID: f5ef1d9369d1692bb0be4ca2537718c2f1d6e4f759282d694c9cfd6d07c3ad4c
Opcode Fuzzy Hash: 114f1d2a3c97172e149891d3e5fb0903636e769c61ce0a8c646eee53120746e1
Instruction Fuzzy Hash: F6417331A4460C9FCB24DB5CC98096CB7B1FF48B25BA4835AF524DB2D1CA729E81CB52

Function 008494F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0084952F
__IsNonwritableInCurrentImage.LIBCMT ref: 008495E3

Strings

csm, xrefs: 008495CD

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 56276117651c01b89edb94b45ac8b3155b4d117380860581e43cc2123c9afa20
Instruction ID: 3ca4e54e02cd77bb8a55da70eb8f0f162941dd04a9b485cabaa001fe636646e8
Opcode Fuzzy Hash: 56276117651c01b89edb94b45ac8b3155b4d117380860581e43cc2123c9afa20
Instruction Fuzzy Hash: 0141A134A0021C9BCF21DF68C884A9FBBB5FF45324F168195E958DB392D735DA11CB92

Function 00849DFD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00849E22

Strings

RCC, xrefs: 00849E3C
MOC, xrefs: 00849E34

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: e99057ab4fbe09dd824fcc6c404fc9a453c71b9418e5dd9e558d7e8b051485bc
Instruction ID: a3d21e477519657e8810f89362ade5ebba4a389cb670ccad2f8784348f21131e
Opcode Fuzzy Hash: e99057ab4fbe09dd824fcc6c404fc9a453c71b9418e5dd9e558d7e8b051485bc
Instruction Fuzzy Hash: 3541567190020DAFCF26CF98D981AEEBBB5FF48300F198059F944A7261E776AD50DB91

Function 008415AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008415B6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 008415EE

Part of subcall function 00845928: _Yarn.LIBCPMT ref: 00845947
Part of subcall function 00845928: _Yarn.LIBCPMT ref: 0084596B

Strings

bad locale name, xrefs: 008415FC

Memory Dump Source

Source File: 00000005.00000002.1291552512.0000000000841000.00000020.00000001.01000000.00000004.sdmp, Offset: 00840000, based on PE: true

Associated: 00000005.00000002.1291365902.0000000000840000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1291776860.0000000000865000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292001883.0000000000870000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1292316063.00000000009D5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_840000_file.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 56e182c2ea93ab346aed10c49401d6d1d92209f840293495682b8505d5284111
Instruction ID: 7246439ebcb34736cf530c91a3d9e1d9dc715452406cfeaaedbb36cd63011beb
Opcode Fuzzy Hash: 56e182c2ea93ab346aed10c49401d6d1d92209f840293495682b8505d5284111
Instruction Fuzzy Hash: 70F01771545B449E83309F6E9481847FBE4FE28320390CE2FE1DEC3A12D734A508CBAA

Analysis Process: RegAsm.exePID: 6320, Parent PID: 7068COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 00EF106A Relevance: 21.0, Strings: 11, Instructions: 7206COMMON

Download Yara Rule

Strings

<|#`, xrefs: 00EF54B9
$t&, xrefs: 00EF4A1B
=l', xrefs: 00EF70C3
?i06, xrefs: 00EF2B59
`A(, xrefs: 00EF1B62
<G,;, xrefs: 00EF6F9C
7?):, xrefs: 00EF7E79
3Q35, xrefs: 00EF37F7
KUM, xrefs: 00EF17E1, 00EF20BA, 00EF273C, 00EF1518, 00EF2AF9, 00EF3AED, 00EF295B, 00EF230F, 00EF16B0, 00EF1C4B, 00EF24FF, 00EF3245, 00EF3551, 00EF120A, 00EF257E, 00EF12CE, 00EF2129, 00EF2765, 00EF1E31, 00EF3BD0, 00EF1841, 00EF3B02, 00EF1F62, 00EF17CF, 00EF1FE7, 00EF23E3, 00EF1A7F, 00EF3D13, 00EF2DB3, 00EF1909, 00EF1D2F, 00EF2BD1, 00EF29BD, 00EF1B23, 00EF1E81, 00EF2788, 00EF21B2, 00EF318F, 00EF3412, 00EF2342, 00EF1DD1, 00EF17B3, 00EF2181, 00EF1889, 00EF1A14, 00EF1721, 00EF2416, 00EF28DE, 00EF3CFD, 00EF1995, 00EF3045, 00EF3870, 00EF19F5, 00EF150D, 00EF3140, 00EF1478, 00EF2708, 00EF2558, 00EF223C, 00EF3CD6, 00EF1CF8, 00EF2B53, 00EF3308, 00EF3A8D, 00EF1E9B, 00EF3827, 00EF225D, 00EF22AB, 00EF1AF5, 00EF11E3, 00EF326A, 00EF2C61, 00EF24E9, 00EF15E7, 00EF294D, 00EF3182, 00EF3C19, 00EF1897, 00EF11CE, 00EF1AB8, 00EF18E4, 00EF3054, 00EF1AD6, 00EF3BF8, 00EF280F, 00EF3B89, 00EF315D, 00EF162C, 00EF1A5B, 00EF2F55, 00EF2BF9, 00EF3B7A, 00EF3C88, 00EF2219, 00EF206A, 00EF1E73, 00EF1215, 00EF24C3, 00EF1A06, 00EF1F9B, 00EF3581, 00EF2B78, 00EF34AA, 00EF271E, 00EF2143, 00EF1F34, 00EF1D5C, 00EF1253, 00EF31D1, 00EF371E, 00EF38EC, 00EF3444, 00EF33B0, 00EF1C8D, 00EF2114, 00EF2FD7, 00EF2002, 00EF31ED, 00EF3983, 00EF13E1, 00EF24DB, 00EF1659, 00EF1DAB, 00EF1268, 00EF131B, 00EF140A, 00EF279E, 00EF2FEC, 00EF2DDC, 00EF149F, 00EF27AD, 00EF1C3D, 00EF26EA, 00EF3710, 00EF390B, 00EF1FD1, 00EF1D71, 00EF2D77, 00EF18B0, 00EF2A80, 00EF2CDA, 00EF36DD, 00EF1D8A, 00EF2869, 00EF1576, 00EF1750, 00EF14CF, 00EF2453, 00EF15BA, 00EF16F0, 00EF1396, 00EF1560, 00EF3595, 00EF3545, 00EF1835, 00EF3A78, 00EF16FB, 00EF32F2, 00EF16A5, 00EF2334, 00EF2C7E, 00EF30DE, 00EF247E, 00EF114C, 00EF391A, 00EF1DE0, 00EF1EC7, 00EF25FF, 00EF1640, 00EF3A0F, 00EF148A, 00EF12A9, 00EF2078, 00EF378D, 00EF307C, 00EF1943, 00EF1354, 00EF37F4, 00EF3695, 00EF10F3, 00EF21FF, 00EF3991, 00EF350A, 00EF12FE, 00EF137A, 00EF3328, 00EF3A01, 00EF2E6A, 00EF2D57, 00EF2EB2, 00EF20DD, 00EF2C49, 00EF1A72, 00EF267C, 00EF1F42, 00EF23AD, 00EF3684, 00EF1F17, 00EF13A2, 00EF13FF, 00EF259B, 00EF1925, 00EF2A1F, 00EF379B, 00EF3896, 00EF178D, 00EF339B, 00EF35AD, 00EF1E5A, 00EF1B4E, 00EF15D2, 00EF33EC, 00EF3431, 00EF11F9, 00EF3364, 00EF2408, 00EF25F1, 00EF235E, 00EF3CEC, 00EF1CA1, 00EF269A, 00EF438A, 00EF472C, 00EF4C3F, 00EF45D8, 00EF48D3, 00EF3F5A, 00EF3E7C, 00EF4040, 00EF4643, 00EF46CB, 00EF4467, 00EF540E, 00EF44DC, 00EF4FEB, 00EF5049, 00EF40E0, 00EF4BC1, 00EF42A5, 00EF42C8, 00EF4973, 00EF4A0D, 00EF3DF1, 00EF43B7, 00EF49AC, 00EF47B8, 00EF52AB, 00EF4FBF, 00EF4EC5, 00EF4843, 00EF3FEC, 00EF4331, 00EF474F, 00EF50B5, 00EF45F6, 00EF4550, 00EF4F55, 00EF4D4F, 00EF455E, 00EF4474, 00EF51AF, 00EF4B1E, 00EF4F42, 00EF48B5, 00EF408C, 00EF3EE1, 00EF5235, 00EF3FCD, 00EF4242, 00EF4FCD, 00EF4C5D, 00EF50D4, 00EF4DB1, 00EF4B4B, 00EF3E2F, 00EF43C4, 00EF414D, 00EF4BAC, 00EF4E33, 00EF5215, 00EF4DC7, 00EF4234, 00EF43DC, 00EF3F68, 00EF3D8A, 00EF5424, 00EF47A1, 00EF41E5, 00EF4E4D, 00EF4EE0, 00EF5439, 00EF473A, 00EF4CC1, 00EF4A9B, 00EF4D18, 00EF53D6, 00EF499D, 00EF505B, 00EF41AC, 00EF51A1, 00EF4651, 00EF42D6, 00EF47C6, 00EF4B8D, 00EF40C8, 00EF4F63, 00EF4A22, 00EF4E94, 00EF4286, 00EF5290, 00EF4429, 00EF5128, 00EF5172, 00EF41BA, 00EF53FE, 00EF4351, 00EF44EA, 00EF491C, 00EF5476, 00EF43F0, 00EF4835, 00EF530C, 00EF5164, 00EF5380, 00EF4D34
9Z1l, xrefs: 00EF24EC
)!9, xrefs: 00EF825E

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: $t&$)!9$3Q35$7?):$9Z1l$<G,;$<|#`$=l'$?i06$KUM$`A(
API String ID: 0-3830134425
Opcode ID: 7337430ff6bf7243af96e367e3545ab9049ed0a2c857ed751705a4cbfb6599f4
Instruction ID: 2df42081eff04c51ef9cb5ed75cdf936f4d7b08c47bcaf21a43a56b95226230b
Opcode Fuzzy Hash: 7337430ff6bf7243af96e367e3545ab9049ed0a2c857ed751705a4cbfb6599f4
Instruction Fuzzy Hash: A1F3F7B4E006298FCB69DF68C8516AEB7B2FF89300F4049A9D519B7341DB75AE81CF44

Function 00EF1098 Relevance: 20.9, Strings: 11, Instructions: 7196COMMON

Download Yara Rule

Strings

<|#`, xrefs: 00EF54B9
$t&, xrefs: 00EF4A1B
=l', xrefs: 00EF70C3
?i06, xrefs: 00EF2B59
`A(, xrefs: 00EF1B62
<G,;, xrefs: 00EF6F9C
7?):, xrefs: 00EF7E79
3Q35, xrefs: 00EF37F7
KUM, xrefs: 00EF17E1, 00EF20BA, 00EF273C, 00EF1518, 00EF2AF9, 00EF3AED, 00EF295B, 00EF230F, 00EF16B0, 00EF1C4B, 00EF24FF, 00EF3245, 00EF3551, 00EF120A, 00EF257E, 00EF12CE, 00EF2129, 00EF2765, 00EF1E31, 00EF3BD0, 00EF1841, 00EF3B02, 00EF1F62, 00EF17CF, 00EF1FE7, 00EF23E3, 00EF1A7F, 00EF3D13, 00EF2DB3, 00EF1909, 00EF1D2F, 00EF2BD1, 00EF29BD, 00EF1B23, 00EF1E81, 00EF2788, 00EF21B2, 00EF318F, 00EF3412, 00EF2342, 00EF1DD1, 00EF17B3, 00EF2181, 00EF1889, 00EF1A14, 00EF1721, 00EF2416, 00EF28DE, 00EF3CFD, 00EF1995, 00EF3045, 00EF3870, 00EF19F5, 00EF150D, 00EF3140, 00EF1478, 00EF2708, 00EF2558, 00EF223C, 00EF3CD6, 00EF1CF8, 00EF2B53, 00EF3308, 00EF3A8D, 00EF1E9B, 00EF3827, 00EF225D, 00EF22AB, 00EF1AF5, 00EF11E3, 00EF326A, 00EF2C61, 00EF24E9, 00EF15E7, 00EF294D, 00EF3182, 00EF3C19, 00EF1897, 00EF11CE, 00EF1AB8, 00EF18E4, 00EF3054, 00EF1AD6, 00EF3BF8, 00EF280F, 00EF3B89, 00EF315D, 00EF162C, 00EF1A5B, 00EF2F55, 00EF2BF9, 00EF3B7A, 00EF3C88, 00EF2219, 00EF206A, 00EF1E73, 00EF1215, 00EF24C3, 00EF1A06, 00EF1F9B, 00EF3581, 00EF2B78, 00EF34AA, 00EF271E, 00EF2143, 00EF1F34, 00EF1D5C, 00EF1253, 00EF31D1, 00EF371E, 00EF38EC, 00EF3444, 00EF33B0, 00EF1C8D, 00EF2114, 00EF2FD7, 00EF2002, 00EF31ED, 00EF3983, 00EF13E1, 00EF24DB, 00EF1659, 00EF1DAB, 00EF1268, 00EF131B, 00EF140A, 00EF279E, 00EF2FEC, 00EF2DDC, 00EF149F, 00EF27AD, 00EF1C3D, 00EF26EA, 00EF3710, 00EF390B, 00EF1FD1, 00EF1D71, 00EF2D77, 00EF18B0, 00EF2A80, 00EF2CDA, 00EF36DD, 00EF1D8A, 00EF2869, 00EF1576, 00EF1750, 00EF14CF, 00EF2453, 00EF15BA, 00EF16F0, 00EF1396, 00EF1560, 00EF3595, 00EF3545, 00EF1835, 00EF3A78, 00EF16FB, 00EF32F2, 00EF16A5, 00EF2334, 00EF2C7E, 00EF30DE, 00EF247E, 00EF114C, 00EF391A, 00EF1DE0, 00EF1EC7, 00EF25FF, 00EF1640, 00EF3A0F, 00EF148A, 00EF12A9, 00EF2078, 00EF378D, 00EF307C, 00EF1943, 00EF1354, 00EF37F4, 00EF3695, 00EF10F3, 00EF21FF, 00EF3991, 00EF350A, 00EF12FE, 00EF137A, 00EF3328, 00EF3A01, 00EF2E6A, 00EF2D57, 00EF2EB2, 00EF20DD, 00EF2C49, 00EF1A72, 00EF267C, 00EF1F42, 00EF23AD, 00EF3684, 00EF1F17, 00EF13A2, 00EF13FF, 00EF259B, 00EF1925, 00EF2A1F, 00EF379B, 00EF3896, 00EF178D, 00EF339B, 00EF35AD, 00EF1E5A, 00EF1B4E, 00EF15D2, 00EF33EC, 00EF3431, 00EF11F9, 00EF3364, 00EF2408, 00EF25F1, 00EF235E, 00EF3CEC, 00EF1CA1, 00EF269A, 00EF438A, 00EF472C, 00EF4C3F, 00EF45D8, 00EF48D3, 00EF3F5A, 00EF3E7C, 00EF4040, 00EF4643, 00EF46CB, 00EF4467, 00EF540E, 00EF44DC, 00EF4FEB, 00EF5049, 00EF40E0, 00EF4BC1, 00EF42A5, 00EF42C8, 00EF4973, 00EF4A0D, 00EF3DF1, 00EF43B7, 00EF49AC, 00EF47B8, 00EF52AB, 00EF4FBF, 00EF4EC5, 00EF4843, 00EF3FEC, 00EF4331, 00EF474F, 00EF50B5, 00EF45F6, 00EF4550, 00EF4F55, 00EF4D4F, 00EF455E, 00EF4474, 00EF51AF, 00EF4B1E, 00EF4F42, 00EF48B5, 00EF408C, 00EF3EE1, 00EF5235, 00EF3FCD, 00EF4242, 00EF4FCD, 00EF4C5D, 00EF50D4, 00EF4DB1, 00EF4B4B, 00EF3E2F, 00EF43C4, 00EF414D, 00EF4BAC, 00EF4E33, 00EF5215, 00EF4DC7, 00EF4234, 00EF43DC, 00EF3F68, 00EF3D8A, 00EF5424, 00EF47A1, 00EF41E5, 00EF4E4D, 00EF4EE0, 00EF5439, 00EF473A, 00EF4CC1, 00EF4A9B, 00EF4D18, 00EF53D6, 00EF499D, 00EF505B, 00EF41AC, 00EF51A1, 00EF4651, 00EF42D6, 00EF47C6, 00EF4B8D, 00EF40C8, 00EF4F63, 00EF4A22, 00EF4E94, 00EF4286, 00EF5290, 00EF4429, 00EF5128, 00EF5172, 00EF41BA, 00EF53FE, 00EF4351, 00EF44EA, 00EF491C, 00EF5476, 00EF43F0, 00EF4835, 00EF530C, 00EF5164, 00EF5380, 00EF4D34
9Z1l, xrefs: 00EF24EC
)!9, xrefs: 00EF825E

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: $t&$)!9$3Q35$7?):$9Z1l$<G,;$<|#`$=l'$?i06$KUM$`A(
API String ID: 0-3830134425
Opcode ID: 99d6d6f58b50f9c5f7630d9c15a7f127dce56cb4442cd036433215d4d57bbc14
Instruction ID: 35c7117ebac68a33f52e083201ed8e28621fdb780a1d2a08aa42fafe3c2dbc48
Opcode Fuzzy Hash: 99d6d6f58b50f9c5f7630d9c15a7f127dce56cb4442cd036433215d4d57bbc14
Instruction Fuzzy Hash: 7EF3E7B4E006298FCB69DF68C8516AEB7B2FF89300F4049A9D519B7341DB75AE81CF44

Function 00EFE008 Relevance: 5.3, Strings: 4, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 00EFE14C
Hq, xrefs: 00EFE2ED
\sq, xrefs: 00EFE180
;q, xrefs: 00EFE2C8

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: (oq$Hq$\sq$;q
API String ID: 0-2495020057
Opcode ID: 307467a4196645911b9cade9f096d57a698e592ad4d5180602548907d5e1e216
Instruction ID: 59379e880b761ccd2b3ffb4391bf88b32460b8b6452a10600d766ac65ec2de35
Opcode Fuzzy Hash: 307467a4196645911b9cade9f096d57a698e592ad4d5180602548907d5e1e216
Instruction Fuzzy Hash: 6381D136F012288FCB18EB7DD8555ADB7E6AFC921071941AAE909FB361DE309C06C790

Function 00EFA1CD Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7E"7, xrefs: 00EFA51D
2g., xrefs: 00EFA387

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: 2g.$7E"7
API String ID: 0-2029250814
Opcode ID: 845f55857d6293f0cb75062c90764e372f7ff0f5b5d72e6767509cd74ea79498
Instruction ID: cb62c3d1b089d27434f240155b15eda6ee44706a196d0f73617c84170480960d
Opcode Fuzzy Hash: 845f55857d6293f0cb75062c90764e372f7ff0f5b5d72e6767509cd74ea79498
Instruction Fuzzy Hash: 8CA190B6E102298FCB14DFA8C4845AEB7F2AB58310B1A857AD959FB351D730DC42CBD1

Function 00EF8F98 Relevance: 1.7, Strings: 1, Instructions: 489
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f|VS, xrefs: 00EF92B1

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: f|VS
API String ID: 0-2086739051
Opcode ID: 6921a26ed39a4a3f1af7a23cfe63bc9e1154c042cd48dba8738d3da8f3991e44
Instruction ID: 3a23b91df7bac01089d8767e0bda4f00b8eb5b0c4fd8e5c03ff2217cb3cd65a3
Opcode Fuzzy Hash: 6921a26ed39a4a3f1af7a23cfe63bc9e1154c042cd48dba8738d3da8f3991e44
Instruction Fuzzy Hash: 0D226B75E0021A8FDB14DFA9C9816AEB7F1BF88304F15816AD925FB251D738AD06CF90

Function 05126498 Relevance: 1.6, APIs: 1, Instructions: 67
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05126529

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 75b52233b44f1e16e571ee180b9dbb0d35c0bf8c7db4e696d2dc3bd1d6bf1cb5
Instruction ID: f575155e3fa111cc552304449715ffd6973d02f2074ed428a67b3dff0a01fa42
Opcode Fuzzy Hash: 75b52233b44f1e16e571ee180b9dbb0d35c0bf8c7db4e696d2dc3bd1d6bf1cb5
Instruction Fuzzy Hash: 892115B1D013499FCB10CFAAD980AEEFBF1BF48314F20842EE419A3240C7759915CB65

Function 051268BB Relevance: 1.6, APIs: 1, Instructions: 66
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 05126949

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: 4aeb61353addb7fb439757bebcffbac35b5a727f75aa72e8dc2a22c370b81213
Instruction ID: 1432f070c49c41eb31ac0b5f862ed68dbeaf335f4e2df197e9c6768d0939d6f6
Opcode Fuzzy Hash: 4aeb61353addb7fb439757bebcffbac35b5a727f75aa72e8dc2a22c370b81213
Instruction Fuzzy Hash: 762127B1D01259AFCF10CFAAD980AEEFBB4FF48314F10801AE518A7240CB755915CFA4

Function 05126570 Relevance: 1.6, APIs: 1, Instructions: 64
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 051265FB

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: bad41ffab7d5e4b63c7377d59d181fad5d4efb070577964cfec6f8b99215522a
Instruction ID: ceec538ac66474fc97068532cd71f6e044c70bc2d86d7842a0768efa86beca89
Opcode Fuzzy Hash: bad41ffab7d5e4b63c7377d59d181fad5d4efb070577964cfec6f8b99215522a
Instruction Fuzzy Hash: 202124B1D002589FCF10CFAAC881AEEFBF1BF48214F10841AE919A3250CB359954CBA4

Function 051263C8 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL ref: 05126452

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f865befa7029d19096f7075d4d07b6be63bbcd6e590212d953624ace3ebb0cb2
Instruction ID: 42176adc797cd1efe8e2e040426f924cbb287ac2a5c2fdd90a80d43ca5484682
Opcode Fuzzy Hash: f865befa7029d19096f7075d4d07b6be63bbcd6e590212d953624ace3ebb0cb2
Instruction Fuzzy Hash: 0A215871C043988FDB21DFAAC8447EEBBF4EF89224F14845AD055AB241CB385845CBA9

Function 051264A0 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05126529

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ddf64d49687a9392b05e0cb85e639fad88e32d6e0d93650173cd1453fdbc8e1e
Instruction ID: 4b147f63ac19cef0ba3d0f88b1c51204c36ae79741b7c33ad6dbdbde0f47b0c3
Opcode Fuzzy Hash: ddf64d49687a9392b05e0cb85e639fad88e32d6e0d93650173cd1453fdbc8e1e
Instruction Fuzzy Hash: BD21F0B1D013499FDB10CFAAD980AAEFBF5BF48314F20842EE519A7240C7759910CBA5

Function 05126CF3 Relevance: 1.6, APIs: 1, Instructions: 63
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 05126D7E

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: ControlDeviceFile
String ID:
API String ID: 3512290074-0
Opcode ID: 8cace33747c01a519257c2ab8d85da0226ea8c4cc2afecd22eeba1ba9ceb4f53
Instruction ID: 95bc10d283d5df50331d8f7ad16a82e16c4c99ffb2d4d0955017f117ee9488ae
Opcode Fuzzy Hash: 8cace33747c01a519257c2ab8d85da0226ea8c4cc2afecd22eeba1ba9ceb4f53
Instruction Fuzzy Hash: C3212376C002489FDF21CFAAC840AEEBBF1FF48314F14841AE959A7250CB399955CFA4

Function 051268C0 Relevance: 1.6, APIs: 1, Instructions: 63
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 05126949

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: e475bb7368d0f5d8f52b0089738757bcb0b12bc439ee054046facdc9e687741e
Instruction ID: 6c13ba0d3e6359588f5776e8ec81f170d83fdec4c7994c84964e6f1180a716ba
Opcode Fuzzy Hash: e475bb7368d0f5d8f52b0089738757bcb0b12bc439ee054046facdc9e687741e
Instruction Fuzzy Hash: D42103B1D01219AFDF10CFAAD980ADEFBF4FF08314F10842AE918A7240CB759954CBA5

Function 05126CF8 Relevance: 1.6, APIs: 1, Instructions: 62
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 05126D7E

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: ControlDeviceFile
String ID:
API String ID: 3512290074-0
Opcode ID: 8ea875a5e74a8d1e08a9f4a4350bbcbe45f4614bf4bc2d05398cf51550e3915b
Instruction ID: 822feeabe0f097c4e69411fb687810d7af38d85a067d71ccbaa6bd109074c7d8
Opcode Fuzzy Hash: 8ea875a5e74a8d1e08a9f4a4350bbcbe45f4614bf4bc2d05398cf51550e3915b
Instruction Fuzzy Hash: 322134768002089FDF10CFAAC840AEEBBF5FF48314F14841AE919A3210CB39A950CFA5

Function 05126578 Relevance: 1.6, APIs: 1, Instructions: 61
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 051265FB

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: cf9b00da8311188fdc69ad652a659685daf2a41d880d4b1c2c1b27fbc9dd5e95
Instruction ID: 750ceb6295741739e5d0446199e8c8b66ae9c9db8efc73be3a6138543ef27d92
Opcode Fuzzy Hash: cf9b00da8311188fdc69ad652a659685daf2a41d880d4b1c2c1b27fbc9dd5e95
Instruction Fuzzy Hash: 012112B1D003589FDF10CFAAC880ADEFBF5BF48314F10842AE919A7250CB799954CBA5

Function 05126C28 Relevance: 1.6, APIs: 1, Instructions: 59filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 05126CA7

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: FileInformationQueryVolume
String ID:
API String ID: 634242254-0
Opcode ID: 6cc90fed1880bb5721e76e26f3f863ac62e795ecfa9b7db581a78040c47ff2ad
Instruction ID: 84e59d68efc63a3d041abee8d4e1ebc0d9c53f48b47051b64db7d6ac13d6bdd5
Opcode Fuzzy Hash: 6cc90fed1880bb5721e76e26f3f863ac62e795ecfa9b7db581a78040c47ff2ad
Instruction Fuzzy Hash: 4F213475C002488FDB14DFAAC940BEEBBF4AF48324F14842AE819A7650CB799940CFA5

Function 05126C30 Relevance: 1.6, APIs: 1, Instructions: 57filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 05126CA7

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: FileInformationQueryVolume
String ID:
API String ID: 634242254-0
Opcode ID: 985907eff7de091f4d4b5c94e4346622209e85f905dcbd6f206ac5aaa4c8a7d5
Instruction ID: 9b6b99348baa4c5849deb7914a14d715d082cbc1babb32c09875da7318664be1
Opcode Fuzzy Hash: 985907eff7de091f4d4b5c94e4346622209e85f905dcbd6f206ac5aaa4c8a7d5
Instruction Fuzzy Hash: F2210471D002489FDB14DFAAC840BAEBBF4AF48214F14841AE419A7250CB799954CBA5

Function 051263F0 Relevance: 1.5, APIs: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 05126452

Memory Dump Source

Source File: 00000008.00000002.3748622337.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5120000_RegAsm.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8c0a73f8cfc31af39329e1ed78b0eab10f131bf9edc3be5a3a08c6cd6db8f48c
Instruction ID: 85604d7cdac7e82041a2e28e48ce943432c360a4a059d6e78666a6527acceecb
Opcode Fuzzy Hash: 8c0a73f8cfc31af39329e1ed78b0eab10f131bf9edc3be5a3a08c6cd6db8f48c
Instruction Fuzzy Hash: 171128B1D003488FDB24DFAAC8447AEFBF4AB48224F24841AD459A7640CB79A944CBA5

Function 00EFD820 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

Hq, xrefs: 00EFD9CB

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 4a3ef993fbf3b6af38ec84bc09f5b85907846aa8aceb8a0b040cc1751f90844d
Instruction ID: dc744677300f65fabedfa8290b17651fce1e7ff650f5934ad927ae352dc3b7a7
Opcode Fuzzy Hash: 4a3ef993fbf3b6af38ec84bc09f5b85907846aa8aceb8a0b040cc1751f90844d
Instruction Fuzzy Hash: ED81C436F052598FC704DF78C8544ADBBF2EF8A31471540AAE949EB362DB359C06CB91

Function 00EFB3B8 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd71bdbcd41d1ccbd0609ae1de03221d8304ae7c2ee1f9b2524de0680fd9c36
Instruction ID: aa1836ab0cdd6ccedb2b8c53a2a369d624cc71dc32ed6abad386b670875391a9
Opcode Fuzzy Hash: efd71bdbcd41d1ccbd0609ae1de03221d8304ae7c2ee1f9b2524de0680fd9c36
Instruction Fuzzy Hash: F4D1AE39B405248F8B58EB3DD89857EB6E6AFCC75031554A9EA0AFB361DF70DC058B80

Function 00EFC0A8 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b39fcd8662c0a33626879bf358fad52630f24fc27ab17af1893b78a2dc292c9
Instruction ID: d4f32b991fcbf1f467f4e796e26834a88854cba94859ad0f3c032d3436d768bf
Opcode Fuzzy Hash: 3b39fcd8662c0a33626879bf358fad52630f24fc27ab17af1893b78a2dc292c9
Instruction Fuzzy Hash: D6C1F632F4012D8B8B18AA3D496527EA5D39FC870033A6579EE0BFB381EE61CC1647C1

Function 00EF9940 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064121763ecdd247138b7b2e17fe999d879d2ed01119b60d6ce50bff634ddf51
Instruction ID: 84bc154363f6b74a948f798675b5dc828c50c26a1ab94241986fea14ef4503ab
Opcode Fuzzy Hash: 064121763ecdd247138b7b2e17fe999d879d2ed01119b60d6ce50bff634ddf51
Instruction Fuzzy Hash: 93C18F71B003098FCB18DFB9C8D46ADBBF2AF89304B659169E505EB362DB709C46CB50

Function 00EF8F88 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812f6514247967616e13588a69905789d53c5bbd10ddeddb76c6d046f9ae0293
Instruction ID: a02281ff6db4b84a027416d6d20b77303e4f7074a6721ce627595b96331daea0
Opcode Fuzzy Hash: 812f6514247967616e13588a69905789d53c5bbd10ddeddb76c6d046f9ae0293
Instruction Fuzzy Hash: DAB1E875E0020A8FDB54DFAAD9916EEBBF1FF88304F108069D425EB251D7389A46CF90

Function 00EFC980 Relevance: 2.7, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

78j, xrefs: 00EFC991
Hq, xrefs: 00EFC9F3

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: 78j$Hq
API String ID: 0-36752102
Opcode ID: 1d000a1bd459ed1672c394771b6ad30b4731b4d5f0cfa8399d45d3d802d7e9dc
Instruction ID: 4428cbf90a19d93d00d8343db2acbea9e400ed305767ce516803bf1966794ced
Opcode Fuzzy Hash: 1d000a1bd459ed1672c394771b6ad30b4731b4d5f0cfa8399d45d3d802d7e9dc
Instruction Fuzzy Hash: 8941782770061C1BDA1CA678A86117EA6D79BC5350338957EE70BFB781DE149D0A83D1

Function 00EFA830 Relevance: 2.6, Strings: 2, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\;q, xrefs: 00EFA8E4
\;q, xrefs: 00EFA8D4

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: \;q$\;q
API String ID: 0-1260801691
Opcode ID: ae005eb9f8e1af144183ed424570aeabd97ea500bb1d93847781256189308071
Instruction ID: d5e5b0f7dd2767de63a7bc494720e2010daf04cbb15924848544a00639747c48
Opcode Fuzzy Hash: ae005eb9f8e1af144183ed424570aeabd97ea500bb1d93847781256189308071
Instruction Fuzzy Hash: 3931E3B1E1021D9BDB15DA99C444BBEBBF2AB88344F195079D505FF350DAB09D01CB91

Function 062A0BA8 Relevance: 2.2, Strings: 1, Instructions: 990COMMON

Download Yara Rule

Strings

$q, xrefs: 062A18FB

Memory Dump Source

Source File: 00000008.00000002.3749859669.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegAsm.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 651de7ff973020d165de78e2ab33dd0ac4832a5c55b24fc101e157353983802d
Instruction ID: 2ca590cae1a257d524605b2e13fe487ff13214c48f69e62295a94a081af00b84
Opcode Fuzzy Hash: 651de7ff973020d165de78e2ab33dd0ac4832a5c55b24fc101e157353983802d
Instruction Fuzzy Hash: 43929034A20201CFD755DB58D599A69B7F2FF89314F19C4A9E85A8F396CB72EC02CB40

Function 00EF8C44 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8@%^, xrefs: 00EF8C9B

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: 8@%^
API String ID: 0-6368902
Opcode ID: 3424d6721ba97de3462fe7ec31dc422aa271fe36d807111a0017a666ec53e739
Instruction ID: ad6510d346381e74d42d7c5f7f857f9be7ba36949d3a045a2e9db743095c66d3
Opcode Fuzzy Hash: 3424d6721ba97de3462fe7ec31dc422aa271fe36d807111a0017a666ec53e739
Instruction Fuzzy Hash: 18110A347013188FC728DFB9C994A6CB7B1AF88318B194569D905EB725DB71EC42CB11

Function 00EFC970 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

78j, xrefs: 00EFC991

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID: 78j
API String ID: 0-810992010
Opcode ID: b2ee767cc923baf03ed81676b2065f66a68717f904e79c1f76daaa23b2630ff1
Instruction ID: b2796bbeaac0f19290c24ef7ac48f8adf58f2581319db2bfacbfb1bc16fa43f7
Opcode Fuzzy Hash: b2ee767cc923baf03ed81676b2065f66a68717f904e79c1f76daaa23b2630ff1
Instruction Fuzzy Hash: 6E019E33E016681BE72097659CC08B9F7E56DC672036A437ACE58BB251CE80CC05C7D0

Function 062A24B8 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3749859669.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d272e1f063dea2264d9ddb68ef58b95ea2dc85d4cb18eccb2990df1be71c64
Instruction ID: d34f9be9892fca2374fde65a118e2063f3208cf1bfa58bf26a454836fc55af33
Opcode Fuzzy Hash: b4d272e1f063dea2264d9ddb68ef58b95ea2dc85d4cb18eccb2990df1be71c64
Instruction Fuzzy Hash: 4C024C34A10201DFD744DB54CA95EA9B7F2FB88314F19C099E949AB392CBB2ED42CB50

Function 00EFF2A8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b322c610f6d9084a17db009e75600019db2c4f9ebdef3328be3ee56465041900
Instruction ID: d74d70e00ea2da8ece5bdc6c92dec6458654268189bd15926c4dc5380f371f7d
Opcode Fuzzy Hash: b322c610f6d9084a17db009e75600019db2c4f9ebdef3328be3ee56465041900
Instruction Fuzzy Hash: EB512A307002159BD714EB34C591AAE77A6FF80324B909634D525BFAE0DF34AE06C7D1

Function 00EFBE30 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9295782d8daaba0dfc4c67d99e9a803e15a33830dc120873689f6e643525cf96
Instruction ID: 8e0b91b22c625a2668bba44ec44a5156812c811f15410c9eb6f544e50c1fc263
Opcode Fuzzy Hash: 9295782d8daaba0dfc4c67d99e9a803e15a33830dc120873689f6e643525cf96
Instruction Fuzzy Hash: 00518136F001298F8B08DF69D8845ADB7F6BF88310B5590AAE905FB361DB31DD01CB90

Function 062A06F8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3749859669.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d125d139ba151a9eb8528e1184e7b4d60b1ba8f6d971de8cdb1d3d41dc81c5a
Instruction ID: b0dd33f97be4a9f378e10d20fe1cd9e7c745bc1ac3fe1f9e6a18a2bf47609a35
Opcode Fuzzy Hash: 7d125d139ba151a9eb8528e1184e7b4d60b1ba8f6d971de8cdb1d3d41dc81c5a
Instruction Fuzzy Hash: F151C134B202058FEB94DF64D955AAEBBF2EB88314F048429E806DB390DB70AD46CB51

Function 00EFF67A Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e67a3fcb494078315ff3fa1bda589e37d1722b90c55f5bb6bed1e97e5d10c19
Instruction ID: 7beff009a6cca011440da31921f5b66ae41754dc391f96970b87bf1f324f0d36
Opcode Fuzzy Hash: 1e67a3fcb494078315ff3fa1bda589e37d1722b90c55f5bb6bed1e97e5d10c19
Instruction Fuzzy Hash: E1416B71F092958FCB05CB68C9852BEBFF2AF89200F2954ABD945EB292D674CC058791

Function 062A0730 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3749859669.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab775a8a36bd7a3ecfc3bd49e3dc8eddb082fcb84fca28f9b48d940c85485c0
Instruction ID: 241b66bb9e9664c2df2f5f8e7a23d3ea23002cfba3966854926c51d7ae02c3ab
Opcode Fuzzy Hash: 2ab775a8a36bd7a3ecfc3bd49e3dc8eddb082fcb84fca28f9b48d940c85485c0
Instruction Fuzzy Hash: 78418334B202059FEB94DF64D955BAEBBF2EB88714F048425E806EB394DB70AD41CF91

Function 00EFDBB3 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068019881cdb54b5a5b0e72b864fc8c36fcd1553159350cd9da5e056eb7064db
Instruction ID: 08c32c80a0097c0752ce5375c33e005681f7b479857fecc06652d7381a4bc670
Opcode Fuzzy Hash: 068019881cdb54b5a5b0e72b864fc8c36fcd1553159350cd9da5e056eb7064db
Instruction Fuzzy Hash: 6431F23BB101204F87089F79D8914ADB7E6EFC926435A50EAE909EF362DF31DC058B90

Function 00EF8BB0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29e7f7c940382e16ddd16efb106a9bcfe2f3b5a110293b2cc4d5a1e8d446ca3
Instruction ID: 00132500848e29b5e799f973dee19dbc236ca342a701cb7b84824bb4e35386ca
Opcode Fuzzy Hash: a29e7f7c940382e16ddd16efb106a9bcfe2f3b5a110293b2cc4d5a1e8d446ca3
Instruction Fuzzy Hash: 45412A34A00309CFCB18CF65D594AAEBBB6AF89314F254569E905BB361DB71EC86CF40

Function 00EF8E70 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ff1454e46ebf2aba13dca328136386f6d13cea91834d2f5fc44242faa2bb56
Instruction ID: f6a8860ad4262392717970437dda66aa2a9decf8d1d97104706034c9bf828c62
Opcode Fuzzy Hash: 58ff1454e46ebf2aba13dca328136386f6d13cea91834d2f5fc44242faa2bb56
Instruction Fuzzy Hash: C6314B73E146694FC711CB6DC8406A9BBF5AF49210B0B41EADC45FB7A2D2209C1AC7D0

Function 00EFF668 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81203b7dce35ac9576f4c9788358f3be86ff16f666c58ce35ad99e40adde9e2
Instruction ID: 380e5ada4d33eaf1848769df923dd20bdb247c4ed51014d3db06a01b6fb21b90
Opcode Fuzzy Hash: b81203b7dce35ac9576f4c9788358f3be86ff16f666c58ce35ad99e40adde9e2
Instruction Fuzzy Hash: 4D31B1B5F142198BCB04DA99C9404BEFBF2AFCD300F25956BEA05E7390DA74DE018B94

Function 00EF8EA0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc962335a98826b7d168b5fe5426f48940cccef7c8207b6bcb5328c643e6fef
Instruction ID: bb25b09df39dbd47cfc25dda496842a087e57ef6660793d74a3997179b50cd9b
Opcode Fuzzy Hash: dbc962335a98826b7d168b5fe5426f48940cccef7c8207b6bcb5328c643e6fef
Instruction Fuzzy Hash: 6221C277E105294FC710CA5DD8845AAB7E6AF8825074B82AADC09FB3A1E6709D15CBD0

Function 00EFEBFF Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a335ec84b7b815b93e5b5e930acadb3c227b0b18ddf87c1313c60bc8b4d14f
Instruction ID: 361d4e57c2c47760e6e2dd5fe4895ccb4673028b2472fa2a64293685cdfc5f3d
Opcode Fuzzy Hash: e2a335ec84b7b815b93e5b5e930acadb3c227b0b18ddf87c1313c60bc8b4d14f
Instruction Fuzzy Hash: BE217A316006098FDB15CF56D8C0979F7B2FB84314708892AEA29AB760C730FC11CB90

Function 00EF9FA0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85eab199373ac61dd9cacb5e1c2176ad8909840648ec9d0574c3375a7e43218
Instruction ID: 0fef0322dcc894065f6d8de00fafffdd331359c565ed3b5bddd11217f3d90c53
Opcode Fuzzy Hash: d85eab199373ac61dd9cacb5e1c2176ad8909840648ec9d0574c3375a7e43218
Instruction Fuzzy Hash: A5213573D0022A9FCB14AFB1C8444AEB7B2FB413143864669ED18B7702C739AC91CBC1

Function 062A0AD8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3749859669.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f8cbe252fa0888cb1531f8a70ec810cbcc10a513ec8c86a55d26609420b366
Instruction ID: 3d4ffdf51631ba593a2c912cdb7a4eef4cd60ef449ab8c5417b6fb92c0e32e6f
Opcode Fuzzy Hash: d3f8cbe252fa0888cb1531f8a70ec810cbcc10a513ec8c86a55d26609420b366
Instruction Fuzzy Hash: BD21D631604245AFC702CF54E951F95BBB5EF89314F0884AAE5488F252CB76EC16C7A0

Function 00EFAAD0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c95486cf5e5cb8d91cd5c55e3c2ad214aef80b63064878b3655e30f916ab3f
Instruction ID: a015c9898ff3a4782d2e03e11940c67b4d780098d8fbe28929e7260a299a0171
Opcode Fuzzy Hash: 66c95486cf5e5cb8d91cd5c55e3c2ad214aef80b63064878b3655e30f916ab3f
Instruction Fuzzy Hash: 5111B232B01A149FC7149B38D4549B87BF1BF8A36035A41FAE94ADB772CB21DC46CB80

Function 00EF8BA0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501d0b32f0909cd21821967c3e028a3c1f1da5e8cf2bcf7f95493e378732f190
Instruction ID: d0e6faa3f211cc1f3faa4ffcb149e80db621fe9ba962ea61300a6ff852a9545c
Opcode Fuzzy Hash: 501d0b32f0909cd21821967c3e028a3c1f1da5e8cf2bcf7f95493e378732f190
Instruction Fuzzy Hash: 42210D387012149FCB18DF78C495959BBF6EF8D320B1985A9E80AEB761CB71EC46CB50

Function 062A28E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3749859669.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fd0733db5f82f469912a100b656cb9bfb5239d7895140210ab516bda387727
Instruction ID: 72cf9d4eaf368a272a60bbc06af9de1e181a5ade1c47c16c3d5e22f42c83172e
Opcode Fuzzy Hash: e6fd0733db5f82f469912a100b656cb9bfb5239d7895140210ab516bda387727
Instruction Fuzzy Hash: 48210034B11206DFEB44CB54C645FA9B3F1FB48714F29C499E949AB261C7B1EE41CB90

Function 00EFC029 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a08371d81484233e1f8e3e079922e25beaedadeadcf0949f8f3b62fa06541d
Instruction ID: 5323eee28c0a4cb14d3f680b915c51cc77440c29153d873b67d2a515f539e320
Opcode Fuzzy Hash: 12a08371d81484233e1f8e3e079922e25beaedadeadcf0949f8f3b62fa06541d
Instruction Fuzzy Hash: 24018931B0824D8BCB241A794A9517AFBF5EFC531073850BACA05EB713DE20CC1A8392

Function 00EFAAE0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1097b63bb9ee38fe89462fb679e741aefb0e518c5b878ebcd3697528504568e4
Instruction ID: bd610feda65f730ad71a00ecbf883c4d0255bcf985a517ab07f51fd4783f19a2
Opcode Fuzzy Hash: 1097b63bb9ee38fe89462fb679e741aefb0e518c5b878ebcd3697528504568e4
Instruction Fuzzy Hash: 5011E133B006249F8718DB39C84496977E6BF893A035A41B9E90ADB372CB32DC45CB90

Function 00EFCE98 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d8ce460911a812722301a441e1c99194da7ac439ba39041048b8c7efb559ae
Instruction ID: 06307f094c233a1e29110566288228abbbaf5b594855cbccaac2e18998313e69
Opcode Fuzzy Hash: e9d8ce460911a812722301a441e1c99194da7ac439ba39041048b8c7efb559ae
Instruction Fuzzy Hash: B4119E35B005089FCB44DB79D4918ADBBF2EF8921071480E9E509EB362DE31AD02CB40

Function 00EFF8A4 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab5f9ef54072be4d7ce83591d9942e41585e2eef4d51528e85cb81f44c416bd
Instruction ID: 43f15becbe964b511b661c12688fe049d76b14a723a3161db437a3f74a57047b
Opcode Fuzzy Hash: 1ab5f9ef54072be4d7ce83591d9942e41585e2eef4d51528e85cb81f44c416bd
Instruction Fuzzy Hash: 78012631A0D7896FC3098E2A5881662BAEABFC5320759C27BD209D7651CA60DA14C7E2

Function 00EFC098 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d878a6cf38b9f6ce3f2ff047d517ddf7f2e5a52f8be2e37ee8e8de4ac97f92
Instruction ID: c9c765f67e9bb1c62eaa1e60af5e89e34ea0289d3f84543c0ffa2cfe59f37120
Opcode Fuzzy Hash: d7d878a6cf38b9f6ce3f2ff047d517ddf7f2e5a52f8be2e37ee8e8de4ac97f92
Instruction Fuzzy Hash: 34012431B0824D8B8B251969599057AFBF5EEC931033550BADB06EB313DE60CC5A8391

Function 00EFF7A8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a702b2762e4163b933e87895f3071d7ca5da76300d9860475b37c099749f5b
Instruction ID: b39b016c51893704d4deb033f1385a7c05ec2cf0e5b013b21810cb027aa4f070
Opcode Fuzzy Hash: 96a702b2762e4163b933e87895f3071d7ca5da76300d9860475b37c099749f5b
Instruction Fuzzy Hash: 7C118E35720284CFD3589A25DA95926BBE7FBC9315B68987FD50ACBB90C770F881CB40

Function 00EFF8C0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb8fb6d8e92293244049154afe56e08e4351d4dfaaaa63a47d5a26d0ba8fae8
Instruction ID: bab6d7b7d548e059175728d066d1641edc6d35a804b1fd05f87ecbd0674b7353
Opcode Fuzzy Hash: ebb8fb6d8e92293244049154afe56e08e4351d4dfaaaa63a47d5a26d0ba8fae8
Instruction Fuzzy Hash: 2201F931B0C7596B834C8E6B58815B6E6DABFC4360315D33BD209D3610DB70DA50C7E1

Function 00EFDB30 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf3183dc3e446bdb590de6ca904e6057502d1f7e818223ece20885a6f1374f4
Instruction ID: 28bc20640b38ae39d6bca0f050c2631e322ddc91457ad684cb4f6fff07c4c76b
Opcode Fuzzy Hash: daf3183dc3e446bdb590de6ca904e6057502d1f7e818223ece20885a6f1374f4
Instruction Fuzzy Hash: EC01A276F012198B8B58DF75DC404AEB7B7EBD5364B2586BAD508EB302EB319C01C7A0

Function 00EFCFB3 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e646d791b03f11e3ab8aecd3ee40f3c5ff2e98fe431e02895f402e840dd4fa0f
Instruction ID: 59edbafcda3239c832195a5384ba9522b8988df14674e7779b05d2f0d55d4a05
Opcode Fuzzy Hash: e646d791b03f11e3ab8aecd3ee40f3c5ff2e98fe431e02895f402e840dd4fa0f
Instruction Fuzzy Hash: DB01D136B001588FCB04EBACD4914AAF7F6DF8D22471494BBE60CE7352DA31EC068B80

Function 00EFB968 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02389a9a052eb19cb22f35b916e984fdc26159212ebad8504ce8de8318ecdd0
Instruction ID: 64252361809bf01e5ff81b2238917355f252f6a3844b10b6aa33e70a9c817e28
Opcode Fuzzy Hash: f02389a9a052eb19cb22f35b916e984fdc26159212ebad8504ce8de8318ecdd0
Instruction Fuzzy Hash: 69F049353052448FC3188B29C4A5962BBF5EFCA72431A94EAE689DFB32C760DC42CB51

Function 00EFCDB0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a497a08bb9bc6da120132ff99132206edfe51ae837a16fe16f90f8f108c2bc2
Instruction ID: f7dfd08fb442ed7735d98f1f72f55c025e26698bf401c92121579aa0a0c523f9
Opcode Fuzzy Hash: 9a497a08bb9bc6da120132ff99132206edfe51ae837a16fe16f90f8f108c2bc2
Instruction Fuzzy Hash: 49F017357412048FC759AB28D095869B7F1EF8A22432580E9E549DFB32DA32EC42CB00

Function 00EFDE83 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a681fb7ed6de19008839aaf6df2b789426fe45af34625b9d7d6df76797c7a3ce
Instruction ID: d03f336eb54e2cb79c043701d8ad9ff65af2b59322a400fb1c755e9f2eaaf763
Opcode Fuzzy Hash: a681fb7ed6de19008839aaf6df2b789426fe45af34625b9d7d6df76797c7a3ce
Instruction Fuzzy Hash: B0F02B32709294AFC71A673484504B9BFB1FF8B32035585BED4466B652CB31DC12C790

Function 00EFB978 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9757eebdb968d3b3e3fc009537fc788fa67131b3afbe493a6d51c5bafe59e5b
Instruction ID: 5803756b27f06d3eb258013260f150ea7748a373db04a253253e2d35d839211e
Opcode Fuzzy Hash: e9757eebdb968d3b3e3fc009537fc788fa67131b3afbe493a6d51c5bafe59e5b
Instruction Fuzzy Hash: BBF030343002148FC358DB1AC454D22B7E9EFCA72432995A9D609DF331CB70EC01CB51

Function 00EFC04D Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda51ff504570caf2d41ec068133cca9d170530a5ec44a52398788eb61210dff
Instruction ID: d12a75a7e71eb3ac7005da21c448b8edc5703d4cf2a519451ffdf79abd503c3a
Opcode Fuzzy Hash: eda51ff504570caf2d41ec068133cca9d170530a5ec44a52398788eb61210dff
Instruction Fuzzy Hash: A1F09A36F001288BCF04CAACE8844DCB7A2FB48364B5141AAEA09F7241C3319D05CBA0

Function 00EFDE90 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8330d1d83b6316eae00b6c7c8aad66a10a3c6a23fb633e55481d6951daf957b
Instruction ID: 1a1af973f7376bd0f1fb60cb7b2cf56fd647d26ceb6a6ff7adb674f190c7485e
Opcode Fuzzy Hash: d8330d1d83b6316eae00b6c7c8aad66a10a3c6a23fb633e55481d6951daf957b
Instruction Fuzzy Hash: C4E06C337012186BC3196675944046AF79AFBCA3653519539D50A7B741DF32DC51C7D0

Function 00EFBA58 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b2df0bd38809b38da316b85fdf15cc339f05172a4b6e88f70af33eeef88463
Instruction ID: 8d944b1b873d70f3cd265242b06f710ae572dd3bd3e4005316771a2a96741a41
Opcode Fuzzy Hash: 25b2df0bd38809b38da316b85fdf15cc339f05172a4b6e88f70af33eeef88463
Instruction Fuzzy Hash: ACE092313002145B4718667A985142FB3DAEFC9260350547EE60EE7342CE32AC02C390

Function 00EFCD47 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c61c3f0192cded04704857083c7c34322385895833e6a060ec30101c538d5e7
Instruction ID: 2bcfce8b9bc56d43d0184c8e30a3827825877769ad79c537abe060228e5ee74e
Opcode Fuzzy Hash: 1c61c3f0192cded04704857083c7c34322385895833e6a060ec30101c538d5e7
Instruction Fuzzy Hash: 0FF0E2327082948FCB1A9B3894108AD7BE69FCB32075940BED44AEB322CA71DC02C740

Function 00EFCD58 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49498c830956329c708c6c58e70b5bfa70f1bf6e16f56c9955ae553d9e7cd1ff
Instruction ID: d97bc6a4d6c67ee0286775332670aed7c262070a5095c369b69250d42861d20b
Opcode Fuzzy Hash: 49498c830956329c708c6c58e70b5bfa70f1bf6e16f56c9955ae553d9e7cd1ff
Instruction Fuzzy Hash: C2E04F367402148F8719AB39D40082EB3EADFCA32136580BDE509EB321CE72EC02C790

Function 062A0B30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3749859669.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c792d7b67572c134e33aaf8ce929d7c2ab26dd9f58b419483ae80afde36597c0
Instruction ID: 56c2a69ca80cddc681e3fdb32297a9f5bf3c1c27d390f09c5a62af583e369676
Opcode Fuzzy Hash: c792d7b67572c134e33aaf8ce929d7c2ab26dd9f58b419483ae80afde36597c0
Instruction Fuzzy Hash: 45F03032515248AFCB42CFC4DD11CA57FB6EB49354B08809AFA454B162C672D865DB91

Function 00EF0839 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8518c4785c97536328b62bc6974998136928347cba38052050aa26bd07f8e7b9
Instruction ID: 51c2440865c6c0457a639df90081e28be87858e3f8f5cb60e3c445e9f3052f23
Opcode Fuzzy Hash: 8518c4785c97536328b62bc6974998136928347cba38052050aa26bd07f8e7b9
Instruction Fuzzy Hash: 61E0DF30A0A185EFCB09CBF499666AEBFB1DF8B300B0041E9D409E3243DB311E18DB00

Function 00EF0848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1817129d31e6e6a30a1ac05a1304a230c4b2649a3e81d5ce0eb47e0da7fb2895
Instruction ID: 4802836c4cc48ff72594f2a2fecc8b1d75fc41a8d80c0eaac6b11ce1cf38bfb9
Opcode Fuzzy Hash: 1817129d31e6e6a30a1ac05a1304a230c4b2649a3e81d5ce0eb47e0da7fb2895
Instruction Fuzzy Hash: 40D01230F01108EFCB04DFB5D95655EB7F5DB8E300B1044A9D509E7241DB312E049740

Function 00EFCEA8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c515982fdc8a111604bb575c174b430f255707fd727858d3b6a95c31c0a744
Instruction ID: 9f842f4c3193c65c4aee91839ddcb683dac6c14fcaa0e5d127de5cca081429b8
Opcode Fuzzy Hash: c8c515982fdc8a111604bb575c174b430f255707fd727858d3b6a95c31c0a744
Instruction Fuzzy Hash: FED05B70A4120CEBCF04EBB5891357DB3E5DF95300B5050E99508B7341DE311F00A781

Function 00EFCFC0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a191846b3ef96226d40d1d6e0aba5bc4c4d8e8b44b099dfa09529a906a383d67
Instruction ID: a670bbac25a441c252a2624be2189c388e7c40ea42babbeb44432ff7b3e5974c
Opcode Fuzzy Hash: a191846b3ef96226d40d1d6e0aba5bc4c4d8e8b44b099dfa09529a906a383d67
Instruction Fuzzy Hash: 07D0C9363101249F8740DA5DE444C42B7ECEF4D6243258099E50CCB322D662EC028B90

Function 00EFCDC0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3742053935.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ef0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843af958005e8fdf1b7e09ce6afac25a71dc1d547b57b5f4c7fb21f592ca4dc9
Instruction ID: d1ddab8e2fec307e62dcbf37889666768f0e42b1ca8f3ec033b36757312767f0
Opcode Fuzzy Hash: 843af958005e8fdf1b7e09ce6afac25a71dc1d547b57b5f4c7fb21f592ca4dc9
Instruction Fuzzy Hash: 3EC001383542088F8344DB59E889C11BBE9AF89A2435A80A9E9498B732CA31FC00CA84

Analysis Process: powershell.exePID: 7196, Parent PID: 6320COMMON

Executed Functions

Function 04DEA9B0 Relevance: 6.5, Strings: 5, Instructions: 252COMMON

Download Yara Rule

Strings

[dYn^, xrefs: 04DEAC10, 04DEAC15
dYn^, xrefs: 04DEA9EC
{dYn^, xrefs: 04DEABAC
{`Yn^, xrefs: 04DEAC80, 04DEAC85
kdYn^, xrefs: 04DEABD8, 04DEABDD

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: [dYn^$kdYn^${`Yn^${dYn^$dYn^
API String ID: 0-3163139991
Opcode ID: 095e3bc82b6f314deeb7325e6f7669f0acca9527ce6736546da4b8a77651fa37
Instruction ID: 3873db2484da4af1b37c91fb84769959b0f91233cb1eaeb0d9f171c45812772c
Opcode Fuzzy Hash: 095e3bc82b6f314deeb7325e6f7669f0acca9527ce6736546da4b8a77651fa37
Instruction Fuzzy Hash: 83916C75F007145BEB19EFB998206EE7AF2EBC4700B008A1CD606BB744DF75AA058BD5

Function 07CB1B88 Relevance: 2.8, Strings: 2, Instructions: 301COMMON

Download Yara Rule

Strings

4'q, xrefs: 07CB1C49
4'q, xrefs: 07CB1C3D

Memory Dump Source

Source File: 0000000B.00000002.1488134102.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 97aac6d987559db6916cda71a9a748044ce0ebc51e332f49837c1a45a4979480
Instruction ID: 2e68faa084a7fd7ac9258d7a503092b55267879ecb6333eaaaa657d0b1d77bf1
Opcode Fuzzy Hash: 97aac6d987559db6916cda71a9a748044ce0ebc51e332f49837c1a45a4979480
Instruction Fuzzy Hash: B3A129B1B0434EDFCB358B69D4547EABBE2AF86251F18806AE505CF251DB30DE42C7A1

Function 04DEB528 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

(q, xrefs: 04DEB5DA

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 251200265827b83f56549e48900149d886564f24126915ac0ac584a59b193723
Instruction ID: 35a8a39835923f75f8a528e5934d93b5d40045d47b803a1048d345972822422f
Opcode Fuzzy Hash: 251200265827b83f56549e48900149d886564f24126915ac0ac584a59b193723
Instruction Fuzzy Hash: 1431C0367043005FE714EB65E8549AEB7E6EFC5220750863ED10ACB351EE31AC06C7B5

Function 04DEA4B8 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&q, xrefs: 04DEA4DA

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: (&q
API String ID: 0-583763264
Opcode ID: d574642f5cd3395cfa31681269c79c2fe88e1606d378cd3a382869fe5fecd640
Instruction ID: c6b5f3ccece51e4690e2bb26eeb31037cea5ad7d3592ee5e80a8eaad2432da44
Opcode Fuzzy Hash: d574642f5cd3395cfa31681269c79c2fe88e1606d378cd3a382869fe5fecd640
Instruction Fuzzy Hash: DC219F75E043098FDB14DFAAD4047AEBBF5AB88320F24846AD408A7340CA75A801CBA5

Function 04DEB430 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

^Yn^, xrefs: 04DEB4EC

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: ^Yn^
API String ID: 0-914103871
Opcode ID: 617298cbb5dadc2f9ecc1640a9df16bcf011c3d2506f2e3be4c1d1f2916d57bb
Instruction ID: ca5e53f837fc14a9575f25a1f12b414af08d5c65c3013aba23d31e3588db3531
Opcode Fuzzy Hash: 617298cbb5dadc2f9ecc1640a9df16bcf011c3d2506f2e3be4c1d1f2916d57bb
Instruction Fuzzy Hash: AB3191347013019FDB11DFAAC940AAABBF2AF84704F04846EE589CB365D774F905CB90

Function 04DE29F0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2057524fd0c5ff66c0d2fa85b55cb2497c8f0d00b5c1009bb4aaaa35f43d9b6c
Instruction ID: 9cbc4a30202320645187d68ea1b2332b32c0e90b9a220790af053361d539c206
Opcode Fuzzy Hash: 2057524fd0c5ff66c0d2fa85b55cb2497c8f0d00b5c1009bb4aaaa35f43d9b6c
Instruction Fuzzy Hash: EE919B74A00609CFCB15DF59C494ABAFBB6FF88310B248699D815AB364C735FC91CBA4

Function 04DEAFE0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f23248552cb55238a3eb2bb9b06c110192960fd206b65d41975ad9d3034e9e
Instruction ID: 04f99b85959520cfc1d7b10bbca4f7773172a69782ad3e64e7be9246ecbbc666
Opcode Fuzzy Hash: d1f23248552cb55238a3eb2bb9b06c110192960fd206b65d41975ad9d3034e9e
Instruction Fuzzy Hash: 9B610675E002089FDB14DFA9C8846DDBBF1FF88314F14812AE808AB354EB35AD45CBA1

Function 04DE6C48 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df08309ac0308c979ed6a25e9dc7b1a4f44935a7ef38c015f7ddab6f0da167fc
Instruction ID: 995f45137fc221717930a5266ecf0ce89db31f41a70bc5455a51dddda0955b02
Opcode Fuzzy Hash: df08309ac0308c979ed6a25e9dc7b1a4f44935a7ef38c015f7ddab6f0da167fc
Instruction Fuzzy Hash: 7041AD353002059FD714EB6AD854BBB77E6FFC8214FA48469E54ACB355EB35EC028BA0

Function 04DEAFD1 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4026fda391de91b8a4a6f974d76a74a86fd2219728dcc8dd67ee3592b52368cc
Instruction ID: a86d87398c310bcd3fe0a572ef37c6424b232ae5b58d4e1408f77881806e3606
Opcode Fuzzy Hash: 4026fda391de91b8a4a6f974d76a74a86fd2219728dcc8dd67ee3592b52368cc
Instruction Fuzzy Hash: CB510875E002489FDB14DFA9D484A9DBBF1FF88314F14812AE809AB354EB35A945CBA1

Function 04DE6A9A Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93092d9e2f42e8791d574aeb619161e13e60f1f979ae07e7dc40edab7d5604fd
Instruction ID: f98e883a301c5fa7752180af73307a8c0e97c4ec3f1d79d15f181199b8155ecf
Opcode Fuzzy Hash: 93092d9e2f42e8791d574aeb619161e13e60f1f979ae07e7dc40edab7d5604fd
Instruction Fuzzy Hash: 48319E3A7002008FD714EF6EE894A7A77E6EBC862572880ACE549CF355DF35DC0287A0

Function 07CB1F6F Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1488134102.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c27895d077a9819a31e0a9b4246515b8bc7a7b53dc600223d357714700dedec
Instruction ID: df609115cb8b0640a8d58c1812850a380d6b74a1b1b5200a950e813d40bc835e
Opcode Fuzzy Hash: 1c27895d077a9819a31e0a9b4246515b8bc7a7b53dc600223d357714700dedec
Instruction Fuzzy Hash: 843129B1B043458FDB349AA894907EAB7E6EBC6211F18817AE7068F291DB31DD42C761

Function 04DE2B00 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca11edd8ce4c05eb504d942166d0255cb72e710cd5932d48cb19e4c1180e61f
Instruction ID: 4f519e0bf5916aa933c81489405aed327e71815d60e49b283cdc534f0fd754a1
Opcode Fuzzy Hash: 2ca11edd8ce4c05eb504d942166d0255cb72e710cd5932d48cb19e4c1180e61f
Instruction Fuzzy Hash: B0418A74A00609CFCB05CF4AC098ABAFBB6FF48310B158599D815AB364C736FC91CBA4

Function 04DE6968 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d18ef8d1e72361eea08ee9b027f910d13e28fe440a15609227ade2e3924dc8
Instruction ID: afa8f7d0ed934f5c68ce11314ced651acc59960ace1bfe85384765369e049973
Opcode Fuzzy Hash: b7d18ef8d1e72361eea08ee9b027f910d13e28fe440a15609227ade2e3924dc8
Instruction Fuzzy Hash: 4731E534B002048FDB14DF65C598AA9BBF2EF8D715F5490A8E806AB395DB31EC41DF60

Function 04DE6958 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623c174501a043683abc32aa2258f44dba6a7e680e3c7ecc090c94a84f0c9a75
Instruction ID: 5fb81094a26e4e9ba447eeccfb70e7ef90b730bb3f797d30da161a70d56af79e
Opcode Fuzzy Hash: 623c174501a043683abc32aa2258f44dba6a7e680e3c7ecc090c94a84f0c9a75
Instruction Fuzzy Hash: D9312734A002048FDB14DF65C598ABDBBF2EF9E315F5490A8E846AB355DB31EC41DB60

Function 04DEA37F Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95967bee7a9bdd8f93de0751cad271462fa4dad69e71a1847000588d15e3e5c2
Instruction ID: 7cf896ad1064ada82186134f500c8135d4cc99d3933d56e933b44797f78dcf76
Opcode Fuzzy Hash: 95967bee7a9bdd8f93de0751cad271462fa4dad69e71a1847000588d15e3e5c2
Instruction Fuzzy Hash: 8A314E74A0120A9FDB14EFAAD4947BEBBF6EFC9310F148069E405EB350EA349C458B61

Function 04DEA390 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21aabe434532163139ddf853c17ef5c1a939df542b953cb19aae2e02e61e7c41
Instruction ID: d832556f0b2afa41912acc2a7418bbb52dfd1f4248838f7d2c270d38cca5db77
Opcode Fuzzy Hash: 21aabe434532163139ddf853c17ef5c1a939df542b953cb19aae2e02e61e7c41
Instruction Fuzzy Hash: CC312F74E0120A9FDB14EFAAD4947BEBBF6EF88250F148069E505EB350EA349C458B61

Function 04DEA247 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf47e6138090ede9db17a43508a984dfbe0dfd2a3bbc2f80a2a943d47ea6420e
Instruction ID: 20d154773393224e8c63fb37b5743c5bc4b16b2b374d1ce80ef4256df5e2d857
Opcode Fuzzy Hash: cf47e6138090ede9db17a43508a984dfbe0dfd2a3bbc2f80a2a943d47ea6420e
Instruction Fuzzy Hash: E8312FB8A002049FEB04EFA4D854BFE77B6EF88300F248469D615AF395DA35DD418BA5

Function 04DEA258 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d157cac081e3cab30be32cc39c00e9d5afcb09984045512fed10692143e56a18
Instruction ID: c123cb6ed7cac86eab077919abbffa8705ba9b9e23409a9e4017a1f4b35100a3
Opcode Fuzzy Hash: d157cac081e3cab30be32cc39c00e9d5afcb09984045512fed10692143e56a18
Instruction Fuzzy Hash: 9F312DB8E002089FEB04EFA4D454BFE77B6EF88300F608469D615AF394DA35DD418BA5

Function 0367F238 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1364987300.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_367d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d268408f5289c18c9904feaf3294a563443132dec47f35897ed8459cbac91b8
Instruction ID: c71c8b5ee723f28b867aab7ef5fcbfd64ac415ef366173b3b1638369a99950c4
Opcode Fuzzy Hash: 2d268408f5289c18c9904feaf3294a563443132dec47f35897ed8459cbac91b8
Instruction Fuzzy Hash: 3021FE75604200EFDF04CFA0DAC4F26BBA5FB88214F6485A9E9094F256C336D456CBA5

Function 04DE8920 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a69d50b2fbd0667e638861f529fb4e9aa5c1b08494d4949ddc5f086ec0be3
Instruction ID: 33deb42eb611d6eb549bf653d479d4e6bf04ed6327be4d5e96944a52d8f069f6
Opcode Fuzzy Hash: 575a69d50b2fbd0667e638861f529fb4e9aa5c1b08494d4949ddc5f086ec0be3
Instruction Fuzzy Hash: 592189B4E017448FDB60EF6AC48839AFBF2FF88310F28801EE44D9B245D67464819B65

Function 04DE8922 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed243e4e347211bdda25f2c7f2b8ab682ed6ed05360dd8b23ca2a11b873253bd
Instruction ID: 3dbfef04fe1c30175161cef1e80e0a6afcc8fcc23a8175fbf2c73d0bc90fc02d
Opcode Fuzzy Hash: ed243e4e347211bdda25f2c7f2b8ab682ed6ed05360dd8b23ca2a11b873253bd
Instruction Fuzzy Hash: 842189B4E017448FDB60EF6AD48839AFBF2FF88310F28801EE44D9B245D67464819B61

Function 0367F233 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1364987300.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_367d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
Instruction ID: b99afcb2022bedd119c078bc6a9c99f22047572f081f449e02728f41587c5f7d
Opcode Fuzzy Hash: 3db14e1fbd481c373aa523bb9b771c634d45f7ce68899f9c04ab426dc2dff8be
Instruction Fuzzy Hash: B3216A76504240DFCB16CF50DAC4B16BBA2FB48314F28C5A9E9494F656C33AD46ACF91

Function 04DEB200 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9765b933b59d7b3c19b4e5a338ac65ab01c06b460cda30bc81ac4dc050742d9c
Instruction ID: f86a1711e416fc760a431c01f276a948743635fccec28b34d335542bd57122a3
Opcode Fuzzy Hash: 9765b933b59d7b3c19b4e5a338ac65ab01c06b460cda30bc81ac4dc050742d9c
Instruction Fuzzy Hash: 2A118C356083048FD729DF75D494A697BF5EF8A210B1488AEE04ACB6B2DB30BC85CB55

Function 0367D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1364987300.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_367d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7cc4149c75b3d952fa6e2027961e96534f40b661dbc59df1878269bbb4a4e2
Instruction ID: b96795ed331bf319b34ca30624e297765b5a0d96d7828fe058fb7e0d7ba6f4e8
Opcode Fuzzy Hash: 3b7cc4149c75b3d952fa6e2027961e96534f40b661dbc59df1878269bbb4a4e2
Instruction Fuzzy Hash: 5D01A771404340AEEB208E25C984B66FBD8DF41224F5C995ADD480F282C2799446CAB5

Function 0367D006 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1364987300.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_367d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39717422f5780e00ae1106652fd585ba68683ef1b9c43d9c82fc6dc1a7fcba34
Instruction ID: 5c57810054ddd3bfd6bdf049554c2286199728aed8f346e713ed3bf1eb7a914d
Opcode Fuzzy Hash: 39717422f5780e00ae1106652fd585ba68683ef1b9c43d9c82fc6dc1a7fcba34
Instruction Fuzzy Hash: 1001007240E3C09FD7128B258994B52BFB8EF57224F1D85DBD9888F297C2695848C772

Function 04DE6E5F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7fdeb0cad943639dfd28364ec0aecfba1265ecb11e5cb6940a2a6844cba6eb
Instruction ID: 46b26c22a7dd098acd9cb491f67201d454ca9458c01aa45168393288adae83ee
Opcode Fuzzy Hash: 9a7fdeb0cad943639dfd28364ec0aecfba1265ecb11e5cb6940a2a6844cba6eb
Instruction Fuzzy Hash: E1F02B36300600AFD7209F69E440AFFB7E5EF88664B40061CD04ED7750CB70AC46C7A0

Function 0367D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1364987300.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_367d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f3de15c0e7198026960544809a6fe632190ab0deae527a00b5cf8c6c1136a5
Instruction ID: 9b3bd6c135e5e87af0cd3edc677e0561ae693c56ef373103609e64e52e5d1cac
Opcode Fuzzy Hash: 43f3de15c0e7198026960544809a6fe632190ab0deae527a00b5cf8c6c1136a5
Instruction Fuzzy Hash: 32F0E776600600AF9760CF0AD985C22FBA9EFD4670719C55AE84A4B612C671EC42CAA0

Function 04DED2B8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11a28671010720e9354cdb4f3758da9f31e82593e4ce1896f9f37f59d49a3b6
Instruction ID: babdaab518166ce96f93c2b0f33f3c9be203a09e9f378912dd0eb7f0ec254ae0
Opcode Fuzzy Hash: f11a28671010720e9354cdb4f3758da9f31e82593e4ce1896f9f37f59d49a3b6
Instruction Fuzzy Hash: F3F034353156918FC3119B2DD494866BBF6EFCA61531A05AEE049CF732DA21DC02CB50

Function 04DE6E70 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfb206c3b7cc989b00d8dde3b20eeb0424c5f92670aa2dfefba84f449f7c689
Instruction ID: 447eac110d05fa3684335481644927327b140fb86c06ae4165b4675bf76a040f
Opcode Fuzzy Hash: 1dfb206c3b7cc989b00d8dde3b20eeb0424c5f92670aa2dfefba84f449f7c689
Instruction Fuzzy Hash: 66F02736300614AFD710AA56E84097F77E9EB8C574B40062CE10AC3300CB30AC0187F0

Function 0367D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1364987300.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_367d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d14595201f8025089c5dcb9c6b63a1437e67195a80af276857cf8b6b36ead6
Instruction ID: 3cf8e95071a31a32020efc2cc0ccc3d412fc9cfea511ecfbc8cb420a53abca93
Opcode Fuzzy Hash: f0d14595201f8025089c5dcb9c6b63a1437e67195a80af276857cf8b6b36ead6
Instruction Fuzzy Hash: 4EF0F976100640AFD765CF06C985D23BBB9EF89620B298489F85A5B352C671FC42CFA0

Function 04DE8608 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd725ff00b7bdc45bc6b710d35c89c29bb9588bbdb94505bc2a0487fe1ea1c1
Instruction ID: 4855f5ee81211663c9bd53fb205780c25ac88192501ea27f593c791493ec8fb3
Opcode Fuzzy Hash: 0fd725ff00b7bdc45bc6b710d35c89c29bb9588bbdb94505bc2a0487fe1ea1c1
Instruction Fuzzy Hash: 20F027797042044BE348AF6DD0183AB7BA6EFC4368F20816ED5055B3C8DE39AC418BF1

Function 04DED109 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5739f0bbe2dac9c2e797c2eb8ac5ae25b9dbe35b2ec5da949eafe4f9e60cf29
Instruction ID: 582a7c9c2c01adb2b481a03419eb6840c1a710cee9ac0db148b369177730d9fd
Opcode Fuzzy Hash: e5739f0bbe2dac9c2e797c2eb8ac5ae25b9dbe35b2ec5da949eafe4f9e60cf29
Instruction Fuzzy Hash: 79F02B346047405FC713A72EA41159EBBF6DFC6260315049EE05ACF362DE648C06C766

Function 04DED158 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34091ae086fd404e2dcdfde5a873ee364b425932d47fa8e0bdc1e83553d440b
Instruction ID: 2b5ab09cfe94deb41c04f7fd404923440cd6a92563cc8657ba12ec6f4c397053
Opcode Fuzzy Hash: e34091ae086fd404e2dcdfde5a873ee364b425932d47fa8e0bdc1e83553d440b
Instruction Fuzzy Hash: F4F0E5307140419FC7099BBDD4044E8BFA2DFC9310B0484BFE849DB361EE319815CBA5

Function 04DED2C8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3fb4a6ff9c1e0a11c85d27b05767121261f3c806ae314282eb6c92c9675afa
Instruction ID: 78f4c03b54cc2d0eb7133f543fec621c862f97a586ae51be57bba5ca684662c5
Opcode Fuzzy Hash: 9a3fb4a6ff9c1e0a11c85d27b05767121261f3c806ae314282eb6c92c9675afa
Instruction Fuzzy Hash: 5DE09A353002118F87109F1EE498C66B7FAEFCEA2531900A9E549CB331CE31EC01CB90

Function 04DE7E88 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe44b4ace412acf23909c9fe875106e93871ea69b8d4fc315cf29fb76dfd7076
Instruction ID: 886a14999d20b8f8dcb5e67e59d614fdfa01b962c1ec2235801e33342832c42e
Opcode Fuzzy Hash: fe44b4ace412acf23909c9fe875106e93871ea69b8d4fc315cf29fb76dfd7076
Instruction Fuzzy Hash: 37F082253083906BC70B6B76A01816D7F66FFC6234F0501AED0498B343CEA84805C3A6

Function 04DE8688 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7b0b7f95f76d2fd76d6be8ab5a96170e8a53b7755e311533ab7bd225532625
Instruction ID: abd7aa267b52388bbe58c6dff9167f3dc6a20c8224e2311f4a88371bf3a8f163
Opcode Fuzzy Hash: 0b7b0b7f95f76d2fd76d6be8ab5a96170e8a53b7755e311533ab7bd225532625
Instruction Fuzzy Hash: DBF06D749003049FD364EFB9E09C3AA7BE5FB44320F00482DE10ED7380DB35A8408B91

Function 04DE8A68 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad8b3047535a6e11c4c7b3c4ebfb7b7c7508236994b4b988c49bb88e9f6a646
Instruction ID: 0e64f76baad3b2bf9c32b2d41a17669adb205a29d02c6524fcd46a09aa5d7750
Opcode Fuzzy Hash: 6ad8b3047535a6e11c4c7b3c4ebfb7b7c7508236994b4b988c49bb88e9f6a646
Instruction Fuzzy Hash: 56E02B1334116217575871FFAC00A77A6CECEC206930501FAAF08C7282ED40EC0393F2

Function 04DEA4A8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a480fa6a64c812876e6aba16dad5bcfc9e521519ff3e39eb5ec8f7ca8f4fd7
Instruction ID: e19b819baf164da802d29efaaaa665a250e1e481507c394103ebbd3c4682629b
Opcode Fuzzy Hash: 04a480fa6a64c812876e6aba16dad5bcfc9e521519ff3e39eb5ec8f7ca8f4fd7
Instruction Fuzzy Hash: 79D02E23318254178B0CA02FAC200662ADBCBC1621319C0BAF608CB344FC62EC0243E6

Function 04DE868A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786a0e92f6fe11b40e6ce2b46c4c960a099afd36a9e7f11f689ddac96a2cee29
Instruction ID: 7e118cfbfb2d6270442aec33e38eff7144dd481c1fd71e67e915283cfe57df07
Opcode Fuzzy Hash: 786a0e92f6fe11b40e6ce2b46c4c960a099afd36a9e7f11f689ddac96a2cee29
Instruction Fuzzy Hash: 16E0ED749013049FD764EF79E09C3AA7BE5FB84310F10592DE15ED7380DB35A8408B51

Function 04DE7E98 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d730f37c41a663af69c7067017715d24b871e007ee194623b970530a9b398b7
Instruction ID: d2a21aeb4829a07bd87e49fa7168573639bb635f8438c82194e94310f0f52ae4
Opcode Fuzzy Hash: 1d730f37c41a663af69c7067017715d24b871e007ee194623b970530a9b398b7
Instruction Fuzzy Hash: 8CE04F393047146BDA092B7BA05C2AE7B5AFBC4735F00466DE50A87342DFB9580187EA

Function 04DED168 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 13333c25550ac61d43318c54ec663bd64e1d0a353a26b94d4f512e63735ea042
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: D1E08631B0001497CB18959AD4104EDF7AADBCD220F04807AD94AA7341DE72A91586F5

Function 04DED118 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7302cf577c287f7c421eb1ee3a8abfb38200caa2d8b9522db9c8d1b9fe12a418
Instruction ID: 7125f2538c7cfcab2e279e6e3f3fdf13d1b06f6957eb41d06abb22747e446043
Opcode Fuzzy Hash: 7302cf577c287f7c421eb1ee3a8abfb38200caa2d8b9522db9c8d1b9fe12a418
Instruction Fuzzy Hash: A0E0C235700B15178626B65FB8105AFB7FADFC4AB1355402EE019CB301DE60EC0287EA

Function 04DE8A70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a83524a40ff3a05ab05cb853e9989eced779cdc980313166a8cbefbecbc08f4
Instruction ID: a4c0813a669c79f72cfcea50dc61a3b51eb64c0404c13fafe6a03e4d1a3f0a06
Opcode Fuzzy Hash: 0a83524a40ff3a05ab05cb853e9989eced779cdc980313166a8cbefbecbc08f4
Instruction Fuzzy Hash: 0CD05E1335012207665870EF5D0067BA6CECEC65A570540B6AF09C7681EC40EC0263F2

Function 04DEFC58 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6b1351bb95e42153ba81ff9d545eaa5d7d613a25216eae32313487228536bf
Instruction ID: cc4a688e18545e118a80b31f4878c34330615959285ce4cd21c62792b78f13af
Opcode Fuzzy Hash: 9a6b1351bb95e42153ba81ff9d545eaa5d7d613a25216eae32313487228536bf
Instruction Fuzzy Hash: 00E01A71E4164A9E8784EFBA94815AEFBF0AB49254B1085AE8919D7311E63286018B80

Function 04DE7C5C Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1c4004be2378d61ef4d9344c3d47cd0e3331c9afefc251ae6854f09957b9af
Instruction ID: d3ee6ef55e194ad1421743fd4905116d6fa672b62c5007a771052625c338b8ed
Opcode Fuzzy Hash: 9e1c4004be2378d61ef4d9344c3d47cd0e3331c9afefc251ae6854f09957b9af
Instruction Fuzzy Hash: 33E0E635804109DBC748EF56E81B4BEBB74FA10311F40519DE90752695EA712956CF85

Function 04DEFC68 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 1de22fd81fe6a5bbf47f857c655a3e85a98300e984e3221f03ab3d796b843321
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: B0D06270D0420D9F8780EFADC94156DFBF4EB48204F6085AE8919D7301F73296128BD1

Function 04DE7D29 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b180bd0a6df6618449783296208a40ede5d6acb353497df6e4c3545ac5f9068
Instruction ID: 4d23608f064c5eba00df59a35ffecdcd2054f4dcc176a6b362612735e176c0c0
Opcode Fuzzy Hash: 2b180bd0a6df6618449783296208a40ede5d6acb353497df6e4c3545ac5f9068
Instruction Fuzzy Hash: 22E01238A0410DAFC744EFA9E89697EBBB5FB48314F00465DEE0A93751EA706945CFC1

Function 04DE7C68 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c20421e1d3e4d088dee4c10d88a97df009a56300902e02f20918335142bf582
Instruction ID: 84a2afb278e9e328ef533ac42f69dff8a6a3b15ee3440d692e0eeda71b93db47
Opcode Fuzzy Hash: 5c20421e1d3e4d088dee4c10d88a97df009a56300902e02f20918335142bf582
Instruction Fuzzy Hash: 8DD012348041099BCB48AF66E41A4BDBB74FA00311F40419DD907526C1EA702546CF85

Function 04DE7D30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c466cc428bf2bf77798e0a02204c8211d5aaf4af3472091e1e5a4ce6c0e8c9e9
Instruction ID: a346d652e0f36c809535b6c4cf3f653cea858c52e517a63312310beb022880e4
Opcode Fuzzy Hash: c466cc428bf2bf77798e0a02204c8211d5aaf4af3472091e1e5a4ce6c0e8c9e9
Instruction Fuzzy Hash: CCD01738A042099F8744EFA9E84A46EBBB5FB48200F004269DA0A93780EA306885CFC1

Function 04DE6E38 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6da31a5a7e6fdb7f6c427247cded2b83a69964609db873b1fb2f9eae3102ad6
Instruction ID: b202d288cf82f93c8be3077851014330b2d304da24895045622e6ea4e865729c
Opcode Fuzzy Hash: c6da31a5a7e6fdb7f6c427247cded2b83a69964609db873b1fb2f9eae3102ad6
Instruction Fuzzy Hash: 2AD0223880D3C04FC7139F34A4558883F306F1221030400FEDC6B8E6A3CA65C808CF01

Function 04DE73B0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7075e5c1fddc99bc7fa9a2585b1fa251e37145d2f9d06256f05e7d9d4963a58
Instruction ID: 40d415c62fb41808bde10d5216a9335abe8827bbd701f89c6973ae0da251e3c3
Opcode Fuzzy Hash: a7075e5c1fddc99bc7fa9a2585b1fa251e37145d2f9d06256f05e7d9d4963a58
Instruction Fuzzy Hash: F0C08C96C081B112EF61423484C82042F923B43325B0D88E084C01B042C8A88844D341

Function 04DE6E48 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c216ff4b07e1e6436caf3830d56cd4be0f31f405765790405114eaa94734478
Instruction ID: da6ca3f216864d5962e8a235edbc634dd4ded9a7d7e570e67adb54fe584d56c7
Opcode Fuzzy Hash: 5c216ff4b07e1e6436caf3830d56cd4be0f31f405765790405114eaa94734478
Instruction Fuzzy Hash: ABB092340447088FC298AF79A4189187729AB4031538008A9ED0E4A7978E36EC84CA44

Non-executed Functions

Function 07CB0F60 Relevance: 11.4, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

$q, xrefs: 07CB100D
$q, xrefs: 07CB0FEC
`Qq, xrefs: 07CB10FB
tPq, xrefs: 07CB10CF
$q, xrefs: 07CB1029
`Qq, xrefs: 07CB1095
fq, xrefs: 07CB104A
$q, xrefs: 07CB11D1
$q, xrefs: 07CB11FB

Memory Dump Source

Source File: 0000000B.00000002.1488134102.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID: fq$`Qq$`Qq$tPq$$q$$q$$q$$q$$q
API String ID: 0-1290391743
Opcode ID: 14d7145c397d819f8ae79d83937288a48d4cf55ad49516bee82e0cd7cfb82ed8
Instruction ID: 8939f91d31853f6c4abe089f8839bca149f898443bf406382f6aed20a1d3da3f
Opcode Fuzzy Hash: 14d7145c397d819f8ae79d83937288a48d4cf55ad49516bee82e0cd7cfb82ed8
Instruction Fuzzy Hash: D3616CB0A1420EDFDB34CE45D5A5BEAB7F1AB86351F1C8056F801AB290C735DE85CBA1

Function 04DEF9E8 Relevance: 10.2, Strings: 8, Instructions: 182COMMON

Download Yara Rule

Strings

,q, xrefs: 04DEFA3D
$q, xrefs: 04DEFB85
,kGq, xrefs: 04DEFB43
$q, xrefs: 04DEFB6B
$q, xrefs: 04DEFAE0
$q, xrefs: 04DEFB9F
$q, xrefs: 04DEFB51
$q, xrefs: 04DEFB37

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: ,kGq$,q$$q$$q$$q$$q$$q$$q
API String ID: 0-3465679616
Opcode ID: 572e9c8f82cd5e4810dd04937c87fe6022d381f9df326ed4e14e4ab3933da7ea
Instruction ID: 210ee9e763709e18740b390f180beeefa37cbeff7012cb7a5be3fe82425189d3
Opcode Fuzzy Hash: 572e9c8f82cd5e4810dd04937c87fe6022d381f9df326ed4e14e4ab3933da7ea
Instruction Fuzzy Hash: 4D519F30B107099FDB29AFB7A8646BCB7B1BFCC600714046ED096DF765EF60A8458762

Function 04DEF4D8 Relevance: 6.7, Strings: 5, Instructions: 422COMMON

Download Yara Rule

Strings

$q, xrefs: 04DEF85E
$q, xrefs: 04DEF9A4
$q, xrefs: 04DEF802
$q, xrefs: 04DEF9BF
,kGq, xrefs: 04DEF845

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: ,kGq$$q$$q$$q$$q
API String ID: 0-381241185
Opcode ID: 5de31d1534b8ea7e3d17fdea08e77d088b4fcf774d588d1678a8846e8e81b819
Instruction ID: 28a1b07c4ea2bc208f774ce3f42b74d05be048ef1fcef9d51640ae65c88e23dd
Opcode Fuzzy Hash: 5de31d1534b8ea7e3d17fdea08e77d088b4fcf774d588d1678a8846e8e81b819
Instruction Fuzzy Hash: 5DD1CA34B102119FEB24BF3A985477E73D6AFC9614B24446ED546DF3A4EE70EC0287A1

Function 04DED568 Relevance: 5.3, Strings: 4, Instructions: 340COMMON

Download Yara Rule

Strings

{:Yn^, xrefs: 04DED603
[:Yn^, xrefs: 04DED655
k:Yn^, xrefs: 04DED62C
K:Yn^, xrefs: 04DED67E

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: K:Yn^$[:Yn^$k:Yn^${:Yn^
API String ID: 0-62103211
Opcode ID: 46aaab29815d533c51d38d31135bb0f7e49f9a09c9aecd82eba1efc9f83126c9
Instruction ID: 8466197044ec7167e831653ff607ba82b4207b898e2e1336e93d42c8226f75d6
Opcode Fuzzy Hash: 46aaab29815d533c51d38d31135bb0f7e49f9a09c9aecd82eba1efc9f83126c9
Instruction Fuzzy Hash: 4EE1EB347002058FDB05DF69C598AADBBF2FF49314F4994A8E54AAB362DB34EC85CB50

Function 04DED558 Relevance: 5.3, Strings: 4, Instructions: 332COMMON

Download Yara Rule

Strings

{:Yn^, xrefs: 04DED603
[:Yn^, xrefs: 04DED655
k:Yn^, xrefs: 04DED62C
K:Yn^, xrefs: 04DED67E

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: K:Yn^$[:Yn^$k:Yn^${:Yn^
API String ID: 0-62103211
Opcode ID: c49b8c5e1f5a930f5510d1053fc7e23c529d7da7557273e6efdbc6189649eea3
Instruction ID: 87a97a7241e0cc29ce50439d469991c17748730b3597f40a1b9cc5279d76db58
Opcode Fuzzy Hash: c49b8c5e1f5a930f5510d1053fc7e23c529d7da7557273e6efdbc6189649eea3
Instruction Fuzzy Hash: ADE1F938600205CFDB05DF69C588AA97BF2FF49314F5980A8E44AAB362DB34EC85CB50

Function 04DE6F32 Relevance: 5.2, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

`q, xrefs: 04DE702B
`q, xrefs: 04DE70AA
`q, xrefs: 04DE714C
`q, xrefs: 04DE71CA

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: `q$`q$`q$`q
API String ID: 0-10485352
Opcode ID: 9a2458904c561a645678a459c1882a8da7c62359dc041d0ec450d136bf479021
Instruction ID: dc6abe9b464d42619c061ccbba8309b4cdfc7a2588e921878381134ddf29cef0
Opcode Fuzzy Hash: 9a2458904c561a645678a459c1882a8da7c62359dc041d0ec450d136bf479021
Instruction Fuzzy Hash: A9B19178E003099FDB54DFA9D980A9DFBF2BF88310F248629D419AB355DB30A945CF90

Function 04DE6F38 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`q, xrefs: 04DE702B
`q, xrefs: 04DE70AA
`q, xrefs: 04DE714C
`q, xrefs: 04DE71CA

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: `q$`q$`q$`q
API String ID: 0-10485352
Opcode ID: 514ab19d81b165f149eff87dbdfe400662db5f44fc1bc77ea1d0a671a7f3749b
Instruction ID: 1e7a6a6ddf7282d1efd0c0f5f6cecff7f2e809650d756990d80e00ed3a22bd97
Opcode Fuzzy Hash: 514ab19d81b165f149eff87dbdfe400662db5f44fc1bc77ea1d0a671a7f3749b
Instruction Fuzzy Hash: C8B18178E003099FDB54DFA9D990A9DFBF2BF88310F208629D419AB355DB30A945CF90

Function 04DE4A1C Relevance: 5.1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

Strings

Yn^, xrefs: 04DE4AD2
Yn^, xrefs: 04DE4B32
Yn^, xrefs: 04DE4A92
Yn^, xrefs: 04DE4A82

Memory Dump Source

Source File: 0000000B.00000002.1365940416.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4de0000_powershell.jbxd

Similarity

API ID:
String ID: Yn^$Yn^$Yn^$Yn^
API String ID: 0-3008656407
Opcode ID: 7d050bf678ba05cc4db5259167871e03676a80dd910c929cc47aa802fe08f229
Instruction ID: 033fc2016020d7ae8f1f26ac9fdebd8b0bbba0620abc5bc5531d65a0a105deb0
Opcode Fuzzy Hash: 7d050bf678ba05cc4db5259167871e03676a80dd910c929cc47aa802fe08f229
Instruction Fuzzy Hash: 54415D4280E3D12FE7136B7998A42D53FB0AE93169B0F41D7C4C0CF1A3E818585A97AB

Function 07CB0317 Relevance: 5.0, Strings: 4, Instructions: 42COMMON

Download Yara Rule

Strings

4'q, xrefs: 07CB0373
$q, xrefs: 07CB0352
4'q, xrefs: 07CB037F
$q, xrefs: 07CB035E

Memory Dump Source

Source File: 0000000B.00000002.1488134102.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7cb0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: f581eb913070e82ef5369eb939c01d225e39546588d421f444a7a2d8cea7708d
Instruction ID: bcbe2a50107ffe085a7e5498b27d5f2e7adb7228a3d8f465f7523d65d1691a59
Opcode Fuzzy Hash: f581eb913070e82ef5369eb939c01d225e39546588d421f444a7a2d8cea7708d
Instruction Fuzzy Hash: 46F0F66571C35B4FC63A125614242F66BB36BC2920B2D4197E841EF392CD248E8783E7

Analysis Process: OfficeTrackerNMP2663.exePID: 9032, Parent PID: 932COMMON

Executed Functions

Function 00E708B0 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

tPq, xrefs: 00E7095E

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 3acefc25d1dab3b13b1ec7aec6b51c6a5fcc94e34313cd248b7b9355935df039
Instruction ID: de767e9ec2da2f525d01c051859432617de7115b3487b090a659f568196071b6
Opcode Fuzzy Hash: 3acefc25d1dab3b13b1ec7aec6b51c6a5fcc94e34313cd248b7b9355935df039
Instruction Fuzzy Hash: EC2107353406108FC759EB38C468A2D7BE2AFC972532554A9E50ADF3B2DE31DC42CB91

Function 00E7153A Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

8q, xrefs: 00E71555

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: b017e149d2aabd4e25d87bc9b63453957fbf4c216809863c87a835cd9b8c66da
Instruction ID: 14367ffa56cb7c6e64b6cca3f47a7488519af1a273917126f4332a93129b4bec
Opcode Fuzzy Hash: b017e149d2aabd4e25d87bc9b63453957fbf4c216809863c87a835cd9b8c66da
Instruction Fuzzy Hash: 1CE0DF39E00B500BDB25B3BDB020BADA7E55BC8710F0489FED40A67689DA648C0A4B91

Function 00E70E30 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86c0fe8771c99f766be62b0c1ebf18c6e6c4ebe8cbab2af2ba377de4a7be2b3
Instruction ID: 830ae422c226b1e20d629a1765d7576462ff2366a5a0482688d03d05023992de
Opcode Fuzzy Hash: c86c0fe8771c99f766be62b0c1ebf18c6e6c4ebe8cbab2af2ba377de4a7be2b3
Instruction Fuzzy Hash: 58029D30A007459FCB14DF68D890AAEBBF2BF84714B15C5A9D509AF395DB31EC42CBA1

Function 00E709B0 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e647fe14a81d7eb64fc31a8966e1eee387e32b51001ed588ac2afbbed298b167
Instruction ID: ee52ca44c5ef18c21059df43cfc885853ed47c97fb849cbc29ab72d7050544a7
Opcode Fuzzy Hash: e647fe14a81d7eb64fc31a8966e1eee387e32b51001ed588ac2afbbed298b167
Instruction Fuzzy Hash: AAC15C34600741CFD729DF28D894B6A7BE2BF88704F6488A8D91A9F365DB71ED41CB90

Function 00E71498 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f80ef09d606840de4664f59ebfcfa6df8dd4df0dd78e9d32e2b6da4714ee767
Instruction ID: b8181f6fdc6fbe3d73fb449456e021382a39e37095ff17d003a61ee54baed517
Opcode Fuzzy Hash: 0f80ef09d606840de4664f59ebfcfa6df8dd4df0dd78e9d32e2b6da4714ee767
Instruction Fuzzy Hash: 6101C031F002449FD714ABB9E8557AE7FB6DF89714F1040AAD609AB392CF749D01CB92

Function 00E71348 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccaa832007d6a09e569f43eeadd8cdfe777f83646497fdc812c46d512a014bb
Instruction ID: 51c00040c31cb1fc87f8145eaec1d6edfa41266d63ff49869f90400e9d407fa9
Opcode Fuzzy Hash: 3ccaa832007d6a09e569f43eeadd8cdfe777f83646497fdc812c46d512a014bb
Instruction Fuzzy Hash: F201A776600A109FC321972CED5491A3BA0EB88B5431645D5E846AF329DA30DC0187A1

Function 00E71421 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a6e0ee980c1272686a7e8fd0c94ded37ebecfa8dcbe1f9209622313c9c9fcf
Instruction ID: c73a868c3f1f7d12e6cb53636ebedd30db9647825c510ca7642eea2d44c03ecb
Opcode Fuzzy Hash: d6a6e0ee980c1272686a7e8fd0c94ded37ebecfa8dcbe1f9209622313c9c9fcf
Instruction Fuzzy Hash: D1F0BE32B053244FD32957795C54BAF2BEAEFC962031848AEE00AD7362ED348D0683A5

Function 00E70868 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9583b9bdffa688a2030ba8dbe5c82663a7a196a71922d8a18b66b3ee66ffcbc
Instruction ID: 9aebf0ce567c280b38c964af8f01a530ff74488ce0676a7e7b519fac034f397b
Opcode Fuzzy Hash: e9583b9bdffa688a2030ba8dbe5c82663a7a196a71922d8a18b66b3ee66ffcbc
Instruction Fuzzy Hash: CFE09236A04209AF8B08EFF9E8884DE7FEDFF48222B008066F00DD3210EFB058408790

Function 00E70857 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6546f3e5cdacb0cb6d4add6691c0a795c2ab010dac37a51498cad250f6c496
Instruction ID: 5adf1db57573d2e351cad9109e1c4daa24586ab05a5e3f306689978b001c3edb
Opcode Fuzzy Hash: 0e6546f3e5cdacb0cb6d4add6691c0a795c2ab010dac37a51498cad250f6c496
Instruction Fuzzy Hash: 7EE09279A042499FC709DFFA98487CBBFE9EF48115F5480DEE008E3310EA3059008755

Function 00E71489 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc648764d562ae9beb3f7938c194652f02887e641b0b4b919b13ed6782ddce9
Instruction ID: a82eea4e26e72c21b83a8a7d437905d8b4a162a5d2c2a564e59b6083c9c7a12a
Opcode Fuzzy Hash: fcc648764d562ae9beb3f7938c194652f02887e641b0b4b919b13ed6782ddce9
Instruction Fuzzy Hash: 0CD0A732A09BD05BC72167B5AC052CC3F34CA02755B0440FAD549EB192EA44891483D3

Function 00E713E0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb0051270b04df7c3b9866b744b97c85ea3a6f6985c8bfe2072ab50adbbad89
Instruction ID: a04748f3f1c894f21292f03b28383bd0c9d41c7d92f9710c8a5da4098af84e2e
Opcode Fuzzy Hash: 3cb0051270b04df7c3b9866b744b97c85ea3a6f6985c8bfe2072ab50adbbad89
Instruction Fuzzy Hash: 65E02B381087C08FC716BF28EA746603FB59745309B4504D9D1419F3B6C7B08C40C751

Function 00E71590 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000029.00000002.1545198520.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_e70000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ebaf60d4bdb5d866bbde224e263ccf8348c1d1087baad27896296113e0a2db
Instruction ID: eb819fcfc6c75175b0946ade4063e0d91cc734767ddff0baa4283eba86c985f4
Opcode Fuzzy Hash: c4ebaf60d4bdb5d866bbde224e263ccf8348c1d1087baad27896296113e0a2db
Instruction Fuzzy Hash: FCB0125BC9C7B007E2115558546234A3BC0277873DFCF19F48C8D632A2B4887C0785C7

Analysis Process: OfficeTrackerNMP2663.exePID: 9048, Parent PID: 932COMMON

Executed Functions

Function 012508B0 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

tPq, xrefs: 0125095E

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: bef70a2a7aed76d68e700945275ddf436715f4b6d51e361c4ec0923cca8161b7
Instruction ID: 72a246396125f098920fc4046250b6ad00f532965e30554be3754b67fb083319
Opcode Fuzzy Hash: bef70a2a7aed76d68e700945275ddf436715f4b6d51e361c4ec0923cca8161b7
Instruction Fuzzy Hash: 64213C353406108FC759EB3CC4A8A2C7BE2AF8A71532514A9E506CF376DE31DC42CB91

Function 01251539 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

8q, xrefs: 01251555

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 120d4a43029edc4e1030669dbe717b56ba18fa240dc5c1e3ac28f6aefcca4b80
Instruction ID: c9bd077fa3e3f7bd39573865da493603f26c19596496a5d244c81f35763c7ce5
Opcode Fuzzy Hash: 120d4a43029edc4e1030669dbe717b56ba18fa240dc5c1e3ac28f6aefcca4b80
Instruction Fuzzy Hash: FBF055715143402BDA42F3A8F4A039D7BABAB56310F080668D185DB68AEA31880A4BE1

Function 01250E30 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b74ab1b33d516fe085f82e24577d02047aa29d1d9b2057879ed992d07aa628
Instruction ID: 88467e6a8a4806569b43aab3785c5b20ee75a74a19341b6e1b6f67350ca01519
Opcode Fuzzy Hash: b9b74ab1b33d516fe085f82e24577d02047aa29d1d9b2057879ed992d07aa628
Instruction Fuzzy Hash: 0B029F30B102059FDB55DF68D894AAEBBF6FF84310B248568D9459F395DB31EC42CBA0

Function 012509B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050d20a187656752e3ef031ca556f87fe5e53d5bcf65081b93b5a97375030ce0
Instruction ID: 9d1cf94d0c340544b4b11b7498ac78d94688f3aaf3268c91aee656c96f8c1333
Opcode Fuzzy Hash: 050d20a187656752e3ef031ca556f87fe5e53d5bcf65081b93b5a97375030ce0
Instruction Fuzzy Hash: E7C16B34610302CFE715DF28C894B697BE6FB89300F648868ED468B358EB75EC41CBA4

Function 01251498 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ec15f7c34c4c520a7568d1ad7757470eae206be472610111a034e92b2db44f
Instruction ID: 3f544d210ffbf8482228c276d7f43e778839f9b76efb09143b3c18122ec3eaeb
Opcode Fuzzy Hash: f8ec15f7c34c4c520a7568d1ad7757470eae206be472610111a034e92b2db44f
Instruction Fuzzy Hash: 0F01D270F001049FDB04ABB9E86579D7FB6EF8A700F1040AAE605DB384CE39AC01CB91

Function 01251421 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6623b0fde90e2200c9c7917dd7460b21708d1f33ca4034413e9ef7846da777
Instruction ID: 427eb9307d7bac6048b52ac944d785f1699384b4cb50e1c7433927ec0c798c39
Opcode Fuzzy Hash: df6623b0fde90e2200c9c7917dd7460b21708d1f33ca4034413e9ef7846da777
Instruction Fuzzy Hash: 6FF02E72B013142FE30857798C44AAF7BEEEFC5220724447AE009C7300ED768C0683E4

Function 01250857 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10df12832456fb6d14344d9ff96df46ca324df006dfa48f72178dd3fd616a0d3
Instruction ID: 22525e9cb2772fdef2b3599f16d3a4374db8e3600c236fe16eb288d5a6f3a12c
Opcode Fuzzy Hash: 10df12832456fb6d14344d9ff96df46ca324df006dfa48f72178dd3fd616a0d3
Instruction Fuzzy Hash: 28F02231A0828CAFCB11DFB998584CA7FFDEF4A314B0080EAE048E3202E63188018F60

Function 01250868 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591903e72d966a9818a71f736d78bb154067791c494a6ba38969f86af371d329
Instruction ID: 207a5de18c0f3200dfdb86333ef8bcadbef3bc1056d9faf9cb1e02781aa5f41b
Opcode Fuzzy Hash: 591903e72d966a9818a71f736d78bb154067791c494a6ba38969f86af371d329
Instruction Fuzzy Hash: 1CE09272A08109AF8B14EFF9E8484DE7FFDFB48362B018066F009D3204EAB694408F90

Function 012513E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7563b052425a8dd43437ed125e7942a9eccbc917dcc6cfcb5c0e7557812cc0eb
Instruction ID: dba3c5e574a174d03192f113cbabe20163939e8a70f63c9dd8fc6e3eb8192c94
Opcode Fuzzy Hash: 7563b052425a8dd43437ed125e7942a9eccbc917dcc6cfcb5c0e7557812cc0eb
Instruction Fuzzy Hash: 3AE0C23C2082804FCB06AF75E968B543FF99B4A201F400894E881C769BDA746C40CFA4

Function 01251489 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7a114c1ebfefe968eb7118163b7ca40f2d8fbda20ed7634ade1962d1198cac
Instruction ID: 7fe14d7c359b6a3337ed136458119761e456f0f5535d02c3201b7906aa5aa2a0
Opcode Fuzzy Hash: 1e7a114c1ebfefe968eb7118163b7ca40f2d8fbda20ed7634ade1962d1198cac
Instruction Fuzzy Hash: 55D0A776B147144BDB1157A5AC091CC3F64DB42250B0501AADD84C7141EA78A9188BD2

Function 01251590 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002A.00000002.1545386815.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_1250000_OfficeTrackerNMP2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4c6503ec5e198a55626f13523c1295cf8048a670f9d1403cbec4b5838898f1
Instruction ID: 476518d79c8cb99439087c2547db8e138619ba534b61300a4491e3064cf52e19
Opcode Fuzzy Hash: 9f4c6503ec5e198a55626f13523c1295cf8048a670f9d1403cbec4b5838898f1
Instruction Fuzzy Hash: BBD012A19083C10DEB2347245411380FF517F23308FAD61C6C0C486093D56D01CAD756

Analysis Process: MaxLoonaFest2663.exePID: 5400, Parent PID: 4056COMMON

Executed Functions

Function 02CF09B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9feebc33a604cfe2517be5547229b61d0d8a34c2277fefb8928bd255f6b912
Instruction ID: 591c0540e4c85bffc755cbc4d4f5b5dc0b7b91cdaae46f6bbb197905ce8217f1
Opcode Fuzzy Hash: ee9feebc33a604cfe2517be5547229b61d0d8a34c2277fefb8928bd255f6b912
Instruction Fuzzy Hash: A3D16B35A00301DFE759EF34D454B6A7BE6BF88704F548868E9068B35ADB72ED42CB90

Function 02CF08B0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

tPq, xrefs: 02CF095E

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 5801e371f041486d580053e32e85a34370ed0a29a161201dd2d241855f1eb735
Instruction ID: d82ab36e07feb2c513841ce4512bdeaa164a225b652612a7267172c084363631
Opcode Fuzzy Hash: 5801e371f041486d580053e32e85a34370ed0a29a161201dd2d241855f1eb735
Instruction Fuzzy Hash: 6E2139353406108FC799AB38C458A2D7BE2AF8A72532504E9E906CF3B6DF35DC42CB91

Function 02CF1539 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

8q, xrefs: 02CF1555

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 1786e843a19ba3384fdf4a83d0cf262c7330b0384c4ed4baa42dfeb74e282ce3
Instruction ID: 4f6da3a1d40f40cee1f621859a1ec37688193fae005ffd035e545bb2d6db3c43
Opcode Fuzzy Hash: 1786e843a19ba3384fdf4a83d0cf262c7330b0384c4ed4baa42dfeb74e282ce3
Instruction Fuzzy Hash: 36F05C3650534067D343F378F4207697AD66B86720F44446DD5488B35ACE118A0BC7E1

Function 02CF0E30 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab76a03ad73b2ae0dc9fcc025af917ba80c21c224764a71665a3de09cb2fb83b
Instruction ID: d5e3dbda07713426d06a131d314887dd3623eb4eedd8f4e52a549d1b63f22c84
Opcode Fuzzy Hash: ab76a03ad73b2ae0dc9fcc025af917ba80c21c224764a71665a3de09cb2fb83b
Instruction Fuzzy Hash: C7029C70A00205DFCB55DF68D890AAEBBF2BFC4310F288569D5099B395DB71ED46CBA0

Function 02CF1498 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454ab18094901b0ea7a40f6529bcd44056b82c307d067db1bd0d493163991b47
Instruction ID: acfefb64327f46b112b40a7341f8fa82088feb79ce1030f17e7c6ba40df8e23f
Opcode Fuzzy Hash: 454ab18094901b0ea7a40f6529bcd44056b82c307d067db1bd0d493163991b47
Instruction Fuzzy Hash: C611C871B042049FDB05EBB4E42579E7FB5EFC6214F1040AED6059B395CA359D05CB91

Function 02CF1421 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620e99409590093dec2058eb0fc24d0e614826fbe33872ceb737c1fc86359230
Instruction ID: 73056bcd310d9cb2d6562934f6918ea13bbfecf048bf4a0f27976b6137a93080
Opcode Fuzzy Hash: 620e99409590093dec2058eb0fc24d0e614826fbe33872ceb737c1fc86359230
Instruction Fuzzy Hash: 4FF0B436B053141FE31957799815AAF7BEAEFC522071444BEE409C7356DD758C0287E4

Function 02CF0857 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12117628353cf726ef14a3d1764fe2d06515eb49d1253c3953f36db35ee72ff4
Instruction ID: 0472bd63fa0f3ce77347554c85afc654df7ad2fe60e05af0cabc53ffbc4fa230
Opcode Fuzzy Hash: 12117628353cf726ef14a3d1764fe2d06515eb49d1253c3953f36db35ee72ff4
Instruction Fuzzy Hash: 52F0303160C28DAFC756DFB9985459ABFF9DE86620B1480EAE108D7216E6705901C761

Function 02CF0868 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beedf88fce9ab778f9654d3ccb3da45a1333fe73bb922364b8f50a622e46ffa7
Instruction ID: ed06333f086816348d378ec0a5b004d55f6df16e2d5e5bda2803b813f1b76921
Opcode Fuzzy Hash: beedf88fce9ab778f9654d3ccb3da45a1333fe73bb922364b8f50a622e46ffa7
Instruction Fuzzy Hash: 67E06D32A08109AFCB15EFA9A4485DEBBEDEB48622B108067E20DD2204EA705A408790

Function 02CF13E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d8bebcc1b45d7defda0076b29a2c5d13ca0064e0b9a0fdb39371ffb4f15ad7
Instruction ID: 5c430cdd7bd4e01dd1766ee1f1ee73ed4afcb17e737f89c76004b6d3eb157c72
Opcode Fuzzy Hash: 94d8bebcc1b45d7defda0076b29a2c5d13ca0064e0b9a0fdb39371ffb4f15ad7
Instruction Fuzzy Hash: BAE08C35A0D3849FCB0B9F35E938A213FF8AB8A310B8600DAE5418B26BC6605942CB54

Function 02CF1489 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5b94e0cc5d0f2de91381d3360af1a5398de371d06773088d82fc9758590acf
Instruction ID: 419dd1c803947b5f06fe7a747b9857f75f9afe7118a6cfb969465179ab144d4d
Opcode Fuzzy Hash: ea5b94e0cc5d0f2de91381d3360af1a5398de371d06773088d82fc9758590acf
Instruction Fuzzy Hash: DCD0A736E147148BDF1695B5B8161CC7BA4DB42254F0400AAD508C7142E7148F148BD2

Function 02CF1590 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.1607998705.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_2cf0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9088a8a437c485d71531b2cb0fc485cc41ef00c52938d10a31a97e30b0a9d9
Instruction ID: 9b1ba436b2132f1ca236052383b71b242321125a4c51b60bd63d5aa991fab533
Opcode Fuzzy Hash: ee9088a8a437c485d71531b2cb0fc485cc41ef00c52938d10a31a97e30b0a9d9
Instruction Fuzzy Hash: D5D0CAA490E3D21EE7A75B3488113403FB22F43218FAD20CFC1C48E0A3C2A9458AD36B

Analysis Process: MaxLoonaFest2663.exePID: 1316, Parent PID: 4056COMMON

Executed Functions

Function 02DB08B0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

tPq, xrefs: 02DB095E

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 9484ee63c93852118e154b58557ec76abd5c20e03f7fd3890c5bf0b05ff4f860
Instruction ID: e253abc72c576a72d7642fa15cfb032d0f49211b804271f501357868827facfc
Opcode Fuzzy Hash: 9484ee63c93852118e154b58557ec76abd5c20e03f7fd3890c5bf0b05ff4f860
Instruction Fuzzy Hash: 0021F5343406108FC759AB38D468A6D7BE2AF8A62532544E9E506CF3B2DE35DC42CB91

Function 02DB1539 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

8q, xrefs: 02DB1555

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 8312b880b5846b7aa188217328df933aaee8a004a2ec8d1e8d8bc9bf0a6480f4
Instruction ID: e5b86ecf29762a2720a9d09e437ced74c9c289d503b0cb84caf5c9688489db70
Opcode Fuzzy Hash: 8312b880b5846b7aa188217328df933aaee8a004a2ec8d1e8d8bc9bf0a6480f4
Instruction Fuzzy Hash: AEF05C50601B44ABE303B76CF43479D7AE79F87320F4448A6D4558B749DF109D09CBA2

Function 02DB0E30 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f206b683f7fcbec145059463e1668810772d815518063a2f0019cc185a55e828
Instruction ID: 9e478867a074e298feb93cec9fcd972bf63efb9b97ca49f6db9e7b423fcda93b
Opcode Fuzzy Hash: f206b683f7fcbec145059463e1668810772d815518063a2f0019cc185a55e828
Instruction Fuzzy Hash: 56029070A00715DFDB15DF64D8A4AAEBBF2FF84310B248568D40A9B395DB31EC46CBA0

Function 02DB09B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65edcd8edb43dd8e9afd7a6389df89a0fd7eb7ed18c35866262a378d72a53f65
Instruction ID: c57c8083c938f77411e427805bd839d3ba2e113b7836269ab46e9d44ef8eb0bb
Opcode Fuzzy Hash: 65edcd8edb43dd8e9afd7a6389df89a0fd7eb7ed18c35866262a378d72a53f65
Instruction Fuzzy Hash: 7FD1A938700305DFE71ADF34D464BAA7BA2BF89301F548868D8168B7A8DB71EC55CB90

Function 02DB1498 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e0fa087dadf3a6abf456ef1a8a1ddd4d22f2683e58bdbec01660476346540b
Instruction ID: 620e44f2e96337916e3895e974c9c0951939861bd63bc719f90b0342ac91d3eb
Opcode Fuzzy Hash: 66e0fa087dadf3a6abf456ef1a8a1ddd4d22f2683e58bdbec01660476346540b
Instruction Fuzzy Hash: 7D11C031F002149FD705AFB9E525BAE7FB6DF8A310F5040AAD9099B384CA34ED09CB91

Function 02DB1421 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb2cee8bc5c341e65655db34af8d3d3bb698f6f5be9f6879016be4f71349b3c
Instruction ID: f0231335c3a8d61189534f888b2506cda3c79ddeeb121daf705a18eb013c91ff
Opcode Fuzzy Hash: ebb2cee8bc5c341e65655db34af8d3d3bb698f6f5be9f6879016be4f71349b3c
Instruction Fuzzy Hash: FDF02431B043142FE3191B796814AFF7BAAEFC622071848BAE009C7301DD258C0383E4

Function 02DB0857 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94aef1b04e117b1be8a11cbf980cafe96062c06e2bd3feee27f0a9ea33d03a1
Instruction ID: 779e80126da327653ba4dabd0282f928f119ef523d7eedf7d4c9c85bd5426ced
Opcode Fuzzy Hash: d94aef1b04e117b1be8a11cbf980cafe96062c06e2bd3feee27f0a9ea33d03a1
Instruction Fuzzy Hash: 19F02B35A08249AFCB01DFF998485CBBFFDDE47010B0044DBE008C3201F6305909C791

Function 02DB0868 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43bfa0cdaf237197cf8e0c70556d34ab43725204ee918de665f40ec3b9890b4
Instruction ID: b7f40cbc97c4ca878d184a26f8c00e8dc80e8342d5d55601e1fa8ebb32949e07
Opcode Fuzzy Hash: d43bfa0cdaf237197cf8e0c70556d34ab43725204ee918de665f40ec3b9890b4
Instruction Fuzzy Hash: 1CE09276E44109AF9B14EFF9E8485DFBFEDEF48122B018466E40DD2300EB705D508790

Function 02DB13E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ef44e8ed79a956ed5febf18c69e1104bb3c6486806684f9098114f9bcffe6e
Instruction ID: f1d8ec7b3ceaa1d26bcb83ecb34dde7cad3f8bde72792c17f680270d2b46dbf5
Opcode Fuzzy Hash: 89ef44e8ed79a956ed5febf18c69e1104bb3c6486806684f9098114f9bcffe6e
Instruction Fuzzy Hash: E1E08634649385DFC71A9F24F538A543FA45B57200B4504E5E48187256C6609C59C755

Function 02DB1489 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290bd0657e67ebcec93a75907af19939c4dd6f28ffadfb5a3838b141308e7a7f
Instruction ID: 0985ea80dfaad824804482e2981efb7096d186cf9da70a304c6d5f6b0e23bd1e
Opcode Fuzzy Hash: 290bd0657e67ebcec93a75907af19939c4dd6f28ffadfb5a3838b141308e7a7f
Instruction Fuzzy Hash: C0D0A733A0856097EB1715B1B9266CD3F648E62260B4901B6D848D7342E60CCE2DC3D1

Function 02DB1590 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1704384033.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_2db0000_MaxLoonaFest2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cea658bdeae64072b5bffe1852e097eeb9e085f2c3cb3e49a54c15dcff9b7a2
Instruction ID: e5a5b8705affb18f7e00bd743fc0b10d0476786043df3192af6ad724bf6aa7b5
Opcode Fuzzy Hash: 6cea658bdeae64072b5bffe1852e097eeb9e085f2c3cb3e49a54c15dcff9b7a2
Instruction Fuzzy Hash: 18D0C954A4D7C29EE7235B34441A364BFA14F03204F5D18C6E0C58A193C25C048EC32B

Analysis Process: FANBooster2663.exePID: 6092, Parent PID: 4056COMMON

Executed Functions

Function 01090E30 Relevance: 6.7, Strings: 5, Instructions: 440COMMON

Download Yara Rule

Strings

D@, xrefs: 010910FC
D@, xrefs: 01091186
D@, xrefs: 01091141
<Q, xrefs: 01091039
D@, xrefs: 010911CB

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID: <Q$D@$D@$D@$D@
API String ID: 0-3199645294
Opcode ID: f8e8fab17f36f42c6ed71b5d4789eed309dcb4c9fa2d152d32f123f07f8da6bf
Instruction ID: 838dbfc090cf52a0361887542f7b3ceac36e8502209d2a497cd2a1d4e22bc097
Opcode Fuzzy Hash: f8e8fab17f36f42c6ed71b5d4789eed309dcb4c9fa2d152d32f123f07f8da6bf
Instruction Fuzzy Hash: E302AD70B006159FDB11DF68D890AAEBBF2FF88310B148568E545AF395DB31ED42CBA1

Function 01091498 Relevance: 2.6, Strings: 2, Instructions: 54COMMON

Download Yara Rule

Strings

D@, xrefs: 010914C5
D@, xrefs: 010914D7

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID: D@$D@
API String ID: 0-3862852415
Opcode ID: 7db9547dfbd55da7a250b3399d67ff3277f2420b76be1a6df26b36f24e97f378
Instruction ID: c67b6cbd836bdb4bdb242d7decc8029de8d1fcee87fd2fa8111a1755909f2858
Opcode Fuzzy Hash: 7db9547dfbd55da7a250b3399d67ff3277f2420b76be1a6df26b36f24e97f378
Instruction Fuzzy Hash: C601C471B041149FDB04ABB9E82579E7BB5DF8A310F1040AAD609AB395CE34ED018B95

Function 010908B0 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

tPq, xrefs: 0109095E

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 0403029699b412da3445f61f91cd46bbe40ddfc64c1377aaf67c57b0139e1514
Instruction ID: 890a40612a22df671372c183ee2b149dc75a86172b3312bbb6b0858e7b9656ae
Opcode Fuzzy Hash: 0403029699b412da3445f61f91cd46bbe40ddfc64c1377aaf67c57b0139e1514
Instruction Fuzzy Hash: 14213C343406108FC759AB38C468A2D7BE6AF8A72532544F9E546CF3B6DE35DC42CB91

Function 01091539 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

8q, xrefs: 01091555

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 2336316d7cc13cf33b9810ed76810d074db88867e27a374ef897f84d2b93a093
Instruction ID: c7c21b2c916c6342402b64f27068040b07659346786391030c0263b8b8ecaec7
Opcode Fuzzy Hash: 2336316d7cc13cf33b9810ed76810d074db88867e27a374ef897f84d2b93a093
Instruction Fuzzy Hash: 9EF0A3756003009BD742B278E4607AF75C65B44260F054465E0466B799DE30990547E1

Function 010909B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2765e04e0373adddf906d56a81bf7e9d32f3ce87e372f9f1575aa26e0e1ef3
Instruction ID: 64c4748e8c235ed91a253dd8ff17ff1e9beb68772ffa0c3a77a7c69a9daa9791
Opcode Fuzzy Hash: ca2765e04e0373adddf906d56a81bf7e9d32f3ce87e372f9f1575aa26e0e1ef3
Instruction Fuzzy Hash: 45C19E34601305CFDB19EF28D954B6A3BFABB48304F148468E8469F769DB70ED41CB91

Function 01091348 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c636d9d6c2f4305746914a63e0a4d788604b5679fb09d40870feb800c70ccec
Instruction ID: 38440251c910cbbf69d40293514b5d6f3fe244571888de54cc7409078f4c195f
Opcode Fuzzy Hash: 9c636d9d6c2f4305746914a63e0a4d788604b5679fb09d40870feb800c70ccec
Instruction Fuzzy Hash: D9012B777006219FC7219729E954E2F3FF4EF89AB0301C554E8869F759CA30D800C7A1

Function 01091421 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f570fe5630b74514e9a977e2a6019c4fac141a2f995a3b0598a366a907d0711
Instruction ID: 1cbc53a450c89b03ab5bb7f275fd3148e6ce523abaacd2a5dcd56aad5c8da309
Opcode Fuzzy Hash: 9f570fe5630b74514e9a977e2a6019c4fac141a2f995a3b0598a366a907d0711
Instruction Fuzzy Hash: FFF02E32B063241FD3081B7A5C10BAF3BAAEFCA26070484AAE00AC7355ED308C0283E4

Function 01090868 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d102c354effca387cfd4742d447376f39eabd1a4eacbcfe30802060e96fc747
Instruction ID: 1a1dfe643e9f4b18d79ce9756edccb72beb5fce4b0531f8b29ee2161e1aac29c
Opcode Fuzzy Hash: 3d102c354effca387cfd4742d447376f39eabd1a4eacbcfe30802060e96fc747
Instruction Fuzzy Hash: 39E06DB3B04219AF8B04EFAAA8484DB7BEDFB48122B0080A6E009E6251EA7094408790

Function 01090867 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26286193e99c76e1118375c36ce85da6ed5a0b4621dd6255dbadda78cf93d548
Instruction ID: 6a56890885da88f51789856acbae04d6c3b866b12ebffc23155c131dcb4082a9
Opcode Fuzzy Hash: 26286193e99c76e1118375c36ce85da6ed5a0b4621dd6255dbadda78cf93d548
Instruction Fuzzy Hash: 12E086B6B04119AF8B04DFFA98449DF7FFDEF48111B1081BAE009E7241E67085018B50

Function 010913E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d5ba92681a72176cc86685119afc2425c1ec227d5ebe97e4e306a2b0f875d1
Instruction ID: ed9c2b3161b4bc78a2057df325a9cb498e541fffe6a45ec4ed915ce7d7c48d76
Opcode Fuzzy Hash: 55d5ba92681a72176cc86685119afc2425c1ec227d5ebe97e4e306a2b0f875d1
Instruction Fuzzy Hash: A9E0CD3920D3C05FC7069F65EA2471A3FF59F09214F4104D8D0826BA67CB747844C756

Function 01091489 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9ac7d6b51fb1d59bf2a2ad19fc0bb3b6e9933c2fb49ad58bb4c15f232f647a
Instruction ID: 1503fa3ab94e7728d80335f77170cd4c87585bc562bd132e1be1cc36412eb0fb
Opcode Fuzzy Hash: fa9ac7d6b51fb1d59bf2a2ad19fc0bb3b6e9933c2fb49ad58bb4c15f232f647a
Instruction Fuzzy Hash: EFD0A733B4DE905BDB0162B9AC163CE3F648B06150F0541FBD544E7195E618891883D2

Function 01091590 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000032.00000002.1900058269.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_1090000_FANBooster2663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a996a531f22a8e2892decb456aed5340ff51e8b27a45ead3b3919ae0a9b9fa
Instruction ID: 633dab2e71f13a84c012dd55f1ebeafbd394f1df4c3341f4256593cc5de56a36
Opcode Fuzzy Hash: a2a996a531f22a8e2892decb456aed5340ff51e8b27a45ead3b3919ae0a9b9fa
Instruction Fuzzy Hash: B0D012A5A0C3C2CDDB234770482533C7FA11F02214F9E11C6C0D25B1A3E1380459D357

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe

C:\Users\user\AppData\Local\MaxLoonaFest2663\MaxLoonaFest2663.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FANBooster2663.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MaxLoonaFest2663.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OfficeTrackerNMP2663.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0glaokhr.30r.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1aga23cs.pjf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1w2sfdkc.gvm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23dmljal.dbl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2br1ukrl.ql3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4czbpl1u.2fz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4va2ro5t.2u3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xa0om4w.eht.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_51zdcgil.0tq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dg45pi2.dqz.ps1

Windows Analysis Report
file.exe