Edit tour

Windows Analysis Report
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Overview

General Information

Sample name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe renamed because original name is a hash value
Original sample name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO66158152 WKH2406122.scr.exe
Analysis ID:	1519259
MD5:	6d11edaa5ab6a54db22f5c4ec1a8fcb3
SHA1:	0bca6fb453f9d5b7cf8e04164f5fa632c3ce1e90
SHA256:	2f89944e9e1a59602a6d50e917c092e30467f83e312bb1bcc5e758109766cd94
Tags:	AsyncRATexeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe" MD5: 6D11EDAA5AB6A54DB22F5C4EC1A8FCB3)

DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe" MD5: 6D11EDAA5AB6A54DB22F5C4EC1A8FCB3)

DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe" MD5: 6D11EDAA5AB6A54DB22F5C4EC1A8FCB3)

powershell.exe (PID: 8000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 5780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 2028 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3733612223.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000006.00000002.3733612223.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10068:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10105:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1021a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf55a:$cnc4: POST / HTTP/1.1
00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1a520:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb003c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc3d10:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1a5bd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb00d9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc3dad:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1a6d2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb01ee:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc3ec2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x19a12:$cnc4: POST / HTTP/1.1 0xaf52e:$cnc4: POST / HTTP/1.1 0xc3202:$cnc4: POST / HTTP/1.1
00000006.00000002.3746004817.0000000003201000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7364	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7364	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7600	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe468:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe505:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe61a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd95a:$cnc4: POST / HTTP/1.1
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x211c8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x34e9c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x21265:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x34f39:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2137a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3504e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x206ba:$cnc4: POST / HTTP/1.1 0x3438e:$cnc4: POST / HTTP/1.1
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2a7e0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3e4b4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2a87d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3e551:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2a992:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3e666:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x29cd2:$cnc4: POST / HTTP/1.1 0x3d9a6:$cnc4: POST / HTTP/1.1
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa5d84:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb9a58:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa5e21:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb9af5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa5f36:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb9c0a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1 0xa5276:$cnc4: POST / HTTP/1.1 0xb8f4a:$cnc4: POST / HTTP/1.1
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe", ParentImage: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ParentProcessId: 7600, ParentProcessName: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', ProcessId: 8000, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe", ParentImage: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ParentProcessId: 7600, ParentProcessName: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', ProcessId: 8000, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ProcessId: 7600, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe", ParentImage: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ParentProcessId: 7600, ParentProcessName: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', ProcessId: 8000, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:22:32.783291+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:22:44.012487+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:22:57.230682+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:02.805269+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:10.320889+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:23.560667+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:32.790905+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:36.800386+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:37.900521+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:39.032515+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:39.651018+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:44.620356+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:44.850321+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:49.640421+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:55.250511+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:55.491159+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:55.724106+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:02.812647+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:05.491071+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:05.750760+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:07.020757+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:07.251001+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:07.770725+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:09.972584+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:10.821402+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:12.726025+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:12.960767+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:15.670702+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:18.870678+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:23.449464+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:28.740847+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:29.020724+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:32.791436+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:33.011621+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:38.030595+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:39.130548+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:39.360992+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:41.591124+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:43.450419+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:44.500898+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:44.730729+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:54.790200+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:55.020531+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:55.250624+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:02.791005+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:04.370509+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:05.130408+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:08.570538+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:10.480479+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:11.090257+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:24.380938+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:25.850618+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:26.560874+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:26.880656+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:31.900871+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:32.350842+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:32.821188+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:35.710261+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:37.210695+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:47.510456+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:47.750518+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:57.755617+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:57.991233+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:26:02.811847+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:26:03.110308+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:26:03.395532+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:26:08.410711+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:22:44.014287+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:22:57.234361+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:10.322834+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:23.563636+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:36.802812+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:37.902799+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:39.034721+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:39.652574+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:44.626799+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:44.854840+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:49.642049+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:55.253159+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:55.492630+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:55.733169+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:05.495019+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:05.800927+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:06.011509+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:06.022050+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:06.029228+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:07.022567+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:07.252620+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:07.772413+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:09.974145+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:10.823335+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:12.727522+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:12.962219+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:13.199280+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:13.204303+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:13.433178+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:15.674314+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:18.872336+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:23.453192+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:28.743443+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:29.022275+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:29.345111+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:38.033293+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:39.132055+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:39.362471+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:39.602746+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:41.593010+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:43.452477+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:44.503166+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:44.732890+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:54.792395+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:55.022087+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:55.257227+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:04.375782+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:05.131991+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:08.572130+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:10.482476+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:11.092370+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:11.373530+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:24.383453+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:25.852272+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:26.562807+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:26.885209+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:31.902358+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:32.352994+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:35.711931+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:37.212602+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:47.514012+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:47.757939+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:57.757651+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:57.992775+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:58.488645+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:58.490689+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:26:03.111779+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:26:03.398723+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:22:32.783291+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:02.805269+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:32.790905+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:02.812647+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:32.791436+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:33.011621+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:02.791005+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:32.821188+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:26:02.811847+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.10	49716	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:24:12.403436+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.10	49716	104.250.180.178	7061	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: 104.250.180.178
Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: 7061
Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: <123456789>
Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: XWorm V5.2
Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: USB.exe
Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: %AppData%
Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: XClient.exe

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?goC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb& source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb<p# source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Xml.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER628D.tmp.dmp.28.dr
Source:	Binary string: *.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbF source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbL0gw# source: WER628D.tmp.dmp.28.dr
Source:	Binary string: HP[o0C:\Windows\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: **.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbT source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006600000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.PDB source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006600000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Configuration.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Xml.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Core.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Management.pdb` source: WER628D.tmp.dmp.28.dr
Source:	Binary string: %%.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: Microsoft.VisualBasic.pdblX source: WER628D.tmp.dmp.28.dr
Source:	Binary string: mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006600000.00000004.00000020.00020000.00000000.sdmp, WER628D.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006617000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ@ source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER628D.tmp.dmp.28.dr
Source:	Binary string: @go.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Management.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: mscorlib.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Management.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb4 source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Core.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbt source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbL source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006617000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER628D.tmp.dmp.28.dr
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32XCli source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.000000000132C000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.250.180.178:7061 -> 192.168.2.10:49716
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.250.180.178:7061 -> 192.168.2.10:49716
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49716 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.10:49716 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49716 -> 104.250.180.178:7061

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.10:49716 -> 104.250.180.178:7061

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 0000000B.00000002.1334474378.00000000055EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1382761393.000000000602B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1431034891.000000000550B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.1324717162.00000000046D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1371910805.0000000005116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1412810062.00000000045F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3746004817.0000000003201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1324717162.0000000004581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1371910805.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1412810062.00000000044A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1481975927.0000000004B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.1324717162.00000000046D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1371910805.0000000005116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1412810062.00000000045F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.1340954600.0000000007F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000B.00000002.1324717162.0000000004581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1371910805.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1412810062.00000000044A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1481975927.0000000004B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.1334474378.00000000055EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1382761393.000000000602B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1431034891.000000000550B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.3733612223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_013DDA4C	0_2_013DDA4C
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_052D55F4	0_2_052D55F4
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_052D0120	0_2_052D0120
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_052D0130	0_2_052D0130
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_052D55D0	0_2_052D55D0
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_052D7BD0	0_2_052D7BD0
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 6_2_016244C7	6_2_016244C7
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 6_2_01624AC0	6_2_01624AC0
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 6_2_01621458	6_2_01621458
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 6_2_01623E18	6_2_01623E18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_042AB498	11_2_042AB498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_042AB488	11_2_042AB488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_083C3AA8	11_2_083C3AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0378B490	14_2_0378B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0378B470	14_2_0378B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08FD3E98	14_2_08FD3E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_02BFB490	16_2_02BFB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_02BF306A	16_2_02BF306A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_02BFB489	16_2_02BFB489
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04A9B490	19_2_04A9B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_08B33E98	19_2_08B33E98

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 2028

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1272756922.00000000071D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1269203702.0000000003DE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1268314495.000000000117E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000000.1259236986.00000000009E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexGEb.exe0 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3759307369.0000000004201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexGEb.exe0 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762049526.0000000006209000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dll vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3733612223.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Binary or memory string: OriginalFilenamexGEb.exe0 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.3733612223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, 0jpphwwqZqta9yNAU1rmvPgO8j.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, FelmYBrAO4eprDftxs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, FelmYBrAO4eprDftxs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, FelmYBrAO4eprDftxs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/24@0/1

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\f8RKHn3SOlVxjC9t
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7600

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File read: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 2028
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.6.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?goC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb& source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb<p# source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Xml.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER628D.tmp.dmp.28.dr
Source:	Binary string: *.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbF source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdbL0gw# source: WER628D.tmp.dmp.28.dr
Source:	Binary string: HP[o0C:\Windows\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: **.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbT source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006600000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.PDB source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006600000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Configuration.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Xml.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Core.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Management.pdb` source: WER628D.tmp.dmp.28.dr
Source:	Binary string: %%.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: Microsoft.VisualBasic.pdblX source: WER628D.tmp.dmp.28.dr
Source:	Binary string: mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006600000.00000004.00000020.00020000.00000000.sdmp, WER628D.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006617000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ@ source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER628D.tmp.dmp.28.dr
Source:	Binary string: @go.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Management.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: mscorlib.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Management.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb4 source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Core.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3762349982.000000000634B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbt source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbL source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006617000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.ni.pdb source: WER628D.tmp.dmp.28.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER628D.tmp.dmp.28.dr
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32XCli source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.000000000132C000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.kpaiBhymIJGBuLt851gqZoLAoD2fiZkc0DA3Lc823wxxdIa6PYsvKZlA56OH12YQ41sSLHjT4iWQJiKp8tggB2I54feK1c86Mqm,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.zZbnUIep0vWxKxGVBok7L3PrzjZoEnwL0TSMXbwigCiaVp6nuwuxywUGaEN9dKldJ3TrYBoPGwVErMlqUaYHm6AAkBixXvLS97V,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw._1fd035fDiEoy57pBpWpWQTfLABgAwu559F98CfIdCDdRJ74x4qfREzt6LaVDN65xSX6mXNev2t5WO73ujfaH60MUncnZRoGV4vj,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.IW9FNA672lsDi2tCYs0XmXfyWkYhTHM1nl8C6baQ9lTI8YY8Qyto5zkIeoHh2Zcqmqyiuv94riMmQCcGwepP0z2tUnSyyl1yoCb,LQsPA89PDgnCWG85KTzaHUxHxV.WufUBprPTFHXMI553kXybp9FaY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9CLWboLL8arHgBpNMCHih5iKc1[2],LQsPA89PDgnCWG85KTzaHUxHxV.WL37fsRxQxlu6tAK1xjQRngPmh(Convert.FromBase64String(_9CLWboLL8arHgBpNMCHih5iKc1[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _9CLWboLL8arHgBpNMCHih5iKc1[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	.Net Code: T6JRZnufKE System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.7f80000.6.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	.Net Code: T6JRZnufKE System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	.Net Code: T6JRZnufKE System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: HFKY311DFA0CknBmafbCyAhvOzvwUW3ViyV49tKstRpT8xAE2GnNPEVulKkb5ija7d4jHOKsf5tq0JZu3yzP System.AppDomain.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn System.AppDomain.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn
Source: XClient.exe.6.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.4205570.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_052DF1C8 push esp; retf	0_2_052DF1C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_042A42AF push ebx; ret	11_2_042A42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_042A636B push eax; ret	11_2_042A6371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0378633D push eax; ret	14_2_03786351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_02BF633D push eax; ret	16_2_02BF6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04A96338 push eax; ret	19_2_04A96341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04A93ACD push ebx; retf	19_2_04A93ADA

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Static PE information: section name: .text entropy: 7.805156176612846
Source: XClient.exe.6.dr	Static PE information: section name: .text entropy: 7.805156176612846

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, EWk5EGKijIaiRSqgCZ.cs	High entropy of concatenated method names: 'M8DZYtMaX', 'FoePcNS3w', 'SwoONkENX', 'oUyEJvdcp', 'n4Cf0kjtw', 'ph4NVEcEs', 'M8cKG25PBGoqybpZyb', 'NdbyBwnOel6DY7gILO', 'bLikcaVTD', 'ukJ2bEiN7'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	High entropy of concatenated method names: 'hUaemyPUIx', 'W8Eel5FgZu', 'QFFeY41TTK', 'vjqeCHWyu8', 'DwWebLqgwM', 'pX7eq7QYYr', 'RkFeaxQOyG', 'eBwesLcMC7', 'gIVe0PRuDs', 'Wx1e7WP4sy'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, ct7qxCuWIsEjLRwCRr.cs	High entropy of concatenated method names: 'onfal3kO96', 'CK6aC6kXDs', 'tgIaqmeiok', 'YGyq95YMym', 'VqPqzcb0MU', 'dupaXts1fV', 'h5Ga4NI1JR', 'z6laKStDah', 'mrcaeCM1ZO', 'QmxaRLExRc'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, LJD8Ef6cFXafZXMS5e.cs	High entropy of concatenated method names: 'xcrkG6cumb', 'MbHkANJis1', 'N12kgyUZXb', 'A3pk3UYRlx', 'RWOkt16hfv', 'd3okMFJerh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, lffQcqGwGqPpJ4Eaor.cs	High entropy of concatenated method names: 'OAZqmG3KUT', 'dgaqYUUL01', 'Ia5qb2L2rs', 'B0QqaIqeMp', 'LGaqsSCNlr', 'vjJbVgX9rw', 'GZJbhoGVvE', 'SqqbHc4Iwy', 'xvkbLhf1Pt', 'wsJb6jQWp7'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, LuZePO1hBMjFln9NX7.cs	High entropy of concatenated method names: 'ToString', 'iYdwDQ0PAc', 'a4bwA4ZZSi', 'fjfwgY5MaZ', 'koZw3VEUDu', 'jZQwMIYFsA', 'Ip9wWjmC2s', 'OLfwuANjD5', 'ce8wj9M4Kq', 'arswI4Numl'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, CiAK8fIGG6GNLVEYNP.cs	High entropy of concatenated method names: 'ksRaByvFEo', 'jbXa8oc8lF', 'qHJaZItpOP', 'hSwaPpIR3v', 'uNIaTPSXTM', 'U8FaOQ1mQj', 'A7faEO7k5t', 'zUDarm2kjp', 'eO2afo8aLe', 'FgLaNhJyVt'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, FqfVpkROrPeGsvRejp.cs	High entropy of concatenated method names: 'wSG4aelmYB', 'GO44seprDf', 'joF47J81Ck', 'V434ptfU8e', 'XMc45nk0ff', 'qcq4wwGqPp', 'MATiQBoYcaE0Ek9w43', 'PApCggFqppdpQXuOQS', 'j2S44Q5VPH', 'Epk4e4O6jI'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, t130s14evMytwfh4DIR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sKf2tJ1ouH', 'hoD2nn4gNt', 'zCH21i5Vkd', 'zTZ2SNgXAc', 'vZ42VSoeP1', 'mAx2h2hU1x', 'Pb52HqWme9'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, H4lNPTdYK1KqqYFoV8.cs	High entropy of concatenated method names: 'BsJJruV4ba', 'mudJfmlLw6', 'EHrJG3uRri', 'kVtJAlKta2', 'EvAJ3xsfVM', 'GjVJMw3g4v', 'BKcJulmDL0', 'f48JjintOV', 'M17JyFw67a', 'E2iJDNCrZQ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, oZQm7KYY83vowOPI3i.cs	High entropy of concatenated method names: 'Dispose', 'Cx246C9mDK', 'OKBKAKZHbC', 'tj5ssFmjuw', 'GUa49ILCBv', 'sKc4zYIb1E', 'ProcessDialogKey', 'NGuKXJD8Ef', 'wFXK4afZXM', 'T5eKK3ECyJ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, qeag0qtZcaGu8bd8eF.cs	High entropy of concatenated method names: 'ET65yBL45u', 'xBx5FWKu21', 'hlP5t0pbVU', 'W7J5nHHy0p', 'e9l5AJaxCQ', 'PB55gu4sHT', 'cG553r8SB2', 'BmC5MIvhGg', 'O9n5Wd8XO1', 'qXK5uJpAMJ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, FelmYBrAO4eprDftxs.cs	High entropy of concatenated method names: 'DH7Yt83X5D', 'MIWYniaMtl', 'UY9Y1v3khi', 'tToYSTtkRs', 'FovYVKE4tE', 'Qf2YhPCiPq', 'uNBYHx2xfE', 'oDuYLDPZ2Z', 'tMRY6Wu5ia', 'kbKY9wOlBW'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, xDxjyqfoFJ81CkH43t.cs	High entropy of concatenated method names: 'Ts1CPJOybq', 'RVICOA6n78', 'ywmCrCVL2t', 'VFUCfxF3tc', 'NtOC5BF3OX', 'bHvCwb6s5f', 'Dl8CQAVUxp', 'fINCkJIvvq', 'oiYCoNdFoJ', 'WkRC2eOZH5'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, AjQ7TYh0yZ7fO90ADR.cs	High entropy of concatenated method names: 'vnIQLfVRwe', 'aqpQ9GJjN8', 'YlMkX3CKei', 'NU7k45aTLc', 'RpfQDqbyd0', 'EoaQFxJ5w6', 'evWQdaUYLP', 'PadQtMqsMi', 'vxqQnbPvRH', 'NoCQ1dv5xy'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, vaILCBLvoKcYIb1EyG.cs	High entropy of concatenated method names: 'LgMklrkyNv', 'rjRkYY9kPj', 'ltFkC3cCg6', 'BQQkb3wWcZ', 'C5okqOnVSk', 'WMykaOGYAJ', 'uSgksXaQCl', 'OYdk0j5uNT', 'TWmk71G5rY', 'FV8kp0sm9o'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, icq7iXC1RWxNstJ17C.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dlyK6Qddim', 'bFFK9RaDih', 'GRfKzAq1vI', 'OgeeXHrpjb', 'ijie4YcHrC', 'bgReKciVLc', 'H8veePNJ9k', 'lxUhBd94W0pxYDkxKo2'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, lIwjeg4XPYZuaxI5c1l.cs	High entropy of concatenated method names: 'uAtoBeKYKM', 'qpNo8amFOW', 'AQ6oZgXeA1', 'B2AoPrKKWp', 'wk3oTLtNyb', 'H2uoOnawqh', 'ED2oEOQSpH', 'qpEorOaqYu', 'tS8ofpiKbv', 'BmCoNvFrbp'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71d0000.5.raw.unpack, IECyJf9v8JQDxVMZPi.cs	High entropy of concatenated method names: 'FMuo4lkySK', 'oAQoe4lo5t', 'ca7oRRvyrU', 'T7Holo51pw', 'aRJoYCkUhd', 'o08obYRtkC', 'tAIoqaxS8S', 'UEukH6q2rB', 'DZ3kLnv3rl', 'hIek6CuEB6'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.7f80000.6.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, EWk5EGKijIaiRSqgCZ.cs	High entropy of concatenated method names: 'M8DZYtMaX', 'FoePcNS3w', 'SwoONkENX', 'oUyEJvdcp', 'n4Cf0kjtw', 'ph4NVEcEs', 'M8cKG25PBGoqybpZyb', 'NdbyBwnOel6DY7gILO', 'bLikcaVTD', 'ukJ2bEiN7'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	High entropy of concatenated method names: 'hUaemyPUIx', 'W8Eel5FgZu', 'QFFeY41TTK', 'vjqeCHWyu8', 'DwWebLqgwM', 'pX7eq7QYYr', 'RkFeaxQOyG', 'eBwesLcMC7', 'gIVe0PRuDs', 'Wx1e7WP4sy'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, ct7qxCuWIsEjLRwCRr.cs	High entropy of concatenated method names: 'onfal3kO96', 'CK6aC6kXDs', 'tgIaqmeiok', 'YGyq95YMym', 'VqPqzcb0MU', 'dupaXts1fV', 'h5Ga4NI1JR', 'z6laKStDah', 'mrcaeCM1ZO', 'QmxaRLExRc'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, LJD8Ef6cFXafZXMS5e.cs	High entropy of concatenated method names: 'xcrkG6cumb', 'MbHkANJis1', 'N12kgyUZXb', 'A3pk3UYRlx', 'RWOkt16hfv', 'd3okMFJerh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, lffQcqGwGqPpJ4Eaor.cs	High entropy of concatenated method names: 'OAZqmG3KUT', 'dgaqYUUL01', 'Ia5qb2L2rs', 'B0QqaIqeMp', 'LGaqsSCNlr', 'vjJbVgX9rw', 'GZJbhoGVvE', 'SqqbHc4Iwy', 'xvkbLhf1Pt', 'wsJb6jQWp7'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, LuZePO1hBMjFln9NX7.cs	High entropy of concatenated method names: 'ToString', 'iYdwDQ0PAc', 'a4bwA4ZZSi', 'fjfwgY5MaZ', 'koZw3VEUDu', 'jZQwMIYFsA', 'Ip9wWjmC2s', 'OLfwuANjD5', 'ce8wj9M4Kq', 'arswI4Numl'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, CiAK8fIGG6GNLVEYNP.cs	High entropy of concatenated method names: 'ksRaByvFEo', 'jbXa8oc8lF', 'qHJaZItpOP', 'hSwaPpIR3v', 'uNIaTPSXTM', 'U8FaOQ1mQj', 'A7faEO7k5t', 'zUDarm2kjp', 'eO2afo8aLe', 'FgLaNhJyVt'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, FqfVpkROrPeGsvRejp.cs	High entropy of concatenated method names: 'wSG4aelmYB', 'GO44seprDf', 'joF47J81Ck', 'V434ptfU8e', 'XMc45nk0ff', 'qcq4wwGqPp', 'MATiQBoYcaE0Ek9w43', 'PApCggFqppdpQXuOQS', 'j2S44Q5VPH', 'Epk4e4O6jI'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, t130s14evMytwfh4DIR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sKf2tJ1ouH', 'hoD2nn4gNt', 'zCH21i5Vkd', 'zTZ2SNgXAc', 'vZ42VSoeP1', 'mAx2h2hU1x', 'Pb52HqWme9'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, H4lNPTdYK1KqqYFoV8.cs	High entropy of concatenated method names: 'BsJJruV4ba', 'mudJfmlLw6', 'EHrJG3uRri', 'kVtJAlKta2', 'EvAJ3xsfVM', 'GjVJMw3g4v', 'BKcJulmDL0', 'f48JjintOV', 'M17JyFw67a', 'E2iJDNCrZQ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, oZQm7KYY83vowOPI3i.cs	High entropy of concatenated method names: 'Dispose', 'Cx246C9mDK', 'OKBKAKZHbC', 'tj5ssFmjuw', 'GUa49ILCBv', 'sKc4zYIb1E', 'ProcessDialogKey', 'NGuKXJD8Ef', 'wFXK4afZXM', 'T5eKK3ECyJ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, qeag0qtZcaGu8bd8eF.cs	High entropy of concatenated method names: 'ET65yBL45u', 'xBx5FWKu21', 'hlP5t0pbVU', 'W7J5nHHy0p', 'e9l5AJaxCQ', 'PB55gu4sHT', 'cG553r8SB2', 'BmC5MIvhGg', 'O9n5Wd8XO1', 'qXK5uJpAMJ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, FelmYBrAO4eprDftxs.cs	High entropy of concatenated method names: 'DH7Yt83X5D', 'MIWYniaMtl', 'UY9Y1v3khi', 'tToYSTtkRs', 'FovYVKE4tE', 'Qf2YhPCiPq', 'uNBYHx2xfE', 'oDuYLDPZ2Z', 'tMRY6Wu5ia', 'kbKY9wOlBW'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, xDxjyqfoFJ81CkH43t.cs	High entropy of concatenated method names: 'Ts1CPJOybq', 'RVICOA6n78', 'ywmCrCVL2t', 'VFUCfxF3tc', 'NtOC5BF3OX', 'bHvCwb6s5f', 'Dl8CQAVUxp', 'fINCkJIvvq', 'oiYCoNdFoJ', 'WkRC2eOZH5'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, AjQ7TYh0yZ7fO90ADR.cs	High entropy of concatenated method names: 'vnIQLfVRwe', 'aqpQ9GJjN8', 'YlMkX3CKei', 'NU7k45aTLc', 'RpfQDqbyd0', 'EoaQFxJ5w6', 'evWQdaUYLP', 'PadQtMqsMi', 'vxqQnbPvRH', 'NoCQ1dv5xy'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, vaILCBLvoKcYIb1EyG.cs	High entropy of concatenated method names: 'LgMklrkyNv', 'rjRkYY9kPj', 'ltFkC3cCg6', 'BQQkb3wWcZ', 'C5okqOnVSk', 'WMykaOGYAJ', 'uSgksXaQCl', 'OYdk0j5uNT', 'TWmk71G5rY', 'FV8kp0sm9o'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, icq7iXC1RWxNstJ17C.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dlyK6Qddim', 'bFFK9RaDih', 'GRfKzAq1vI', 'OgeeXHrpjb', 'ijie4YcHrC', 'bgReKciVLc', 'H8veePNJ9k', 'lxUhBd94W0pxYDkxKo2'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, lIwjeg4XPYZuaxI5c1l.cs	High entropy of concatenated method names: 'uAtoBeKYKM', 'qpNo8amFOW', 'AQ6oZgXeA1', 'B2AoPrKKWp', 'wk3oTLtNyb', 'H2uoOnawqh', 'ED2oEOQSpH', 'qpEorOaqYu', 'tS8ofpiKbv', 'BmCoNvFrbp'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f9c280.3.raw.unpack, IECyJf9v8JQDxVMZPi.cs	High entropy of concatenated method names: 'FMuo4lkySK', 'oAQoe4lo5t', 'ca7oRRvyrU', 'T7Holo51pw', 'aRJoYCkUhd', 'o08obYRtkC', 'tAIoqaxS8S', 'UEukH6q2rB', 'DZ3kLnv3rl', 'hIek6CuEB6'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, EWk5EGKijIaiRSqgCZ.cs	High entropy of concatenated method names: 'M8DZYtMaX', 'FoePcNS3w', 'SwoONkENX', 'oUyEJvdcp', 'n4Cf0kjtw', 'ph4NVEcEs', 'M8cKG25PBGoqybpZyb', 'NdbyBwnOel6DY7gILO', 'bLikcaVTD', 'ukJ2bEiN7'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, uUqlwqsi7rB5Dws3Q1.cs	High entropy of concatenated method names: 'hUaemyPUIx', 'W8Eel5FgZu', 'QFFeY41TTK', 'vjqeCHWyu8', 'DwWebLqgwM', 'pX7eq7QYYr', 'RkFeaxQOyG', 'eBwesLcMC7', 'gIVe0PRuDs', 'Wx1e7WP4sy'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, ct7qxCuWIsEjLRwCRr.cs	High entropy of concatenated method names: 'onfal3kO96', 'CK6aC6kXDs', 'tgIaqmeiok', 'YGyq95YMym', 'VqPqzcb0MU', 'dupaXts1fV', 'h5Ga4NI1JR', 'z6laKStDah', 'mrcaeCM1ZO', 'QmxaRLExRc'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, LJD8Ef6cFXafZXMS5e.cs	High entropy of concatenated method names: 'xcrkG6cumb', 'MbHkANJis1', 'N12kgyUZXb', 'A3pk3UYRlx', 'RWOkt16hfv', 'd3okMFJerh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, lffQcqGwGqPpJ4Eaor.cs	High entropy of concatenated method names: 'OAZqmG3KUT', 'dgaqYUUL01', 'Ia5qb2L2rs', 'B0QqaIqeMp', 'LGaqsSCNlr', 'vjJbVgX9rw', 'GZJbhoGVvE', 'SqqbHc4Iwy', 'xvkbLhf1Pt', 'wsJb6jQWp7'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, LuZePO1hBMjFln9NX7.cs	High entropy of concatenated method names: 'ToString', 'iYdwDQ0PAc', 'a4bwA4ZZSi', 'fjfwgY5MaZ', 'koZw3VEUDu', 'jZQwMIYFsA', 'Ip9wWjmC2s', 'OLfwuANjD5', 'ce8wj9M4Kq', 'arswI4Numl'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, CiAK8fIGG6GNLVEYNP.cs	High entropy of concatenated method names: 'ksRaByvFEo', 'jbXa8oc8lF', 'qHJaZItpOP', 'hSwaPpIR3v', 'uNIaTPSXTM', 'U8FaOQ1mQj', 'A7faEO7k5t', 'zUDarm2kjp', 'eO2afo8aLe', 'FgLaNhJyVt'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, FqfVpkROrPeGsvRejp.cs	High entropy of concatenated method names: 'wSG4aelmYB', 'GO44seprDf', 'joF47J81Ck', 'V434ptfU8e', 'XMc45nk0ff', 'qcq4wwGqPp', 'MATiQBoYcaE0Ek9w43', 'PApCggFqppdpQXuOQS', 'j2S44Q5VPH', 'Epk4e4O6jI'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, t130s14evMytwfh4DIR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sKf2tJ1ouH', 'hoD2nn4gNt', 'zCH21i5Vkd', 'zTZ2SNgXAc', 'vZ42VSoeP1', 'mAx2h2hU1x', 'Pb52HqWme9'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, H4lNPTdYK1KqqYFoV8.cs	High entropy of concatenated method names: 'BsJJruV4ba', 'mudJfmlLw6', 'EHrJG3uRri', 'kVtJAlKta2', 'EvAJ3xsfVM', 'GjVJMw3g4v', 'BKcJulmDL0', 'f48JjintOV', 'M17JyFw67a', 'E2iJDNCrZQ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, oZQm7KYY83vowOPI3i.cs	High entropy of concatenated method names: 'Dispose', 'Cx246C9mDK', 'OKBKAKZHbC', 'tj5ssFmjuw', 'GUa49ILCBv', 'sKc4zYIb1E', 'ProcessDialogKey', 'NGuKXJD8Ef', 'wFXK4afZXM', 'T5eKK3ECyJ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, qeag0qtZcaGu8bd8eF.cs	High entropy of concatenated method names: 'ET65yBL45u', 'xBx5FWKu21', 'hlP5t0pbVU', 'W7J5nHHy0p', 'e9l5AJaxCQ', 'PB55gu4sHT', 'cG553r8SB2', 'BmC5MIvhGg', 'O9n5Wd8XO1', 'qXK5uJpAMJ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, FelmYBrAO4eprDftxs.cs	High entropy of concatenated method names: 'DH7Yt83X5D', 'MIWYniaMtl', 'UY9Y1v3khi', 'tToYSTtkRs', 'FovYVKE4tE', 'Qf2YhPCiPq', 'uNBYHx2xfE', 'oDuYLDPZ2Z', 'tMRY6Wu5ia', 'kbKY9wOlBW'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, xDxjyqfoFJ81CkH43t.cs	High entropy of concatenated method names: 'Ts1CPJOybq', 'RVICOA6n78', 'ywmCrCVL2t', 'VFUCfxF3tc', 'NtOC5BF3OX', 'bHvCwb6s5f', 'Dl8CQAVUxp', 'fINCkJIvvq', 'oiYCoNdFoJ', 'WkRC2eOZH5'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, AjQ7TYh0yZ7fO90ADR.cs	High entropy of concatenated method names: 'vnIQLfVRwe', 'aqpQ9GJjN8', 'YlMkX3CKei', 'NU7k45aTLc', 'RpfQDqbyd0', 'EoaQFxJ5w6', 'evWQdaUYLP', 'PadQtMqsMi', 'vxqQnbPvRH', 'NoCQ1dv5xy'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, vaILCBLvoKcYIb1EyG.cs	High entropy of concatenated method names: 'LgMklrkyNv', 'rjRkYY9kPj', 'ltFkC3cCg6', 'BQQkb3wWcZ', 'C5okqOnVSk', 'WMykaOGYAJ', 'uSgksXaQCl', 'OYdk0j5uNT', 'TWmk71G5rY', 'FV8kp0sm9o'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, icq7iXC1RWxNstJ17C.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dlyK6Qddim', 'bFFK9RaDih', 'GRfKzAq1vI', 'OgeeXHrpjb', 'ijie4YcHrC', 'bgReKciVLc', 'H8veePNJ9k', 'lxUhBd94W0pxYDkxKo2'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, lIwjeg4XPYZuaxI5c1l.cs	High entropy of concatenated method names: 'uAtoBeKYKM', 'qpNo8amFOW', 'AQ6oZgXeA1', 'B2AoPrKKWp', 'wk3oTLtNyb', 'H2uoOnawqh', 'ED2oEOQSpH', 'qpEorOaqYu', 'tS8ofpiKbv', 'BmCoNvFrbp'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3f48660.4.raw.unpack, IECyJf9v8JQDxVMZPi.cs	High entropy of concatenated method names: 'FMuo4lkySK', 'oAQoe4lo5t', 'ca7oRRvyrU', 'T7Holo51pw', 'aRJoYCkUhd', 'o08obYRtkC', 'tAIoqaxS8S', 'UEukH6q2rB', 'DZ3kLnv3rl', 'hIek6CuEB6'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.cs	High entropy of concatenated method names: 'nzpq34I2Owdcl9fMv5UC2J5bWAhYRAKaulM2epxdlOUgYAwStJcbsQF2LV7', '_3TV7y1L0UdqugSHqWSFDQgjIB1RLAMta0zbdfnGtgjiEucMaYzlPshW9VtV', 'pjvrCbuiTImLYchYZBIntOVyvPn3ZfSMtWVvNsM0Nvur9iH1fX2B8axAglC', 'jI7KmqV1ayX8qwmay9TzwN1cwR8kqb0h8EMRQLIOnFHgagzy7qGeZFVymwQ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, 8vDNxxr6KA56TLeIORtyRLSVXe.cs	High entropy of concatenated method names: '_00wnbuD6N1v3u4tAFw3wul2CM0', 'fbuqWesh3CVNj2RtuGY4FmHJps', 'HFqUUv7DJAEEhvrSsywavqaOIT', 'lO3fdbWbA8cdJSM60XZlTyTo1nRw6RJ0TkcvaWTmeXkk', 'o454lDfZaM893ftJX7v3O4qrjBaqZgXKn8MLidOK6Wep', 'dGQ7XoqybmSzxfRt5TDkZgPg2kC5INkjb6ybBBTnIQBQ', 'qnxpDMttXO5Q6RWMOugTF1OB5xiLTvjjuAAVGH4HMLQO', 'HeZsr9e5BNhQhw2tx7EzDGOu3oFSOtiNHoENJsbWOQXf', 'DJjUyYbm7hNYuN3aTC7191TEVjaM3TCFuJXKVoTOyfXP', 'gZOiEnnJ6n7BiHg1PhnYUfFDonaGra3pPadwz8Md8Lwa'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, TvXNMPQzFStCY57ElDLFZF5wAWyu0HVKP74m0eYWEhLZU5ek0outej2CSyzPAywwqGzOP32wGaNx3OfXdD6rsa5uWywfJM4PgHN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'cqdgMqYlqVr2WPbYU5d9YHP80OHFw99M9Y6CT3Cr4bu1pDH343obGJOq7xC', 'g5ZfxcIQ2yYANiEqDIDYC5MiH24kf8WoOop4sg9QRmMmIwIekfETxLRXPUs', '_26HTuFzrNZYByDsAEiZbqNFA59SdHCtVcYm4RrYlYDtfKTpyB7EqJpy61DM', 'Hta5nog2yoVHh9zNcyUS7cXHn92CKJeikSJ96C9reTxLwGxghqe54UiXCun'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, JJqNIbmAEnE7SiPqGMTQm6czGZ9oDVL8xeYwvixsqiqWp3UZE3bbHqW0DPuSoU7Yz04fIfeMVsV3xLKVxXwRTrLXVvtHRM473Hj.cs	High entropy of concatenated method names: '_0wZ0aYgmMl7kCbvj6Ou4SqrdhKMFXGYofIhw64PZvBBBcVwz8edGsmoVjHZbxfJWPFhXcFK7G5Pkh3B9nMhjygTmnsyHZe5BwKO', 'wKAxAa74PvSccIjVWKrzIU9aAbAaHgp2F7R6H71jGdpLfaJQlfMmCgmIYeOq3bhY2kwGWp326CXODtRaQ1K7UejHfChjJCsd4w6', 'mblvCI5AALNqM17akKxCiwWFqw4LHtX9ugJUzGVJ5hX19rmDg285YT5yERlcJs18nWe8lJA3wuvI431UqKVZVz65vnGkNFR36WN', '_7CaW1EWN4UJVbiroC1AJiLX9lGWRa1euvVKutGGoR8xtke3Xu7QmRXrUL6xaZijXX9TQVdzIzydglyCWCssa48rnFFFPU2xct98', 'GywKF26peTAjyqmA0CwBA9qjJy4zhnHgjQ3LQ24bOXCR5e8HHJQUHzAMBVF6ruq9Qx8IW2od06bo2WNzKmI5vXL99DfhdVs0lR0', 'wJj4dvHtMignilEHYXN1NqGKGCvTZPsAQfYt5ZUtqcHgRruffEstHQHFzzP', 'z8wKUA2RKriNaMffEKpb4ppJCmTntUt8oajciBxfzbgAWeF0darr6JKmGCE', 'gDKN5mrHJddJ7SGyk37vE8BX8FDQO4LE9MUKXE6gr3ZBhTUKPL1dpb7nZJU', 'q59SA0UWlBieLpkTGLZQ2MuXoOR0y6UAwZUuPLi7j5XLYpj5l0PTYnG4bR2', '_5HnHp0XZFWIe58Rxw2X8ec6Ak3NpUsaEP4gwO8SsoiNMr9hESe9256VyQLT'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, 0jpphwwqZqta9yNAU1rmvPgO8j.cs	High entropy of concatenated method names: '_1Rspokhmbe63QRMYYW7YaeFX0v', 'yq2uAsopTtMnLlhOp3DDOI5x0D3nFRlhWfKcOXT4v4gy', 'P6kUAuGkBsoDc6hkTCoEjAFeZebruUYkj9lWD5A2Wa30', '_5fL5nT5bzWd4k9YU5fI6Mpi6WWp4SBBmZ5CDOZK7cqqb', 'OZMMPGeVcmQdHwJF9epKtonlDSwhlOm5WEq7HAmYKxkl'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	High entropy of concatenated method names: 'LdFLkiKlLrIfANYkDqDQXycHmXxIRUaNL4TkP4RHu7gZe8lku41k0ght9Et3VdaNL2d3xxicXkR3nKgFLeTJ', 'HFKY311DFA0CknBmafbCyAhvOzvwUW3ViyV49tKstRpT8xAE2GnNPEVulKkb5ija7d4jHOKsf5tq0JZu3yzP', '_0Sb0jSn74vlKCTBycSpeKCKh8YVnIEDot37X0YY8eiqItyMOkMMnEHcDx87GiyxSyRglhdcD2PfetzhD4OQv', 'oaGsaY395ldYCvAX6WxuCpu4ToG9fV2z5tOYwsJcZ5WUXesjqC4oPF69K1QpSsQ7gFX5LmiVjo2HXeH06dJ3', 'Jvg1iNjm2BnGEK9IIpgoplw6Fr0GV7T4vOumLInDXwY0x4C7t6WTPgLEDEOjf44CUQacC30IEtGAWjL1KcxM', 'erIkWKvNLiY2o8ryEih0Eq4ui5nGIqCHNiSsMAnAy9xaqzkqpDDH8VaOOFprVmT3M2Ikaye65nLjquYxw1E0', 'XZN7O3p3PknQ8oiGMcm2nUKm2u4J2dqNsvpWsGAEBCnitAPO84VpGDc6njiiTqqghHeXC3ltqdDBds0326Am', 'GanNgRzx9YmKSxobPaRmKvYnZEBvFAUCoPdDSV29IjNGNpAsix8wOUqtZnIRoKjLONyRAl2amIDRhhSMEsvR', 'aSPD3e3gL7inuMeKBXU5aaNxfyuloxHqiCgBrqZNzpio6yary8g4U7qoSVAKB9M5aK8JZ4JL7frwEPIWLNii', 'tMNw0i1eU1cZcutvPHlHjmT4OmNObT1BsuhC6uw8Dnbb4boPq9pTjoXX239rQ1OxsNBiYEUDmDjXfN7SxgnS'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, kaHZoyXSlsqJiGMDmYfIITVF1t.cs	High entropy of concatenated method names: '_6Uc2JxshDBPfgjJCqPzKspkSU6', '_0EOkSBhN5BPczbdrIiryIEVhy9Jcydn0pQbJMd8zvSPb', 'xq6aEromiLWyTaoNny5Z75jxKNwfdMWW98IhSvJ6oZpR', 'U9ZFrYbS9G7idln1Gk7gDwUXZHcoxvNGRUMapKTfcdMn', 'ywQd4pM6VBs57Lkeaqj7cUzstOyB2LDnY1mqhMKk3XiZ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	High entropy of concatenated method names: 'bCUGVYnUqZyhFAZbEOF8KW3BuhcghQFp4XbpthrY6K0XxuF4hMaEIWAIpnB3sTgPgCko4dcZKitOlvJ4V9gmqXXdcZBfSDK9PWi', 'gDbp8urZptnAbj0zWQ7gFA2VSwEQMOJWyzCYgjq8ln8fED06jOLIa7FsNFZl81vOShWbUSbuI29QzqPYJpDv', 'l2qBqfPnflox0oUMwDgwc6T2D0lpuAvDPkD4apKf5Wd14y3XcjfkBS1Ndh3Gc8tw5VLgrW3tjRK8zSoKU0aU', 'hoypSSF61Ev12VdcpSWsuCsz8EiMN0p8VwXX510nTgecdRq3auorXQHedcwtI5XSdv3Jd1tDQQJqUMUluGmb', 'YV1XISLVVJ5Y0mBVcHk1dNPhFHKtppPBBjKUhzkde4VTAu2v4uTmDptxzRPlgs8IOiTvVMXi4VuQJk2v9LPM', 'Uo8HKkXeQThRMnP47TFhsmst4pNfLPDeHcfjtIgOLBoBIOlIOPHVs8TPXtX8A6Po5jCiQgFkesG3YNZjzcF7', 'XbuhqAjsSjImWGTWc0QyDqw4o38ZrGLkTeO7gQZHxpjqTP2daTBnRUPSuLKXqlSvS3PhLJwzRrIQQzIUfZs9', 'HCdwGWSVOU9ZMemoUSROkkB37ldP2pm0vIb58nnbPUZ5niX0gO6PXVkJ3d6wXEGpbO7ygUwE4Y4divvJYUCm', 'UmQJWM9T5XTdAv5EWIqg0EbL73yYEejk7kvUSMPBkUrj5MBOxAgEkqWEnW47gLT9HaKc0isLagCWLN4qPZj6', 'ijmQHVULTzVwclrwpq3xcMYgi1lhxhpu2IixdEaz11jtj8gwM8u23SVGpFCmLZxJ53H9WIkqaguItBf4PvKG'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	High entropy of concatenated method names: '_4csOR5COJp8Nw3svOgBiOEei9M', 'oveHTjECO0IF9XGehFIVHW7lat', 'yRio6ujIz4vsYwBFUmeCDplhI8', '_2lHxdw84riTaEpvOtTBEqGkKfx', 'vGXLg0twHPePs16E9gmC5qtgJi', 'amALwgZEgu6vjk9VJ0l2nLE3Ld', 'rSUlQxAaBUIsMYMhkDoSbV6fZj', 'wJ3YLoJiM8fEsrTjaaxtEvrjUC', 'cjkSPRge0PhwjImVXL1VszhHEk', 'caCxIgsVfZKzYuJ3bbMJuPWieY'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, xtLYoziFoUXIYcdlBH3lx0uJoM.cs	High entropy of concatenated method names: 'DyiS7GCf6yJBfx6mBb9DkUiW0c', 'fiQpyAo0IBbeBuurlZXXD0ovlh', '_8WbDzYCEqnK691DDZQiYMS38tS', 'uxjvrYaAM1okWt3r2WV930uiBi', '_5tnbXy7KCwX4Q0gToPZK5Hx9h9', 'kFc8o3QG5lEqswQDaulholu0z4', 'nDwUZxUoLoII7NnxtAegToyTjy', 'fWo08S8ROrOcbRLfn78U2ZYTED', 'TJbvllUdEJV2xqcRQt0BGAMsWD', 'bjftBidTyaRZhAraXSu114o6Sd'

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7364, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 13D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 8090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 9090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 9250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: A250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 1620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 3200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Code function: 0_2_052D4340 rdtsc

0_2_052D4340

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Window / User API: threadDelayed 8954	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Window / User API: threadDelayed 889	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5846	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3929	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7616	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2007	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8362	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1200	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7819
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1860

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 8064	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 8016	Thread sleep count: 8954 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 8016	Thread sleep count: 889 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3380	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1824	Thread sleep count: 8362 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1824	Thread sleep count: 1200 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1472	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep count: 7819 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep count: 1860 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8052	Thread sleep time: -5534023222112862s >= -30000s

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3738501808.0000000001364000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Code function: 0_2_052D4340 rdtsc

0_2_052D4340

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3746004817.0000000003370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3746004817.0000000003370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3746004817.0000000003370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3746004817.0000000003370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3746004817.0000000003370000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3763870035.0000000006617000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3733612223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3746004817.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7600, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 6.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6fe74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2e6685c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.2deb2b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3733612223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3746004817.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7600, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	12 Process Injection	1 Masquerading	OS Credential Dumping	241 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	29%	ReversingLabs	Win32.Trojan.CrypterX
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	29%	ReversingLabs	Win32.Trojan.CrypterX

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
104.250.180.178	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000B.00000002.1334474378.00000000055EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1382761393.000000000602B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1431034891.000000000550B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000B.00000002.1324717162.00000000046D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1371910805.0000000005116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1412810062.00000000045F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000B.00000002.1324717162.0000000004581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1371910805.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1412810062.00000000044A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1481975927.0000000004B11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000B.00000002.1324717162.00000000046D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1371910805.0000000005116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1412810062.00000000045F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.1334474378.00000000055EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1382761393.000000000602B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1431034891.000000000550B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 0000000B.00000002.1340954600.0000000007F3E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000013.00000002.1504570907.0000000005B78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000006.00000002.3746004817.0000000003201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1324717162.0000000004581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1371910805.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1412810062.00000000044A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1481975927.0000000004B11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000013.00000002.1481975927.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519259
Start date and time:	2024-09-26 09:21:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe renamed because original name is a hash value
Original Sample Name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO66158152 WKH2406122.scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/24@0/1
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 313 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.76, 40.126.32.72, 20.190.160.17, 20.190.160.22, 40.126.32.134, 40.126.32.133, 40.126.32.74, 20.190.160.14
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target powershell.exe, PID 5816 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
03:22:01	API Interceptor	7352992x Sleep call for process: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe modified
03:22:06	API Interceptor	46x Sleep call for process: powershell.exe modified
09:22:31	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.250.180.178	BNE400266900B - RLS SO# W317pdf.scr.exe	Get hash	malicious	Remcos	Browse
	BNE400266900A - BL NO.BNE400266900.pdf.scr.exe	Get hash	malicious	XWorm	Browse
	(Draft) - SO# L539-SE2409060 Cut off #Uff19-15 - CHR# 487700191.scr.exe	Get hash	malicious	Remcos	Browse
	SEA - SO#L539 (SO+INV+PKG+ISF+VGM).scr.exe	Get hash	malicious	XWorm	Browse
	rSO3315RCOHBLKHRTMP249013CO240913.pdf.scr.exe	Get hash	malicious	Remcos	Browse
	rBLNO.KHRTMP249013-SINGAPOREEXPRESSV.002W.scr.exe	Get hash	malicious	XWorm	Browse
	SO#5087 (SO+INV+PKG+ISF+VGM) #U8acb#U67e5#U6536.scr.exe	Get hash	malicious	Remcos	Browse
	BOOKING CLS 817 by SEA - CFS FM KHH TO FL (#U6cf0#U967d).scr.exe	Get hash	malicious	XWorm	Browse
	A_N-#U555f#U7881-TSNCNC17066-0721-LCL..scr.exe	Get hash	malicious	Remcos	Browse
	HBLTSNCNC17066 +Arrival Notice#U6d77#U904b - WAN HAI 271S216.scr.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	91.202.233.158
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	91.202.233.158
	SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf	Get hash	malicious	Unknown	Browse	158.46.140.169
	BNE400266900B - RLS SO# W317pdf.scr.exe	Get hash	malicious	Remcos	Browse	104.250.180.178
	BNE400266900A - BL NO.BNE400266900.pdf.scr.exe	Get hash	malicious	XWorm	Browse	104.250.180.178
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	91.202.233.158
	aL8prAD2gL.js	Get hash	malicious	XWorm	Browse	82.102.27.171
	Ref_5010_103.exe	Get hash	malicious	AgentTesla	Browse	172.86.66.70
	Ship_Doc_18505.exe	Get hash	malicious	AgentTesla	Browse	172.86.66.70
	hH9yCaIS6n.exe	Get hash	malicious	Unknown	Browse	172.86.67.251

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Sep 26 07:26:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	368361
Entropy (8bit):	3.597067970603058
Encrypted:	false
SSDEEP:	3072:CWR/HmIhmQc5VSIAXDc4uEqRyycLTg6bUUTxnf8tngxFEif:CWR/HmTXWc4gy7Tg6Fnf8e/
MD5:	53FBA36ACC49FB84837FEFE3D3488D90
SHA1:	9C391C63ADD58DD54EFEE5E8D89E2C0C7A8636F8
SHA-256:	333CE6C6CC66B979F2940723EB271410B071F6E5132D2938ABA7E91901585294
SHA-512:	14A7EA5A29FC158C3D1F88DC884F198695BD3F8264553BA3E37199476E2263FCD886C78E7DBF0D6CE93D6B770A65634579DEB18B38DCC4E149DE81F2EA2C2C47
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............d............&..x.......$...L1......4-...u..........`.......8...........T...........pT..yJ..........p1..........\3..............................................................................eJ.......3......GenuineIntel............T..............f....}........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64C1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6554
Entropy (8bit):	3.7456114102341713
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbQCR6f31YZBEAQE/Dzf5aM4Up89bwWsfFQm:R6l7wVeJQCR6/1YZCAtprp89bwWsfFQm
MD5:	1B2DC7FCFF47FDC8945A62B5AE8FEC1A
SHA1:	1DE7D796339C956AD5C34260F77D8B3266ACBE60
SHA-256:	587390189C5CA9A80D6429840173DCAEA661175E8238E789182EB76AD52A7DB8
SHA-512:	A77C73CBA219678478CFFFF6EDA0395183B548A43EA41CB8D7E17A92C2770D18232941F96735AFD1CE8C19D830B76A6A2EA296156BEA6E32A5F16D795DAC6FC4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6510.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4945
Entropy (8bit):	4.612716542135797
Encrypted:	false
SSDEEP:	48:cvIwWl8zsgJg77aI9HUWpW8VYjaYm8M4JgHpFT+q8v6HYo0xxW+d:uIjfmI79N7V+JAKAuxW+d
MD5:	6A114A07E69C30CA6E95431779889BF4
SHA1:	770AC5BF61EBE9DF68DD90F900E720B613A112B9
SHA-256:	49C037EDA82D31338ED714FE09B5B82841CBB7CCE4FCF39E767942666DFBDC50
SHA-512:	32DB8082B93CA349D8843CC550CD280D86770518E115FC7971B839DD27704532EB1A7777436C916E75FA01724B7BB5FBE71DF7210972E3808BEA63BB9BCA7B9A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="516868" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.log

Download File

Process:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379389566227414
Encrypted:	false
SSDEEP:	48:+WSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZS50Uyus:+LHxvCZfIfSKRHmOugg1s
MD5:	2A76DCDECA6BD646AEFB06D3BC0B1933
SHA1:	74E41F89A711431D84EE71B467541857DBF79BC5
SHA-256:	BCA846354B6564509C7922DE61F0F12C6B13A21DC82E84FA5E46CFB46248A759
SHA-512:	404AFD866C51902B225D9E735EAA126F940039AD815D7F50EF38965ADD3F6AAE5BF004DCD1953E813B7B94B0FAA09FAB26EC0A56C099CAB9D8A3059417540989
Malicious:	false
Preview:	@...e...............................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0k3srmay.njf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2kjh2l1s.oq1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3sgbyx4z.na4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xmbsoyw.evx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b3k35ztk.tpn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccpktzlr.d4q.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_flyghtq1.x2t.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikzmqees.beb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3nwbpja.nqc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nbfhnphb.hh1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_secaqxsi.gvo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t2n5vvuf.dz5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vgyfj0rh.ays.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vukss2gq.2sc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vywkdah3.ars.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnv41itx.bec.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 26 06:22:28 2024, mtime=Thu Sep 26 06:22:28 2024, atime=Thu Sep 26 06:22:28 2024, length=489984, window=hide
Category:	dropped
Size (bytes):	763
Entropy (8bit):	5.1156980596454655
Encrypted:	false
SSDEEP:	12:8W124t4KqkJYChklZY//A1R0LnKMjAszvUzNHkunzAjDAjVmV:8WptfWJS4bWnnAsbrazA45m
MD5:	AF31C63F1094DCF141C40897CFB169F2
SHA1:	CBCD7A572E037FC6CD55001E218341BCC3F84BFC
SHA-256:	10EDD054252ABFCB4FE68B0A152757D8B5607B5BD7A69B07C2DC79472AC0E694
SHA-512:	62C16ECC4935B4BF7C28822D47098AEF642E12C61D89C2ACDF50F8090656CF2FFC91A9ADB3F21AB12D818869ED47FE62380C8495FB77789DEC139141DF292C32
Malicious:	false
Preview:	L..................F.... ............................z......................v.:..DG..Yr?.D..U..k0.&...&.........5q...........u..........t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N:Y.:...........................c..A.p.p.D.a.t.a...B.V.1.....:Y.:..Roaming.@......EW)N:Y.:..............................R.o.a.m.i.n.g.....b.2..z..:Y.: .XClient.exe.H......:Y.::Y.:...........................`..X.C.l.i.e.n.t...e.x.e.......X...............-.......W.............8T.....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......610930...........hT..CrF.f4... .....{...+...E...hT..CrF.f4... .....{...+...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	489984
Entropy (8bit):	7.7964274729429315
Encrypted:	false
SSDEEP:	12288:1Ar++/Rmf4Sh/odd2eFy+Ktdb/eR0LyhYiJdtTJ4:1s++pmfMjfs/c0LJ
MD5:	6D11EDAA5AB6A54DB22F5C4EC1A8FCB3
SHA1:	0BCA6FB453F9D5B7CF8E04164F5FA632C3CE1E90
SHA-256:	2F89944E9E1A59602A6D50E917C092E30467F83E312BB1BCC5E758109766CD94
SHA-512:	3A7258534E7D5F73AEA0D2655F9C094717DB50309AE7514EAF2AA27E0D90E41BB3C357DB72F4C4BAAC97C92FE92E2273077BD9DB323F4158432582C511CAA2FA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..f..............0..T...$.......s... ........@.. ....................................@.................................ls..O........ ........................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc.... ......."...V..............@..@.reloc...............x..............@..B.................s......H........Y..\5..........,...@............................................0..\|........(..........(....}......{....(....}........(....}........(....}........(....}........(....}........(....}........(....}.....0..!..........(.... l...Y m...Z..(....X.+......0..m........s....}..... ....}.....#......cA}..... .ig.}.....#......c.}..... .'....s....}........s....}......}......}.....(.......(.......8..........>...%..,.o....s.......{.....{....(....}......{.....{....( ...}......{.....{

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7964274729429315
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File size:	489'984 bytes
MD5:	6d11edaa5ab6a54db22f5c4ec1a8fcb3
SHA1:	0bca6fb453f9d5b7cf8e04164f5fa632c3ce1e90
SHA256:	2f89944e9e1a59602a6d50e917c092e30467f83e312bb1bcc5e758109766cd94
SHA512:	3a7258534e7d5f73aea0d2655f9c094717db50309ae7514eaf2aa27e0d90e41bb3c357db72f4c4baac97c92fe92e2273077bd9db323f4158432582c511caa2fa
SSDEEP:	12288:1Ar++/Rmf4Sh/odd2eFy+Ktdb/eR0LyhYiJdtTJ4:1s++pmfMjfs/c0LJ
TLSH:	A7A401541266DB27C09A2FF6A654E1F423B95ECEA912D3074FD33CFBB9AAB101240357
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..f..............0..T...$.......s... ........@.. ....................................@................................

File Icon


Icon Hash:	1e77fe7273f0311e

Static PE Info

General

Entrypoint:	0x4773be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F4E226 [Thu Sep 26 04:25:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7736c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x78000	0x20ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x753c4	0x75400	f8a7b8e07bd5c0f5fdaf2caf07368ec5	False	0.8869561234008528	data	7.805156176612846	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x78000	0x20ac	0x2200	3516f89317c2392120e7b3430be5be04	False	0.8967141544117647	data	7.49799635316667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	ce36e2320cbfad1d10653a24eb78d8b1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x780c8	0x1cbb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.996057104010877
RT_GROUP_ICON	0x79d94	0x14	data	1.05
RT_VERSION	0x79db8	0x2f0	SysEx File - IDP	0.4454787234042553

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T09:22:32.783291+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:22:32.783291+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:22:43.530520+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:22:44.012487+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:22:44.014287+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:22:57.230682+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:22:57.234361+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:02.805269+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:02.805269+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:10.320889+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:10.322834+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:23.560667+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:23.563636+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:32.790905+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:32.790905+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:36.800386+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:36.802812+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:37.900521+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:37.902799+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:39.032515+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:39.034721+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:39.651018+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:39.652574+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:44.620356+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:44.626799+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:44.850321+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:44.854840+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:49.640421+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:49.642049+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:55.250511+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:55.253159+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:55.491159+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:55.492630+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:23:55.724106+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:23:55.733169+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:02.812647+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:02.812647+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:05.491071+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:05.495019+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:05.750760+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:05.800927+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:06.011509+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:06.022050+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:06.029228+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:07.020757+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:07.022567+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:07.251001+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:07.252620+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:07.770725+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:07.772413+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:09.972584+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:09.974145+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:10.821402+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:10.823335+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:12.403436+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:12.726025+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:12.727522+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:12.960767+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:12.962219+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:13.199280+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:13.204303+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:13.433178+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:15.670702+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:15.674314+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:18.870678+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:18.872336+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:23.449464+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:23.453192+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:28.740847+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:28.743443+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:29.020724+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:29.022275+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:29.345111+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:32.791436+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:32.791436+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:33.011621+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:33.011621+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:38.030595+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:38.033293+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:39.130548+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:39.132055+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:39.360992+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:39.362471+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:39.602746+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:41.591124+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:41.593010+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:43.450419+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:43.452477+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:44.500898+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:44.503166+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:44.730729+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:44.732890+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:54.790200+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:54.792395+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:55.020531+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:55.022087+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:24:55.250624+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:24:55.257227+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:02.791005+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:02.791005+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:04.370509+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:04.375782+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:05.130408+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:05.131991+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:08.570538+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:08.572130+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:10.480479+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:10.482476+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:11.090257+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:11.092370+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:11.373530+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:24.380938+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:24.383453+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:25.850618+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:25.852272+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:26.560874+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:26.562807+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:26.880656+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:26.885209+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:31.900871+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:31.902358+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:32.350842+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:32.352994+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:32.821188+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:32.821188+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:35.710261+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:35.711931+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:37.210695+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:37.212602+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:47.510456+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:47.514012+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:47.750518+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:47.757939+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:57.755617+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:57.757651+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:57.991233+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:25:57.992775+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:58.488645+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:25:58.490689+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:26:02.811847+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:26:02.811847+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:26:03.110308+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:26:03.111779+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:26:03.395532+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP
2024-09-26T09:26:03.398723+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.10	49716	104.250.180.178	7061	TCP
2024-09-26T09:26:08.410711+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.10	49716	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:22:30.144624949 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:22:30.150614023 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:22:30.150842905 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:22:30.305445910 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:22:30.310492992 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:22:32.783291101 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:22:32.825113058 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:22:43.530519962 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:22:43.535583973 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:22:44.012486935 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:22:44.014286995 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:22:44.019061089 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:22:56.763039112 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:22:56.882837057 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:22:57.230681896 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:22:57.234360933 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:22:57.239320993 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:02.805269003 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:02.856170893 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:09.997170925 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:10.002216101 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:10.320888996 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:10.322834015 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:10.329763889 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:23.232076883 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:23.236958027 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:23.560667038 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:23.563636065 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:23.568572998 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:32.790904999 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:32.840599060 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:36.465818882 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:36.470789909 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:36.800385952 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:36.802812099 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:36.807710886 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:37.575155973 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:37.580091953 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:37.900521040 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:37.902798891 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:37.907685041 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:38.512814999 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:38.517859936 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:39.032515049 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:39.034720898 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:39.039570093 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:39.090889931 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:39.095796108 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:39.651017904 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:39.652574062 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:39.657433033 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:44.262861967 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:44.268537045 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:44.403305054 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:44.408480883 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:44.620356083 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:44.626799107 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:44.631835938 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:44.850321054 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:44.854840040 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:44.859680891 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:49.293956995 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:49.298825979 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:49.640420914 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:49.642049074 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:49.647042990 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:54.887779951 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:54.892709970 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:54.935010910 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:54.939824104 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:55.109164000 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:55.114145041 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:55.250510931 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:55.253159046 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:55.257997990 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:55.491158962 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:55.492630005 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:55.497543097 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:55.724106073 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:23:55.733169079 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:23:55.738243103 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:02.812647104 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:02.856232882 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.059921980 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.065021992 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.075378895 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.080306053 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.091000080 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.095779896 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.122009993 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.127574921 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.137737989 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.142642021 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.169171095 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.174209118 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.341171980 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.346138954 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.491070986 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.495018959 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.499919891 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.750760078 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.797167063 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.800926924 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:05.805835009 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:05.982894897 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:06.011508942 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:06.016673088 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:06.016782045 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:06.021600008 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:06.022049904 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:06.027262926 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:06.029227972 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:06.034279108 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:06.684904099 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:06.689990044 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:06.747159958 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:06.752895117 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:07.020756960 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:07.022567034 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:07.027405977 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:07.251000881 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:07.252619982 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:07.257956028 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:07.296212912 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:07.302150965 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:07.770725012 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:07.772413015 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:07.777313948 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:09.653537035 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:09.658849955 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:09.972584009 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:09.974144936 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:09.982076883 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:10.497430086 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:10.502402067 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:10.821402073 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:10.823334932 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:10.828439951 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.403435946 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.408322096 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.575629950 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.580579042 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.590852976 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.595743895 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.606597900 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.611552000 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.700391054 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.705260992 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.715970039 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.720743895 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.726025105 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.727521896 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.779635906 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.779704094 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.785181999 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.794354916 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.799962997 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.960767031 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:12.962219000 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:12.967032909 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:13.190399885 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:13.199280024 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:13.204077005 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:13.204303026 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:13.209176064 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:13.430243969 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:13.433177948 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:13.438051939 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:13.438599110 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:13.443506002 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:15.340878010 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:15.345918894 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:15.670701981 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:15.674314022 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:15.679368019 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:18.544038057 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:18.549145937 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:18.870677948 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:18.872335911 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:18.877593040 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:23.044342995 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:23.049377918 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:23.449464083 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:23.453191996 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:23.458163977 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:28.372245073 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:28.377530098 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:28.466037989 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:28.472275972 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:28.481520891 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:28.486538887 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:28.497064114 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:28.503668070 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:28.512733936 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:28.519207001 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:28.544131994 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:28.549652100 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:28.740847111 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:28.743443012 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:28.748364925 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:29.020724058 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:29.022274971 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:29.027158976 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:29.340816975 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:29.345110893 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:29.350079060 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:29.350162983 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:29.355077028 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:32.791435957 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:33.011620998 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:33.011704922 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:37.591080904 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:37.709840059 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:38.030595064 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:38.033293009 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:38.038197041 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:38.809700012 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:38.814769983 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:38.841001034 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:38.846232891 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:38.872447014 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:38.877424955 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:38.919143915 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:38.924220085 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:38.950397015 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:38.955362082 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:38.981592894 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:38.986709118 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:39.130548000 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:39.132055044 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:39.137033939 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:39.360991955 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:39.362471104 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:39.368691921 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:39.600989103 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:39.602746010 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:39.608340979 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:39.609209061 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:39.614283085 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:41.265193939 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:41.270147085 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:41.591124058 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:41.593009949 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:41.597918987 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:43.090917110 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:43.095848083 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:43.450418949 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:43.452476978 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:43.457787991 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:44.169327021 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:44.175693035 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:44.200366020 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:44.205295086 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:44.500897884 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:44.503165960 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:44.508101940 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:44.730729103 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:44.732889891 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:44.738022089 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:54.387841940 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:54.473149061 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:54.473268986 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:54.482944012 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:54.790199995 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:54.792395115 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:54.799637079 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:55.020530939 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:55.022087097 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:55.026880980 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:55.250623941 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:24:55.257226944 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:24:55.262177944 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:02.791004896 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:02.840670109 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:04.029045105 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:04.034213066 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:04.370508909 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:04.375782013 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:04.380717993 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:04.809813976 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:04.814734936 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:05.130408049 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:05.131990910 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:05.136882067 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:08.247214079 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:08.252265930 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:08.570538044 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:08.572129965 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:08.577033043 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:10.063514948 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:10.144221067 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:10.480479002 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:10.482475996 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:10.488332987 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:10.606705904 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:10.611730099 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:10.686681032 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:10.691595078 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:10.716214895 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:10.721141100 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:10.731801987 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:10.736629009 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:10.747663021 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:10.752511978 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:11.090256929 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:11.092370033 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:11.097224951 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:11.369995117 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:11.373529911 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:11.378391981 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:11.381274939 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:11.386082888 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:23.981599092 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:23.986510038 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:24.380938053 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:24.383452892 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:24.388384104 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:25.497355938 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:25.502418041 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:25.850617886 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:25.852272034 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:25.857112885 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:25.981741905 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:25.986715078 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:26.281219959 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:26.286473036 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:26.560873985 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:26.562807083 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:26.567756891 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:26.880656004 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:26.885209084 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:26.890099049 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:31.387831926 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:31.392942905 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:31.512860060 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:31.518188000 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:31.900871038 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:31.902358055 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:31.908118010 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:32.350841999 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:32.352993965 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:32.357887983 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:32.821187973 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:32.875271082 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:35.372235060 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:35.377274990 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:35.710261106 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:35.711930990 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:35.716753960 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:36.841114998 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:36.846198082 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:37.210695028 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:37.212601900 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:37.217464924 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:47.184833050 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:47.189713955 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:47.294178963 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:47.299057961 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:47.510456085 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:47.514012098 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:47.518866062 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:47.750518084 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:47.757939100 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:47.774178982 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.419207096 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.425982952 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.434868097 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.439745903 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.450443029 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.455459118 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.466084957 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.471040964 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.481698990 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.486623049 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.497354031 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.502374887 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.637847900 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.643069983 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.669133902 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.674333096 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.684787989 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.689734936 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.700593948 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.705914021 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.716084003 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.721020937 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.755616903 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.757651091 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:57.803626060 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.991233110 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:57.992774963 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:58.000684023 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:58.486980915 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:58.487037897 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:58.487113953 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:58.488645077 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:58.490533113 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:58.490689039 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:58.494957924 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:58.495069027 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:58.497185946 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:58.501010895 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:25:58.501168966 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:25:58.507144928 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:02.778466940 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:26:02.783663034 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:02.794043064 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:26:02.799000978 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:02.811846972 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:02.856340885 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:26:03.110307932 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:03.111778975 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:26:03.163471937 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:03.395531893 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:03.398722887 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:26:03.403628111 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:08.079396009 CEST	49716	7061	192.168.2.10	104.250.180.178
Sep 26, 2024 09:26:08.084455967 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:08.410711050 CEST	7061	49716	104.250.180.178	192.168.2.10
Sep 26, 2024 09:26:08.465694904 CEST	49716	7061	192.168.2.10	104.250.180.178

Target ID:	0
Start time:	03:22:01
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Imagebase:	0x9e0000
File size:	489'984 bytes
MD5 hash:	6D11EDAA5AB6A54DB22F5C4EC1A8FCB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1268908735.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:22:02
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Imagebase:	0x280000
File size:	489'984 bytes
MD5 hash:	6D11EDAA5AB6A54DB22F5C4EC1A8FCB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:22:02
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Imagebase:	0xd80000
File size:	489'984 bytes
MD5 hash:	6D11EDAA5AB6A54DB22F5C4EC1A8FCB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000002.3733612223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.3733612223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000002.3746004817.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:22:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Imagebase:	0x140000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:22:05
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:22:09
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Imagebase:	0x140000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:22:10
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:22:14
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x140000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:22:14
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:22:20
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x140000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:22:20
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:26:07
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 2028
Imagebase:	0x850000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exePID: 7364, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	71
Total number of Limit Nodes:	4

Executed Functions

Function 052D55D0 Relevance: 2.6, Strings: 1, Instructions: 1376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$2q, xrefs: 052D7C30

Memory Dump Source

Source File: 00000000.00000002.1270450135.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID: $2q
API String ID: 0-3731487377
Opcode ID: 945803d22d0f79a464ae3fd2fd9287e306f050239c1884e1c5b240ed842cda2c
Instruction ID: 9f292815960d95427c35bd56f1c922f009b0b2ea5a8c13cf75e5c86eb54a9be5
Opcode Fuzzy Hash: 945803d22d0f79a464ae3fd2fd9287e306f050239c1884e1c5b240ed842cda2c
Instruction Fuzzy Hash: 8DE2C534A1171ACFDB54EB64C888BA9B7B1FF89300F5186E9D5096B361DB70AE85CF40

Function 052D55F4 Relevance: 2.6, Strings: 1, Instructions: 1362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$2q, xrefs: 052D7C30

Memory Dump Source

Source File: 00000000.00000002.1270450135.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID: $2q
API String ID: 0-3731487377
Opcode ID: 406379b4e1bf242e02144cc79c015f0c9992b932e983bd8a85e31aa33d90242e
Instruction ID: 2d836333398f8bce6b95ee0b9b8fad101b51cae85cc1508fb2a3e019cb291dae
Opcode Fuzzy Hash: 406379b4e1bf242e02144cc79c015f0c9992b932e983bd8a85e31aa33d90242e
Instruction Fuzzy Hash: D6E2C534A1171ACFDB54EB64C888BA9B7B1FF89300F5186E9D5096B361DB70AE85CF40

Function 052D7BD0 Relevance: 2.6, Strings: 1, Instructions: 1358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$2q, xrefs: 052D7C30

Memory Dump Source

Source File: 00000000.00000002.1270450135.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID: $2q
API String ID: 0-3731487377
Opcode ID: 5e36a2aacf9ba13ba55353e47dc9d33f69dffbc8d6f035e97431bba8f30a2350
Instruction ID: 9f955d1dca0d671afa4f2218106ea40e41b4130e1974f3878f787c77364f947d
Opcode Fuzzy Hash: 5e36a2aacf9ba13ba55353e47dc9d33f69dffbc8d6f035e97431bba8f30a2350
Instruction Fuzzy Hash: 8CE2C534A1171ACFDB54EB64C888BA9B7B1FF89300F5186E9D5096B361DB70AE85CF40

Function 013D590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013D59C9

Memory Dump Source

Source File: 00000000.00000002.1268640320.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a8b1c3b5ea98289a54900f7e5299d8ed3a6df6d31d78fd7c118a2972ee639778
Instruction ID: 1960257f55b1f0169f5b14bed8dafbab995680b85e0794c5c0aecf192645ad86
Opcode Fuzzy Hash: a8b1c3b5ea98289a54900f7e5299d8ed3a6df6d31d78fd7c118a2972ee639778
Instruction Fuzzy Hash: 6541D2B1C01719CBEB24CFA9D884BDDBBB5FF49308F60816AD408AB251DBB56946CF50

Function 013D4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013D59C9

Memory Dump Source

Source File: 00000000.00000002.1268640320.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1c0b8f2219c5d73f057f19dee13b0ec36333d2925fa1cde51588368b2bced8ca
Instruction ID: 3fdf844ed3d4b2222717f0d95ae9b67545f09ed6a338e6447512eb84ba99cc5b
Opcode Fuzzy Hash: 1c0b8f2219c5d73f057f19dee13b0ec36333d2925fa1cde51588368b2bced8ca
Instruction Fuzzy Hash: 9D41D1B1C0071DCBEB24DFA9C884B9DBBB5FF49308F60806AD408AB251DBB56945CF90

Function 052D3FA0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052D4061

Memory Dump Source

Source File: 00000000.00000002.1270450135.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 719874fb124d67c7e51abc0c4907761ccdd6aa965bc9c49687483a4f10317618
Instruction ID: 3261aa954b9583c1287619b3861b95f4296baa7b65f606d5849dfee4bdf5ffcb
Opcode Fuzzy Hash: 719874fb124d67c7e51abc0c4907761ccdd6aa965bc9c49687483a4f10317618
Instruction Fuzzy Hash: B54136B5A10309CFCB14DF99C488AAAFBF5FF88314F248459D519AB321D3B5A841CFA0

Function 013DB348 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013DD346,?,?,?,?,?), ref: 013DD407

Memory Dump Source

Source File: 00000000.00000002.1268640320.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 182f4bdd7db746c4650457026649f36dc3b902971fcd60f3f394e187c5f01fa9
Instruction ID: e62780fc40def9b1aee7786379958ba1fe398defcf076108b3321c66b5ecde34
Opcode Fuzzy Hash: 182f4bdd7db746c4650457026649f36dc3b902971fcd60f3f394e187c5f01fa9
Instruction Fuzzy Hash: D121E5B5900348AFDB10CF9AE484AEEBBF4EB48310F14841AE914A7350D774A954CFA4

Function 013DD37A Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013DD346,?,?,?,?,?), ref: 013DD407

Memory Dump Source

Source File: 00000000.00000002.1268640320.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4bedb27194a35fcc05077407eeeeddb952d6b843cd280c35c3d484bd2ef1cdaf
Instruction ID: 822c136f6c72c3f8f34e684b556be1b6ac364abdbd907109e34a26d0569cb74f
Opcode Fuzzy Hash: 4bedb27194a35fcc05077407eeeeddb952d6b843cd280c35c3d484bd2ef1cdaf
Instruction Fuzzy Hash: A621E3B6D002599FDB10CFAAE585AEEBBF4EB48310F24841AE914A7350D378A945CF64

Function 013DB378 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013DB3DE

Memory Dump Source

Source File: 00000000.00000002.1268640320.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d591f1aebd41ea26e5f0b6a883a230e209bd706ea1d55d3fee1254f5afccd465
Instruction ID: 046a497cba9926f8ace73d63b1e096ae720858f99adba77dc6898770ff466e90
Opcode Fuzzy Hash: d591f1aebd41ea26e5f0b6a883a230e209bd706ea1d55d3fee1254f5afccd465
Instruction Fuzzy Hash: 30110FB6C002498FDB20CF9AD444BDEFBF4EB89314F14842AD829A7210C779A545CFA5

Function 0113D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268117458.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_113d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c498b9778eac2d9f9821358f906be7aefeff15784fe9313b95a20bd04119195
Instruction ID: 30129488f3d526216a06dec9bdeb89b5017f98b2c46f127ae6cd3f1e0bcf24ec
Opcode Fuzzy Hash: 5c498b9778eac2d9f9821358f906be7aefeff15784fe9313b95a20bd04119195
Instruction Fuzzy Hash: E52128B1504204DFDF09DF54E9C0B56BB65FBC4324F64C16DD90A0B65AC336E456CBA2

Function 0113D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268117458.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_113d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a93a30e08e5f6c6719217ecc2a387a618ed489ee0de45017fcff313151c705
Instruction ID: 759a234c370c00d32d7db094b441c08d8a986e282f684bf9341721d21baa279b
Opcode Fuzzy Hash: 14a93a30e08e5f6c6719217ecc2a387a618ed489ee0de45017fcff313151c705
Instruction Fuzzy Hash: 78210672504240DFDF19DF54E9C0B26BF75FBC4318F64C569E9050B29AC336D456CAA2

Function 0114D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268162802.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5496bf72698f5f27a53fb51f87f8bcf404628f17e987b5da56677eadfbf5ae59
Instruction ID: 91e53337b824111957f56a3927cb049511a4ea181aa12bc5fece09771612d354
Opcode Fuzzy Hash: 5496bf72698f5f27a53fb51f87f8bcf404628f17e987b5da56677eadfbf5ae59
Instruction Fuzzy Hash: 60212271604300DFDF19DF94E880B26BBA1EB94B14F24C5ADD80A0B246C33AD847CA62

Function 0114D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268162802.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_114d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d89edb741e0495b1569c390d92d77884bb4ffa742a16e873748095d6cc33216
Instruction ID: 817f5c12b894dadab8ea95b89449d1e9c9b00c0237390ff7abbee5f2d55c0391
Opcode Fuzzy Hash: 6d89edb741e0495b1569c390d92d77884bb4ffa742a16e873748095d6cc33216
Instruction Fuzzy Hash: AB219F755083809FCF07CF64D994B11BF71EB56614F28C5EAD8498F2A7C33A980ACB62

Function 0113D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268117458.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_113d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 9ab025fafda5f0c6e30de22b1eab0e944f93d71f8b367f6f0be27f087b9a055f
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: C111CD76404240CFDF16CF54E5C0B56BF71FB84224F2482A9D8490A65AC33AE456CBA2

Function 0113D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268117458.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_113d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 9ad5e8efe2b0b290873ac0fda653f45fedf457bf1c3f4fedf70b7f59b336c228
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: DC11AF76504280CFDF16CF54E5C4B16BF71FB84324F24C6A9D8490B65AC33AD556CBA2

Non-executed Functions

Function 052D0130 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270450135.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af587fa92f2c92d98218e8e5c3c5b275b0a38ee0613027c67df9d1432320ab2
Instruction ID: 85c5fec8c9785c79f04c1b3209fd2c03096a0a47725ab053d7d9c97274f3bc29
Opcode Fuzzy Hash: 1af587fa92f2c92d98218e8e5c3c5b275b0a38ee0613027c67df9d1432320ab2
Instruction Fuzzy Hash: 0212A6B9622745AAE730CF25F84E1993FB1BF45324F90E609E1651E2E1EFB8114ACF44

Function 013DDA4C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268640320.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9885ae7776ec474ae7e50cc9ab24e3f4d324daf162c3b4dfa237fdebd79bf9
Instruction ID: b064fb9492605067409c066924d85a02821ff209d86f6ff2684b90d3e0acba92
Opcode Fuzzy Hash: dd9885ae7776ec474ae7e50cc9ab24e3f4d324daf162c3b4dfa237fdebd79bf9
Instruction Fuzzy Hash: A2A1A336E0020ACFCF05DFB9E88459EBBB6FF85304B15856AE806BB255DB71D906CB40

Function 052D0120 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270450135.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae4ebf6575aabb9cd6f8fa60e277e3dfe6119627ee1d9982005c6f875541268
Instruction ID: 565fe1a21c81c88e7f589fd95ca29ac4d6b3463a45db5be8182528bed98781a4
Opcode Fuzzy Hash: 5ae4ebf6575aabb9cd6f8fa60e277e3dfe6119627ee1d9982005c6f875541268
Instruction Fuzzy Hash: 00C127B9A22745AAD720CF25F84E1993FB1BF85324F50E609E1656F2E0EFB4104ACF44

Function 052D4340 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270450135.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e078a3b9f50779cc34717b7de9cc6641335ed4ff0bba0943ec00347a8ddbb662
Instruction ID: 19ab8c27253c996c2ec0eed2328df1599119d3b6b4e624100421d70de0ae688c
Opcode Fuzzy Hash: e078a3b9f50779cc34717b7de9cc6641335ed4ff0bba0943ec00347a8ddbb662
Instruction Fuzzy Hash: 771116B1C146498FDB10DF9AD845BDEFBF4EF48320F14842AD858A3250D378A545CFA5

Analysis Process: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exePID: 7600, Parent PID: 7364COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Executed Functions

Function 0162B720 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0162B6EE,?,?,?,?,?), ref: 0162B7AF

Memory Dump Source

Source File: 00000006.00000002.3744617974.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1620000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0e6f4a6195aa9633730f7270cc8c6dcbe7b8f8073f3d68c5e96d8582fb1d3f2a
Instruction ID: 59b757cd1c1fb4f09e3aa6fd747b66f6de7fa7eee2542acb3445cbe81af03837
Opcode Fuzzy Hash: 0e6f4a6195aa9633730f7270cc8c6dcbe7b8f8073f3d68c5e96d8582fb1d3f2a
Instruction Fuzzy Hash: 842126B5900258DFDB10CFAAD884BEEBFF4EB48310F14841AE814A7350D375A944CFA5

Function 0162B0BC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0162B6EE,?,?,?,?,?), ref: 0162B7AF

Memory Dump Source

Source File: 00000006.00000002.3744617974.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1620000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0c849ebcd74855b6f2e60184bdebd91d1da7bb7e87d4a99e1abd2a2e85b54210
Instruction ID: 7b77cba640a434d5afe4f7af395437deba96dfd185afb0c0c949b22f2b33b2de
Opcode Fuzzy Hash: 0c849ebcd74855b6f2e60184bdebd91d1da7bb7e87d4a99e1abd2a2e85b54210
Instruction Fuzzy Hash: 3121E4B5D003189FDB10CF9AD884AEEFBF8EB48310F14841AE915A7350D375A940CFA4

Function 016262A0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01626323

Memory Dump Source

Source File: 00000006.00000002.3744617974.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1620000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6560a2b74697587debfd52c38f2e0eed4abed8544e375ef0049228309d33fa3f
Instruction ID: c83bdb8b53b52b808f44d8ab279c56ca026575dc85a76172e48f0de11c6f7cd5
Opcode Fuzzy Hash: 6560a2b74697587debfd52c38f2e0eed4abed8544e375ef0049228309d33fa3f
Instruction Fuzzy Hash: 08212375D002189FDB24DFAAD844BEEBBF5FB88310F108429E859A7250CB74A944CFA1

Function 016262A8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01626323

Memory Dump Source

Source File: 00000006.00000002.3744617974.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1620000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 1f3c87ebae48d70c230fda771a95a1c9e298e1865c4f2ab4a3bb35780f27752f
Instruction ID: f927ac17bfd3fc7266c08a6764e882af3489ad03b7e382cde3f2258257b234cd
Opcode Fuzzy Hash: 1f3c87ebae48d70c230fda771a95a1c9e298e1865c4f2ab4a3bb35780f27752f
Instruction Fuzzy Hash: BF211575D002199FDB14DF9AD844BEEBBF5FB88310F108429D819A7250C774A944CFA1

Function 015CD514 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3743969803.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15cd000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4686e84f9557253d7aa531a5b864f7bb844b0cebb7b78c534842b36864831616
Instruction ID: 6fc2f47ac83410dcacafb60d9febebfa8b8667b3a607fb26083e845dfcab8c4c
Opcode Fuzzy Hash: 4686e84f9557253d7aa531a5b864f7bb844b0cebb7b78c534842b36864831616
Instruction Fuzzy Hash: 482121B2504240DFDB15DF94C9C0B2ABBB1FB98718F24C57DE8098E246C33AD446CAE2

Function 015DD0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3744163693.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15dd000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e47767ef43cd10f9acf44a5246aff5a6d68358798c158088e50ed4bfe6af39b
Instruction ID: c61b30583e0e7080b90d8d7a23f4d57433945780b109eb569817e3abb686181a
Opcode Fuzzy Hash: 8e47767ef43cd10f9acf44a5246aff5a6d68358798c158088e50ed4bfe6af39b
Instruction Fuzzy Hash: 5F21F575504204EFDB25DFA8D980B2ABBB5FB84214F24C96DD8094F296C37AD446CB61

Function 015DD01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3744163693.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15dd000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76edbe9b4e74cc1a6f7a7086c7f9f2f45cb989ab95b1fcd46a02f1658ca4189c
Instruction ID: 5d09bee427e28669685b9c053c56f7b47816a589e5e11c27fad47d1b1a4a9059
Opcode Fuzzy Hash: 76edbe9b4e74cc1a6f7a7086c7f9f2f45cb989ab95b1fcd46a02f1658ca4189c
Instruction Fuzzy Hash: 7221DEB1604304DFDB25DF68C980B2ABBB5FBC4254F24C56DD90A4F292D27AD846CB62

Function 015DD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3744163693.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15dd000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0631af8d24933e1a5a852792d693920791774c6e35a9ffe9d83b86c055e9852b
Instruction ID: 7cc027699313476ed06733552016e9464b904d52165db681b892cb354dc172b0
Opcode Fuzzy Hash: 0631af8d24933e1a5a852792d693920791774c6e35a9ffe9d83b86c055e9852b
Instruction Fuzzy Hash: 7921A7755083849FD713CF68D984715BF71FB86214F28C1EAD8498F2A3D33A9846C762

Function 015CD50F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3743969803.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15cd000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: f724a61be6a7573ca023b11fadf5c21590945c070c542a8f52eaf4a6e7f5f909
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: FC11DF76404280CFCB12CF44D5C0B1ABF72FB94314F2481ADD8094F656C33AD456CBA1

Function 015DD0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3744163693.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15dd000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 6b9bd11a0bf3d78dda8104bc8b73bec437c4fd9894d6d4dc8ca5406e4e2b9c83
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 3D11BE75504244CFDB16CFA8D9C4B19BB71FB84214F24C6A9D8494F696C33AD44ACB51

Analysis Process: powershell.exePID: 8000, Parent PID: 7600COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 042AB488 Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29baae5411fe7d9386fb521185978dbdd49bea20959c348fa6dd37a75abd8728
Instruction ID: be702bf97fefdb99915bfb1d32d24b1983dd7f7df642255aa5391fa95a6346ad
Opcode Fuzzy Hash: 29baae5411fe7d9386fb521185978dbdd49bea20959c348fa6dd37a75abd8728
Instruction Fuzzy Hash: 43918EB1B407086FEB15DBB984105AEBBF3FF84700B40895CE566AB344DF34AA158BD6

Function 042AB498 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0edf9d9b6868f1549fbf51591b466f717c60f444c279c6787cfc55c75405f13
Instruction ID: 65d7091438927e21a65e93ce332a93984f1d6dae2cfa484061b67e16d056b985
Opcode Fuzzy Hash: a0edf9d9b6868f1549fbf51591b466f717c60f444c279c6787cfc55c75405f13
Instruction Fuzzy Hash: 2D918FB1B407086FEB15DBB984105AFBBE2FF84700B40895CE966AB340DF34B9058BD6

Function 083C6839 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 083C68A2

Memory Dump Source

Source File: 0000000B.00000002.1342320886.00000000083C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_83c0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: d308162a7a03a5613a38da68b5bacd8c3b18ee803fde68acc950ef8fa843d397
Instruction ID: 14207e30e8d5b330c03b2005e61254c6c98ec8d6ef507d834e14cba113fed293
Opcode Fuzzy Hash: d308162a7a03a5613a38da68b5bacd8c3b18ee803fde68acc950ef8fa843d397
Instruction Fuzzy Hash: 7F1116B59003488FDB10DF9AD945BDEFBF4EF89220F24846AD858A7210D774A984CFA1

Function 083C6840 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 083C68A2

Memory Dump Source

Source File: 0000000B.00000002.1342320886.00000000083C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_83c0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 0193b28033ca55559074cfd0471f5a825f9b30854eb811c6b6a71a9c9a8a7bd0
Instruction ID: 5cfdf0f00d171e254e4260508483e816b7fca7dc7b8df24c45a324ac2ca2c7b7
Opcode Fuzzy Hash: 0193b28033ca55559074cfd0471f5a825f9b30854eb811c6b6a71a9c9a8a7bd0
Instruction Fuzzy Hash: 2711F5B59003498FDB10DF9AD945BDEFBF8EF88220F248419D418A7310D774A944CFA5

Function 07252308 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1338658284.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a750b375d397d55278bef7876259c45d755b5377cdfd63903ed0c274ce5678f4
Instruction ID: e454338355e2dcf7845afa0455df9cfe43815e52d5a3657d390b622a1e371308
Opcode Fuzzy Hash: a750b375d397d55278bef7876259c45d755b5377cdfd63903ed0c274ce5678f4
Instruction Fuzzy Hash: ED2226F1B20206DFDB249F6884407AAB7F6BF85221F1480BAD845DB391DB75DD41CBA2

Function 07253CE8 Relevance: .6, Instructions: 589
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1338658284.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61abd42f8d70d0cf2a5812da44a236d4ca82724d0d635b0a0a2f6555d0cf2f39
Instruction ID: 97fba29c90b9b998f88f1d643315d0b3d766ecf88fdedd9519b30159a2995e58
Opcode Fuzzy Hash: 61abd42f8d70d0cf2a5812da44a236d4ca82724d0d635b0a0a2f6555d0cf2f39
Instruction Fuzzy Hash: C51259F1B203579FDB149B6898007AAB7A2DFC2255F24807AD905DF392DB31CD82C7A1

Function 042AE958 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b4b54227de86bd2895ff6d11255675232e180b548b1a2d15922f6d5ff3337a
Instruction ID: a7e5b2c5d4b0d7fe8908de039975a9296ea83647a09700df3a62b0dcbc2b413c
Opcode Fuzzy Hash: d2b4b54227de86bd2895ff6d11255675232e180b548b1a2d15922f6d5ff3337a
Instruction Fuzzy Hash: 2E917E74B202198FDB14DF69C55466EBBF6AF88710B258469E802EB350DF70EC42CB91

Function 042A29F0 Relevance: .2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7932404102148acc7f8de8ba8b60b8b52af1156dfe66e59e35468f74c7f239b5
Instruction ID: d851a520af1dd3e12c47dfd61e76921e990a2788fd7fedf14a9da2da7e8eda94
Opcode Fuzzy Hash: 7932404102148acc7f8de8ba8b60b8b52af1156dfe66e59e35468f74c7f239b5
Instruction Fuzzy Hash: 2C917A74A00605CFCB15CF59C494AAEFBB6FF88310B248599D915AB365C735FCA1CBA0

Function 042ABAB8 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e090182aa43a01d7da68be10c9feb43e5f21bca9d5d6c47c300ee716d66241
Instruction ID: d86595bc7f97c9d1e8c1046c021965b19711f0984046ccbfc574f9b5dff78a7a
Opcode Fuzzy Hash: 47e090182aa43a01d7da68be10c9feb43e5f21bca9d5d6c47c300ee716d66241
Instruction Fuzzy Hash: DC6159B1E012489FDB04CFA9D484B8DFFF2EF88310F14816AE919AB354EB74A845CB50

Function 042A7740 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb539168a26dc2ca3b7bf1d34cb76e7e37ad2b52145187420dcd72ddf75b65a2
Instruction ID: 824989f2f8fd0030573d538a8de5072a8ebd85955e7ff36edfc04b4673633e4c
Opcode Fuzzy Hash: bb539168a26dc2ca3b7bf1d34cb76e7e37ad2b52145187420dcd72ddf75b65a2
Instruction Fuzzy Hash: 4F51F230314206CFD704DB69DC44A6AB7EAFFC9314B1485AAE809CB352EB30EC01CBA1

Function 042ABAC8 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06a51d837f07cb2b6fece6b9c1eedfee5eb0ed8002cdbd694f0825cf7dd819c
Instruction ID: 06164d8c545612d2652e94d4c6f707c90485b04a9202d5d71ab555db58082ec9
Opcode Fuzzy Hash: c06a51d837f07cb2b6fece6b9c1eedfee5eb0ed8002cdbd694f0825cf7dd819c
Instruction Fuzzy Hash: B6613670E012089FDB14CFA9D584B8DFBF2EF88310F14812AE919AB354EB70AC41CB50

Function 042AE5C1 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28daf7723f120f154e3aff523f0d771539354c8602d138538705519b5196947
Instruction ID: eab41084b7d7b2e3596fc35704848faf99db54f782accb459a586c2e03d786b5
Opcode Fuzzy Hash: a28daf7723f120f154e3aff523f0d771539354c8602d138538705519b5196947
Instruction Fuzzy Hash: 02519FB4710306CFDB10EF68D484A6AB7E6EF8831474584A9D809CF795EB70EC528F91

Function 042AE5D0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac20f147835b102a4f90860fa9facb50fd13446e5963fbaa5b2140a676b48df
Instruction ID: 5bfce6b2deba8c6082af669c20ade9e91dd4ca089af4bb030667cd1a4b983f98
Opcode Fuzzy Hash: aac20f147835b102a4f90860fa9facb50fd13446e5963fbaa5b2140a676b48df
Instruction Fuzzy Hash: 5C416DB4B10306CFDB10EF6CC584A6AB7E6EF883447558469E809CF755EBB0EC528B91

Function 07253CCC Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1338658284.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7edef799b6fc0d61120a80d8e60dbbea79779273c04d90a4b63f44724d00f208
Instruction ID: 2cf06aa5c297350aa688a583c38c3b87ea9849fa89980f88f8cd45e4cb8838cb
Opcode Fuzzy Hash: 7edef799b6fc0d61120a80d8e60dbbea79779273c04d90a4b63f44724d00f208
Instruction Fuzzy Hash: 694122F0A312138BCB25CB24C5107AABBF29F81698F0594A9DD01AF3A3D731DD45C7A1

Function 042AE761 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720023b8d5782e632620c98f92add9f7917a0f987e0bc8e4b573405e9b50949d
Instruction ID: 3b800cc3b211de1662d1f50a63a5c29ff6fa059da44261945a08422bf6d3e873
Opcode Fuzzy Hash: 720023b8d5782e632620c98f92add9f7917a0f987e0bc8e4b573405e9b50949d
Instruction Fuzzy Hash: D741AD70B042499FDB04DFAAD89469DBBF2EF89300F0081A9D45AEB351CB746D45CF92

Function 042A6FE0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fc4933e77ed0e69342f2ddd00577a95745dbd143e38217e1d26b5002657998
Instruction ID: 27b8895a3394644d1b1edabc4dad6748f9112ae27e68b064cbe0ac3e428ec16f
Opcode Fuzzy Hash: c0fc4933e77ed0e69342f2ddd00577a95745dbd143e38217e1d26b5002657998
Instruction Fuzzy Hash: D4414B34B142058FDB14CFA5C498AA9BBF1EFCD311F144099D802AB391DB75EC41CB64

Function 042A6FB0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2732a6d5936d2d2188d47c4bae29f28aa1479cc46d134a02a1b3b4c44069b9cf
Instruction ID: e669d0033e64e6d1cc3759b9304fd91614b8e93eacc2e890a8d0cab596bb2a8c
Opcode Fuzzy Hash: 2732a6d5936d2d2188d47c4bae29f28aa1479cc46d134a02a1b3b4c44069b9cf
Instruction Fuzzy Hash: E5418C34B142458FCB05CFA4C858AA9BFF1EF8E314F1840A9D841AB3A2DB75EC41CB64

Function 042AE7B0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba332756efbcae131f6de9aa3225d36db29dc982c5def514f708458b4cc63d8
Instruction ID: 97d324759fdbc780390bd74f1d945b13134feb38307113cf08e624f3f5df09d6
Opcode Fuzzy Hash: 7ba332756efbcae131f6de9aa3225d36db29dc982c5def514f708458b4cc63d8
Instruction Fuzzy Hash: 4341AD74A002099FDB00DF6AD494A9DBBF2FF49304F148169E45AAB352DB74BC45CFA2

Function 042A2B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891e944a8673e574acbcdfaf5846b4db2a5e36cd71f56f55c463f2c4e92ca372
Instruction ID: 479358a7668eb939aa7c5b65b319c5e4130d566e8be8c232245c58e3cc7a4cad
Opcode Fuzzy Hash: 891e944a8673e574acbcdfaf5846b4db2a5e36cd71f56f55c463f2c4e92ca372
Instruction Fuzzy Hash: AD413874A10605DFCB09CF58C098AAAF7B6FF48310B118599D916AB364C732FCA1CFA0

Function 042AC390 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be06bea16203719969fd9e8573c3fce80f2e9159b28e9da87dd2c5c9ad5410a
Instruction ID: 39ded6391210003fa414a219a3cc39fbaf5c140ed30e9e0f0c1406c792119d18
Opcode Fuzzy Hash: 0be06bea16203719969fd9e8573c3fce80f2e9159b28e9da87dd2c5c9ad5410a
Instruction Fuzzy Hash: B231C0713017059FD708DB79E844B9EB7A6EFC9710F408229DA4ACB351DFB0A855CBA1

Function 042AAE68 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ac90909a82e314272898ffdafdebe4fca6c552efd6384495521507edff9b9c
Instruction ID: 799ea2b559e88fbefe70ae1aa91a234846965fcb82ca4ea930a3c5e01e3ce101
Opcode Fuzzy Hash: 48ac90909a82e314272898ffdafdebe4fca6c552efd6384495521507edff9b9c
Instruction Fuzzy Hash: 03314BB1B112099FDB08DFA9D4957AEBBF6AF89340F148029E805E7350EAB49C41CF91

Function 042AAD30 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f051ac600d7985799125b5f89396fc0453a74dd4c3ad4ab02ff5bad569aca520
Instruction ID: ab1b633347a8d4f3068ab1a69c1fc4d5ea8441e8c5688d08d1c3115b41817f93
Opcode Fuzzy Hash: f051ac600d7985799125b5f89396fc0453a74dd4c3ad4ab02ff5bad569aca520
Instruction Fuzzy Hash: 583172B4A002089FEB05DFA4D854AFE7BB2EF85300F118469D515AB395CF35AD41CFA1

Function 042AE168 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4e069f0dad8c21d2f307c90b3462af23bb20b8163757db0edd7630755aeca0
Instruction ID: 978ff77c8c6c8767973fe08a963c6434ae9616b9f110569bdf430a8851adb441
Opcode Fuzzy Hash: 8e4e069f0dad8c21d2f307c90b3462af23bb20b8163757db0edd7630755aeca0
Instruction Fuzzy Hash: DD315C74B002058FCB18DBA5D49869DBBF2EF8C354F144529D806EB390DB74AC82CB94

Function 042AAE78 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e7d06aa9c3428ed4787646d9e527ce76415bdb8308861b321528252edef3a4
Instruction ID: 1f738967122a352b3c3de221455d98441d29765fdb922cf7074f0fee709d61f5
Opcode Fuzzy Hash: 27e7d06aa9c3428ed4787646d9e527ce76415bdb8308861b321528252edef3a4
Instruction Fuzzy Hash: 12314C70F112099FDB08DFA9D4947AEBBF6AF89300F148029E805EB354EAB49C41CF90

Function 042AE7E0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9098715ba38961c95256e25548e253a932961fc14862b95e63c5fe4dc1ca5423
Instruction ID: 563371ddd6170b766c4894a3ea86fa13e9ac1667759e11da36c62d2dfbf99227
Opcode Fuzzy Hash: 9098715ba38961c95256e25548e253a932961fc14862b95e63c5fe4dc1ca5423
Instruction Fuzzy Hash: F3317A74A006099FCB14DF6AD494A9EBBF2FF88304F108529E816AB350CB74BC41CFA1

Function 042AAFA0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844d2f9c0af22ffe1a0865b57d1365b040dd04bf2280ecefd1d37ccceb4baa02
Instruction ID: 0746b5f8d32a39a9886601a4ff1d47b5bee92175216abfbcf2bcaef44a37565b
Opcode Fuzzy Hash: 844d2f9c0af22ffe1a0865b57d1365b040dd04bf2280ecefd1d37ccceb4baa02
Instruction Fuzzy Hash: 6F21DE71A043588FDB14DFAAD40079EBBF5EF89320F14842AD418E7340CB74A945CBE5

Function 042A93F8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3897e2c4bb39b1ad3483e495604c81823f3cb756a3876b4f68e6e946051dea
Instruction ID: c75452acf76231afb57c099fc7762a6d3daff702a1ff0edd0e153e0a5afbae8e
Opcode Fuzzy Hash: cc3897e2c4bb39b1ad3483e495604c81823f3cb756a3876b4f68e6e946051dea
Instruction Fuzzy Hash: CB3198B5A153048FDB60DF6AD0893DAFBF2EF88320F28C81ED85D97204D6746481CBA1

Function 042AE178 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920e38ce7e5d094e45f39490314935cf9a92223927d21a415fcd8dece1f39fd3
Instruction ID: 556b3d5eba7c0fe6f34f3f4b2a5732c7d9128ce6b5872e0749ccfd6ae6165948
Opcode Fuzzy Hash: 920e38ce7e5d094e45f39490314935cf9a92223927d21a415fcd8dece1f39fd3
Instruction Fuzzy Hash: EA310874B002158FCB18DFA9D59869EBBF6EF8C314F144569E806EB390DB74AC81CB94

Function 042AAD40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39387b33c2ce7195096ea296f95e0b52514806187298c54476f846aa19db370b
Instruction ID: 1e0c8fdfd2cf8c273c58d0e5db54f75179b10b9662b4257bf73ed6d9433b6f7c
Opcode Fuzzy Hash: 39387b33c2ce7195096ea296f95e0b52514806187298c54476f846aa19db370b
Instruction Fuzzy Hash: 903130B4A002089FEB04EFA4D894AEE77B2EF84704F118479D515AB395DF35AD41CF90

Function 07252700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1338658284.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3805775fd880f358404d166dd7e08c69cd02ef18ea77470db6849f7e73793b6b
Instruction ID: c5aafdb7e5a3cf901384a90941430286304ecb2c7ba3f4c53f6f7b7555f32210
Opcode Fuzzy Hash: 3805775fd880f358404d166dd7e08c69cd02ef18ea77470db6849f7e73793b6b
Instruction Fuzzy Hash: 78216BF5A30207DFDB20CFA9C584B6577E5BB45221F0480A6ED09AB290D774E984CBA1

Function 041BF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1323657029.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ceaec959edef128b2896fd93e1eacb81005dda298a0d1987533841c5213a292
Instruction ID: cd9abee0f6021153f25fa297a7a4f6e0f18356fb5c0215515dc57e3aae4ec2db
Opcode Fuzzy Hash: 6ceaec959edef128b2896fd93e1eacb81005dda298a0d1987533841c5213a292
Instruction Fuzzy Hash: 1421F476604300EFDB09DF10D9C0B66BB65FB88314F24C5ADE9898A256C336E457CBA1

Function 041BF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1323657029.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d222000f34ee7547c3f6fcc359bf59d7abf93c41e77cf75a25adcadf963585e
Instruction ID: 71ce18ec53a0e6a14d2a097ab8fa9c05e5b9b40b2d66340344923c0078a54568
Opcode Fuzzy Hash: 1d222000f34ee7547c3f6fcc359bf59d7abf93c41e77cf75a25adcadf963585e
Instruction Fuzzy Hash: A5213775604744DFDB14DF20CDC0B56BBA2EB84314F24C5ADDA4A8B256C336E447CAA1

Function 042A9408 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83bd747a566c4fa39a3b44afdca284dfe489ccb3595c739471b084c5aac2c379
Instruction ID: 67076fadc735b36c474628892d72533b1872a3975d6758d7aa06ba808c4dd29b
Opcode Fuzzy Hash: 83bd747a566c4fa39a3b44afdca284dfe489ccb3595c739471b084c5aac2c379
Instruction Fuzzy Hash: 772168B4A157448FEB60CF6AD4883CAFBF6EB88310F28C45ED85D97205D77464918B61

Function 042A767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1d8831aed2d49f831e86d809526e1cfbe39b38cf243ced8cdd22f65113644c
Instruction ID: 4284d2ed616cccca4456ebc0634c553683a97183a8e98039c51dd1eb6a08cc9c
Opcode Fuzzy Hash: 7d1d8831aed2d49f831e86d809526e1cfbe39b38cf243ced8cdd22f65113644c
Instruction Fuzzy Hash: F2112E36700119CFDB04DFA8D940ADE77F6EFC8625B0440A9E909DB751DB74EC518BA0

Function 042A2C70 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f991905ee90ff29ec3ca5a164fa18599e4949e20653b4d77fa520a779bd68d
Instruction ID: a863940ba5cbfb7ad270a5d341fb67897bbe179897d5f55c0cdc0190cb950ef9
Opcode Fuzzy Hash: 37f991905ee90ff29ec3ca5a164fa18599e4949e20653b4d77fa520a779bd68d
Instruction Fuzzy Hash: 9C11B1306093919FDB03DF68D8A06E9BF71EF46314B1581C7D4919B2A2C326AC69CB75

Function 041BF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1323657029.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction ID: 96ed415ec8bff47126f6fb458b1d79083bbd709b70177b0e13c0d6442696ba68
Opcode Fuzzy Hash: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction Fuzzy Hash: 8F218C76504240DFCB06CF10D9C4B56BF72FB88314F28C5A9D9498A656C33AD46ACB91

Function 042ADE81 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e192dd670f2965f1999d978a593c9cdd3bba70f3379d0a07d6958641912613
Instruction ID: ccb35561aafbbf1ef494f53f57835a30ba2b32bb294d34619005c32ee6010efa
Opcode Fuzzy Hash: a9e192dd670f2965f1999d978a593c9cdd3bba70f3379d0a07d6958641912613
Instruction Fuzzy Hash: 69014E72B302849BCF04D669E4054FE7BE3DBC8321B04806AD909D7752DE616C65CBA1

Function 041BF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1323657029.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction ID: bd217a38673d1ac5b35c1ad7b57b69b10032bfe1150e74f005e5a16a7d434f47
Opcode Fuzzy Hash: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction Fuzzy Hash: AC11D079504680CFCB11CF10D9C0B55FF72FB44314F28C6AAD9498B666C33AE44ACB91

Function 042ABCE8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6343ac8c9fc4c177ec0cc9ffe4f88d648a2ab1da7f6891c00d6a8ab5ecabe49
Instruction ID: 757de47b0565ce4d59b3391e3963fffafafda0389e64b31bd68eadfff3413b86
Opcode Fuzzy Hash: f6343ac8c9fc4c177ec0cc9ffe4f88d648a2ab1da7f6891c00d6a8ab5ecabe49
Instruction Fuzzy Hash: E90192317087859FD718DB76D498A9A7FE5EF45210F1484EED45AC76A2CB24FC45CB00

Function 042AE914 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96ecdff41f33464bbe7d34a29b99027510b76da00db9826b8d57f7ac5134a1f
Instruction ID: 74dc2b4fffffaf83a6df867f217dec76beaba3d249169540fb832ff6ef6e8b78
Opcode Fuzzy Hash: e96ecdff41f33464bbe7d34a29b99027510b76da00db9826b8d57f7ac5134a1f
Instruction Fuzzy Hash: AA0126627493C75FDB0242799C61695BFB6CF43124F4A02E7D484EB2A3E70C581BCB52

Function 042AE548 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af32ea4747a211964ac7ad3d55f533909394afb62f0183800bb394cc477fe15
Instruction ID: 67f43eadcd3b6f8758e5f87a617916f6d3f530b98681e2133fb2cb87e85f2ec0
Opcode Fuzzy Hash: 9af32ea4747a211964ac7ad3d55f533909394afb62f0183800bb394cc477fe15
Instruction Fuzzy Hash: 34110934204754CFC728DF75D084896BBF6EF8931572489ADD44A87BA0DB32F845CB50

Function 042AE040 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34e6db5a89254db3acb846ec114fe9ea2a2ff89ba22061e20348c6a10503f68
Instruction ID: 365526075b133e5b71fad16a6c9e986d51aa0bd4cdc80d1330e17b58f64c7891
Opcode Fuzzy Hash: e34e6db5a89254db3acb846ec114fe9ea2a2ff89ba22061e20348c6a10503f68
Instruction Fuzzy Hash: 90019235B01218CFCB159F75E808AAEBBF6FBC8315F004069E51AD3341DB35A912CB90

Function 042ABF18 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56fab7982f3c53a3106d165b3f080e5f9cbc2994933773bba8e62e9a916705d
Instruction ID: 070e6b7b38f5f96f2232a092be268e5d9ee25e314edb4be5d8cf47a25d2c0699
Opcode Fuzzy Hash: b56fab7982f3c53a3106d165b3f080e5f9cbc2994933773bba8e62e9a916705d
Instruction Fuzzy Hash: 13F0C8723093951FD7118A7A9C549777FEDDF86710704406BF944C7352CA70DD048B60

Function 041BD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1323657029.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5ca8fcfcced7e5bea7aec7ce7a307df5da241f9d0f108580e8511bb1fc6ce2
Instruction ID: ae5815d090efaf3c03c5851917c03cc301e22ea59a228c8ac7b3df8905cd958a
Opcode Fuzzy Hash: ca5ca8fcfcced7e5bea7aec7ce7a307df5da241f9d0f108580e8511bb1fc6ce2
Instruction Fuzzy Hash: BC01F771504B409BE7284E25F8C07E7BB98DF42224F18C45AED890B142D779A541CAF1

Function 041BD006 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1323657029.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236ec1a35a48d89e60a51ab5c3b96334a97888f09e4e17cf0665f1e4a1d03cd2
Instruction ID: 0c0b91d8510f54c0cecd65e41a2e3b9d3bde9e8e7c636fe071f2b2fd4e899075
Opcode Fuzzy Hash: 236ec1a35a48d89e60a51ab5c3b96334a97888f09e4e17cf0665f1e4a1d03cd2
Instruction Fuzzy Hash: CA01527140E7C05FD7168B25D894B92BFB4DF43224F1D85DBD8888F1A7C2699845CBB2

Function 042A7958 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a1e5e0418a088b420470492ee02266ed0a449381f94353ee612107346edfc4
Instruction ID: 2ab9bbac73a90e2b28bd2acb7a2e974d47fdcb5d2f5ac5471ae575e0b8f8346c
Opcode Fuzzy Hash: 18a1e5e0418a088b420470492ee02266ed0a449381f94353ee612107346edfc4
Instruction Fuzzy Hash: 56F028313097806FC7128775A84496FBFE5DF86621704095ED08AD7391CE745C95C7B1

Function 042ADE30 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3cd43570b75878afb5f8a48eb0da6827326f784c635a393094bb731bc5fb03
Instruction ID: 45a6c563a73c65d2636f99013eb646896d8fc4fc7a21f6b96c29b1d83ead3299
Opcode Fuzzy Hash: 2a3cd43570b75878afb5f8a48eb0da6827326f784c635a393094bb731bc5fb03
Instruction Fuzzy Hash: 48F0E2363257146B9711965EA8008EA7BABCEC6AB17004066E85DC7601DBA1BC25CBE2

Function 042A90E0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625cb807420e2c953f525e535277370bb6567fc3fda7776bb831d3d079b969a0
Instruction ID: db3a1456e54efa2586e8761f17d49dfdc2fe5a6243ad4840fc179a629c65ba11
Opcode Fuzzy Hash: 625cb807420e2c953f525e535277370bb6567fc3fda7776bb831d3d079b969a0
Instruction Fuzzy Hash: 16F04CB27052446FE3056B79C4143AB7FA2DFC1318F20805AD85947346CF393806DBE1

Function 041BD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1323657029.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79d8ea6e131bebcba42b99814dfe129c5cc755598b817f216802bff43049ed2
Instruction ID: fe6bf1fc38209ca889a7230255acb0b8b1355332ae8eabb57532d77abc95e263
Opcode Fuzzy Hash: b79d8ea6e131bebcba42b99814dfe129c5cc755598b817f216802bff43049ed2
Instruction Fuzzy Hash: F1F04976200600AF97248F0AD984C63FBADEFC4730319C09AE84A4B712C731FC41CEA0

Function 042A9160 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549ef083011d725922e27ac1a9a1c253b4a6823b91528a700a4676905b456aa2
Instruction ID: 5cbcb5141840eb73fe94c83f8777d4001a4c6c6441788e7e83ee284020b2ae59
Opcode Fuzzy Hash: 549ef083011d725922e27ac1a9a1c253b4a6823b91528a700a4676905b456aa2
Instruction Fuzzy Hash: 5CF089716053444FE7649B79D89C3D77FE5FB45310F00445AE54DC7682CB386885CB91

Function 042ADFE0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313bfb51f3716b29854cb2d395da66779d88d170241b2a55cbe38f0c3baf39b0
Instruction ID: eb0e777572afa8c62b14301b1936b50d0f139c7dd6b4e8cadbf690997bfd1998
Opcode Fuzzy Hash: 313bfb51f3716b29854cb2d395da66779d88d170241b2a55cbe38f0c3baf39b0
Instruction Fuzzy Hash: AEF082343552418FC3008F2DD494966BBF9DFCA75531910D9E585DBB32DA61EC52CB50

Function 042A7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5a425de0035400177f75b7e56460554e2b3a48a806523370e77fdb132b3b99
Instruction ID: ee7bdf8e87d2d59e079db7b2c7dc24800f142814b9605bfe653935764a474aad
Opcode Fuzzy Hash: cf5a425de0035400177f75b7e56460554e2b3a48a806523370e77fdb132b3b99
Instruction Fuzzy Hash: C2F02731300714AFDB109B59E844A6FB7E9EBC8671B00442DE50AC3340DF71BC9187E4

Function 042A8969 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b602cbdd5b043bc530c2a2309a72c2bd986c791e724b3e0c6d067c5aa232d835
Instruction ID: 9ffa7886bfabb689d7f3376cf7ee475a53de41a444594d7d6f1602afb3488bd4
Opcode Fuzzy Hash: b602cbdd5b043bc530c2a2309a72c2bd986c791e724b3e0c6d067c5aa232d835
Instruction Fuzzy Hash: 4BF0A77A3093585BD70A27B5A8182EE3F5AABC6624F04009BEA4587242CF695D0983E6

Function 041BD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1323657029.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f7f3bf82b022dbdf875cd24d94276aa7b46c55d78756cd2892274818d0cc84
Instruction ID: 9db69f8d18192c52154d22f3d9f7558af7ba906d5e643742283a1b53ad786b36
Opcode Fuzzy Hash: 55f7f3bf82b022dbdf875cd24d94276aa7b46c55d78756cd2892274818d0cc84
Instruction Fuzzy Hash: B9F01D75100640AFD725CF06CD85D63BBB9EF89724B198499E89A5B752C731FC42CFA0

Function 042A7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef672dbb34722d4c0a739dc2331b61a632f18b36abfac3028d59853c7699a151
Instruction ID: f5843d602394e82e726f0df6cb696dd412006fdf212ae459bdcf430df27eb982
Opcode Fuzzy Hash: ef672dbb34722d4c0a739dc2331b61a632f18b36abfac3028d59853c7699a151
Instruction Fuzzy Hash: C9F0A039300109CFDB10DB6CD840B9A77A6EFC8B517198168E909CB711DF74EC128FA0

Function 042A90F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293bd0656473660c37b36e9006b231a27916eb42bd6bc97c4fd66d41df8e7bf9
Instruction ID: 0bed27b23010a97a6e46605775313d97440e04da748ae18aec5b2c03ea5d6816
Opcode Fuzzy Hash: 293bd0656473660c37b36e9006b231a27916eb42bd6bc97c4fd66d41df8e7bf9
Instruction Fuzzy Hash: F4F0E2B1B001089BE344BB69C0553AB7B96DBC0318F20816ED91947384CE39380687D0

Function 042ADFF0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb9583f5b669f107436197a93661aa596401fef1d09e8274f39b4319aa3b95b
Instruction ID: 8e42abe17f5c9f38e3c32aee0eb321857effc677123a60d99e5113974d54edb0
Opcode Fuzzy Hash: 6cb9583f5b669f107436197a93661aa596401fef1d09e8274f39b4319aa3b95b
Instruction Fuzzy Hash: ABE06D353501118F83009B1DD448D26B7EAEFCE71131510A9E545DBB21CA61EC018B90

Function 042AEACE Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ec058f44275c51c6a533d4c4ba459b9ba017677d202c0d90ec52c5f0caab64
Instruction ID: 4c3cd379fbe6aeb4bb691037b80a20d2ff28b3e48ce36e76fabf970698451fe2
Opcode Fuzzy Hash: 63ec058f44275c51c6a533d4c4ba459b9ba017677d202c0d90ec52c5f0caab64
Instruction Fuzzy Hash: 2AF0BD39A12108DFCB04CB98E595D9CBBB2FF88311B158041F809A7311CB31ED11DB40

Function 042AAF90 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad6af1f1c329f4719a81d27d28509f9de942cd4c00ac744f74ff8b147fc3624
Instruction ID: 79e0c225e4e53253853a9fb0fc2deb4ce15969e412d0bae08fa231f8088cbece
Opcode Fuzzy Hash: 5ad6af1f1c329f4719a81d27d28509f9de942cd4c00ac744f74ff8b147fc3624
Instruction Fuzzy Hash: C2E0267231D3D21B8B1A812EA850062AFBBCAC372030C80BBE484CB247CD5A9C0587A1

Function 042A9551 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239492b0084fc32cc6555956ae90318681986fe3b39d695ab5b9ec23bef1e061
Instruction ID: b7d48ade6431408b3601b847f794c29c096ca36e45789b7fd5162ec5c05d4cad
Opcode Fuzzy Hash: 239492b0084fc32cc6555956ae90318681986fe3b39d695ab5b9ec23bef1e061
Instruction Fuzzy Hash: 97D02BA2B2221627155C31FE08416BB66CFCEC02D47000039DE0DD3300EC10FC1607E1

Function 042AF600 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bf99805408130cf560ef4c271c8e41302b46b2f96584694fadd2aa08c2d4ba
Instruction ID: f71f5b7a93eeb0f2ce0fb64b0b30f79fbe8140661c063e3e8ffec2e26a6028ff
Opcode Fuzzy Hash: 18bf99805408130cf560ef4c271c8e41302b46b2f96584694fadd2aa08c2d4ba
Instruction Fuzzy Hash: 58E03070D042459F8740DFB9C4421A9FFF0AB09214B2481AACC58D7201EB315521CBD2

Function 042A9170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c6c542ff28b9e41c246e1942b662dab7c01a408f45c900e7b331080a07e9c
Instruction ID: 3ba27411c1f9c7c4b78bbd7057e4fe5231158de584a55c5566a141ab40d53410
Opcode Fuzzy Hash: 598c6c542ff28b9e41c246e1942b662dab7c01a408f45c900e7b331080a07e9c
Instruction Fuzzy Hash: 8CF0EDB0A013089FD7649FB9D89C79B7BE9FB44314F004869E65EC7340DB396884CB90

Function 042A8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abf957711c910fc70f60b21fc9f7f91ba4d2df82d61c3437eaf11d0c27a623d
Instruction ID: baacb018709e1afa579ffc77745bb04fd008fbd64727118d6443dd0bb0873128
Opcode Fuzzy Hash: 9abf957711c910fc70f60b21fc9f7f91ba4d2df82d61c3437eaf11d0c27a623d
Instruction Fuzzy Hash: 55E0DF3530421887DB0C2B7AA90C2AE7B5ABBC4728F00002AEB0683340CF38291183E9

Function 042A9558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1346bfc8251daf7b66f6ee3e8724026a8a5da02b3a8011f877564daac0db51e0
Instruction ID: de754883bce4d6cc4ed8aedcf07cf29023f6201cbfdf49714681b2df758d9197
Opcode Fuzzy Hash: 1346bfc8251daf7b66f6ee3e8724026a8a5da02b3a8011f877564daac0db51e0
Instruction Fuzzy Hash: 94D05E927222262B56AC31EE18016BBA6CF8EC56E4705143A9E0DD7341EC50FC2607E1

Function 042ADE40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405b2ab3153d61e2eec5579f0893063d10451d0a16f0149ef3b00c9230c65b63
Instruction ID: b0d964524213ac4637d837b49d57baa7a3fb7a4a8ddfc0e2a92d082922fee73a
Opcode Fuzzy Hash: 405b2ab3153d61e2eec5579f0893063d10451d0a16f0149ef3b00c9230c65b63
Instruction Fuzzy Hash: 8BE0C235310B18178215AA2EA80089F77DBDFC5EB1340842EE46AC7700DFA5FC118BE5

Function 042ADE90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: c5bbc59a177c7be3591607604e95683af810c3f45e04bd12b4569e81b7e6a534
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: EDE08631B2011497CB089599D8104D9F7A7DFCC320F04847ADD1AE7750DAB26916C691

Function 042A8739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef3b0537d40a701d667ced708cdccaafc4fcc4bd6e282500c6d5faee84d52ad
Instruction ID: 29ecab32689af86c198fae0f6dec37623d5e3580f1c642cb031d6481937cb494
Opcode Fuzzy Hash: 5ef3b0537d40a701d667ced708cdccaafc4fcc4bd6e282500c6d5faee84d52ad
Instruction Fuzzy Hash: 57E04FB9D0924ECBCB08AB66E84A4BE7F74FB00301B0001A9DA4792191DB24155ACEC2

Function 042A8800 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e7b7a89af6d39ab7ea11c36608b4902a16fd0a990ea2adc06aab40847c5475
Instruction ID: d30700f07c95dfb08cb014d4fe29080de33ab879adda424cb83783e8717c413e
Opcode Fuzzy Hash: 40e7b7a89af6d39ab7ea11c36608b4902a16fd0a990ea2adc06aab40847c5475
Instruction Fuzzy Hash: 59E0DF7AA1830B8FCB08DF65E48A4BDBFF5BB40200B004056DD0997741EB305855CFC2

Function 042AF610 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: b2757bc7fec89ed9ef81d41bee3addc353c6b0949dbd60e1c704ee91d63e6402
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 3AD04C70D142099F8780DFA9894156DFBF4AB48214B5485AA8919D7211E6715A128BD1

Function 042A8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d77c55362ae8564f02a12b2498f1f2142d2fda9f1ec68301215d97978f56354
Instruction ID: 0f3f2f25c05d982074de279d641e5d6c11f245d576779d518f6fb23d566b2254
Opcode Fuzzy Hash: 4d77c55362ae8564f02a12b2498f1f2142d2fda9f1ec68301215d97978f56354
Instruction Fuzzy Hash: 6CD06779D1520DCBCB0CABA6E85B4BDBB78FB54301F4041A9DA0752190EA352A5ACAC5

Function 042A8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3e1c2c56095b9b53ded191b28fd31754dd907e80a8e21e37edb0430d941cba
Instruction ID: 9325556aee8df4dc70da9e2cd769e38b7d538570d308d3fee40c0f6fab3eb21d
Opcode Fuzzy Hash: fa3e1c2c56095b9b53ded191b28fd31754dd907e80a8e21e37edb0430d941cba
Instruction Fuzzy Hash: 83D01274A1420E8BC748EF65D44747EBFB5A744300F004155DE0593340EA306815DBC5

Function 042AEBF7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ea00b1324de403a05f83aca9ee54cd810430c11008a05ea042ced64c8a43da
Instruction ID: 1bed6ea4c7fe8f9105104af30d80fa37f2a1dbf2df99034011dfd5a90f8f3fce
Opcode Fuzzy Hash: d6ea00b1324de403a05f83aca9ee54cd810430c11008a05ea042ced64c8a43da
Instruction Fuzzy Hash: ACD09239B41218CFCB18DB94E895A9CB371FF84316F1180A5E9159B251CB36E922CB40

Function 042A7EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b391fb4cfc10d3efcd640b1ed58fab65a20ab2d965b7c3db66409e49d334ff
Instruction ID: 9a883d2ca099eff1c6777cff00106c6d56e08f777f08804a1f9818ea2b5baaa0
Opcode Fuzzy Hash: 11b391fb4cfc10d3efcd640b1ed58fab65a20ab2d965b7c3db66409e49d334ff
Instruction Fuzzy Hash: 53C0021151A3C05FEF4396319D661153F72995352870E89D29891AB163C829881ADBA1

Function 042A7938 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6656b827e45064087c803a06b71aa74a96f0c4949470ae87cb3fbdd40ea0454f
Instruction ID: d11951ee2f32fae5bd8b0daba6b3d8cd1094647774dd72239da40c2069a0f6fd
Opcode Fuzzy Hash: 6656b827e45064087c803a06b71aa74a96f0c4949470ae87cb3fbdd40ea0454f
Instruction Fuzzy Hash: B4C08C380893848FCB06CB39A04485C7F21BF8235831508DDE81A2F2A3DA72E499DF84

Function 042A7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1324044873.00000000042A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_42a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f7dd54594178ea1d3f20f0e5f5317bc35aac3d37d316420382d79172f3290a
Instruction ID: 2a5b627698d6e89706881a415af6d5fcc2444b6faeea6f4992319ac997880c92
Opcode Fuzzy Hash: b9f7dd54594178ea1d3f20f0e5f5317bc35aac3d37d316420382d79172f3290a
Instruction Fuzzy Hash: CCB092300847088FC249AF7AA408818B769BB4021538004EDE82E1A2968E76E894CB84

Analysis Process: powershell.exePID: 6252, Parent PID: 7600COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0378B470 Relevance: .3, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd10bac69fdac5b02ab9cd90cabd5d4766d8b22c01d834ca4a363bda25ee78db
Instruction ID: aa1c29fa8ea2f2e4186aef2a84933b9c0f3bf4fbe5f91c3bd3d0a5a50236c4d0
Opcode Fuzzy Hash: fd10bac69fdac5b02ab9cd90cabd5d4766d8b22c01d834ca4a363bda25ee78db
Instruction Fuzzy Hash: A4918B75F407189FEB15EBB998106AEBBF2FBC4700B00896DE056AB250DF345D058BD5

Function 0378B490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81389d991f7d011633b49bb34f12e05cb8a7789dc85128d1b52366d7c4be40f
Instruction ID: 2baa28de4988667ea8e3adffb9be9f6bfda2e0463438220e8a738e805c2ac835
Opcode Fuzzy Hash: e81389d991f7d011633b49bb34f12e05cb8a7789dc85128d1b52366d7c4be40f
Instruction Fuzzy Hash: 49916B75F407189FEB19EBB998106AEBBF2FBC4700B008969E016AB350DF745D058BD5

Function 08FD75D8 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08FD7642

Memory Dump Source

Source File: 0000000E.00000002.1392527985.0000000008FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_8fd0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: b1b6f07761c079304df9d9980b793f88371e9e30e96339f51d926a77247a233b
Instruction ID: 4f77ca0b3b59ebcca4b3e9d2cf06305752c7442740905f803aafa9b3b6cb9ede
Opcode Fuzzy Hash: b1b6f07761c079304df9d9980b793f88371e9e30e96339f51d926a77247a233b
Instruction Fuzzy Hash: 561146B59003488FCB20DFAAC884BDEFBF5EF49224F14845AD558AB710D774A944CFA5

Function 08FD75E0 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08FD7642

Memory Dump Source

Source File: 0000000E.00000002.1392527985.0000000008FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_8fd0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: b1bfff19982b432e7ae13f06ce7df394bb4093716fa31c0b8f52f277d2354b43
Instruction ID: a2b287c7c6cd43d2fb3b27cb63e9fbd580f50ccdb6cdb3a4f63ca7d46def8f93
Opcode Fuzzy Hash: b1bfff19982b432e7ae13f06ce7df394bb4093716fa31c0b8f52f277d2354b43
Instruction Fuzzy Hash: 6311F5B59003498FDB20DF9AD844BDEFBF9EB48224F24841AD518A7310D774A944CFA5

Function 07E62308 Relevance: .4, Instructions: 450
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1389028223.0000000007E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aaac1be911f8d920e49d49419852abf2da99899810f951b51a5013afcfa6a49
Instruction ID: a3b7b7d691db5647a7e020595a41d5628cb8ea9471436f7fbf3168e0f9456aab
Opcode Fuzzy Hash: 7aaac1be911f8d920e49d49419852abf2da99899810f951b51a5013afcfa6a49
Instruction Fuzzy Hash: 03E156B1B812068FDF248F68C4487AE77E9BF85295F10807ADA15DF351DB35D881CBA2

Function 07E62700 Relevance: .3, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1389028223.0000000007E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7ae293a726eaa5a227780515c99fd5ed46c5cd4117b4b1c6fa4567c9f9ca2e
Instruction ID: ddab59cc16233f588287c8bab7da403474559a18dedb50e47d7301570324c279
Opcode Fuzzy Hash: 7a7ae293a726eaa5a227780515c99fd5ed46c5cd4117b4b1c6fa4567c9f9ca2e
Instruction Fuzzy Hash: CD917CB1B41306CFDB208B68C849BAA77F9BF86255F1090B6D605CF251DB34D980C7A1

Function 037829F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44361a30a21d790beb7eb656b495ee24501b656918684c354bfdebc7d313a364
Instruction ID: b9e1fd5325e633de9f4cffaaef0fb322524d25893fbaf918727b4b60276d5ef6
Opcode Fuzzy Hash: 44361a30a21d790beb7eb656b495ee24501b656918684c354bfdebc7d313a364
Instruction Fuzzy Hash: D2917D70A006058FCB15DF59C4D4AAEFBB1FF88311B248599D915AB366C736EC91CFA0

Function 03787728 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f1835f3a2f81d6056175012713a1f22676a21d9e698bc5dffda8e13d7fcb7b
Instruction ID: a33331fd851df07aa566f83e7b977cb4310b0eb5cec231afff0797c4f51587bf
Opcode Fuzzy Hash: 87f1835f3a2f81d6056175012713a1f22676a21d9e698bc5dffda8e13d7fcb7b
Instruction Fuzzy Hash: A951C234704245DFD708DB65D854B6A7BEAFFC9254B2988B9D40ACB351DB31DC01CBA0

Function 0378BAC0 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5fe07793870ca118202e8b70e1f0e79f2d6bfabc924e57fa1f729c515b8182
Instruction ID: 769508f545a1d62bd7956aba7ef530990c09d0a37acf89437e5880f36c03c713
Opcode Fuzzy Hash: bc5fe07793870ca118202e8b70e1f0e79f2d6bfabc924e57fa1f729c515b8182
Instruction Fuzzy Hash: EE61E775E012489FDB14DFA9D984B9DFBF1EF88310F19812AE809AB254EB749C45CB60

Function 0378BAB0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c0867fdf238aef25cf51531ced2cc8c4707acadd2903697d8822e53beb42d7
Instruction ID: 8bccc740b1a5a1bb7fd90e0d64e6db76d5f94afa9a06f8cd876eae26de3560e8
Opcode Fuzzy Hash: c6c0867fdf238aef25cf51531ced2cc8c4707acadd2903697d8822e53beb42d7
Instruction Fuzzy Hash: 08510771E01248DFDB14DFA9D984B9DFBF1EF88310F19802AE819AB364EB709845CB51

Function 07E6196B Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1389028223.0000000007E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb607116a83cef62eb34ac323e91ca38b58d16900ffabd850000bde2e6caef88
Instruction ID: 37450fd4a8d2667eff7d31a2783594c193719c9e9ea828397e8c9dfe11c53a29
Opcode Fuzzy Hash: eb607116a83cef62eb34ac323e91ca38b58d16900ffabd850000bde2e6caef88
Instruction Fuzzy Hash: 53319AB27863498FE726976888147AEBBF2DFC6245F1440BBD101CB2A2DB35DC42C361

Function 03786FC8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fffe32cf6d3c0dd45db9ec34100c2ff9aa5cb7e5725b93ee0f63878705304b
Instruction ID: 7a97601bcc19ea16028738653cc86f251187bf9ce10512f018a302e514f6587b
Opcode Fuzzy Hash: 62fffe32cf6d3c0dd45db9ec34100c2ff9aa5cb7e5725b93ee0f63878705304b
Instruction Fuzzy Hash: 06414D34B042488FDB18DF64C454BADBBF6EF8D615F284099D442AB3A1DA35DD41CB61

Function 03782B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d693b3157834c10bbdf4533d8033c1de971a8a13c41383a8eb0d59228c8eeb55
Instruction ID: e5db1b00c74755aed0ed2ecf59226c8529d651d9633ae7a1882c4e6288f89316
Opcode Fuzzy Hash: d693b3157834c10bbdf4533d8033c1de971a8a13c41383a8eb0d59228c8eeb55
Instruction Fuzzy Hash: 37415874A006059FCB09DF59C598ABAFBB1FF48310B1585A9C915AB366C732FC91CFA0

Function 0378C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe8eb5a71ded23ad572a35306e3d224cb90545c99d02924d5a1863511f74ef5
Instruction ID: 4b91716dfa62065993506c6add588232cc6564b1792d2c99200f2874a6d644d4
Opcode Fuzzy Hash: 4fe8eb5a71ded23ad572a35306e3d224cb90545c99d02924d5a1863511f74ef5
Instruction Fuzzy Hash: F331AE353016019FD705EB78E844BAEB7A6EFC9211F048139D64ACB761DFB0AC46CBA1

Function 03786FB9 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591a23c4a259d55502aa437e7f78bc2da6817ab6d3287d5d9e52c1e11f95a25a
Instruction ID: 16457fa572261cd8ab9a17c5da91c2f508e835a78e2ea414f9648b2fe9111b8c
Opcode Fuzzy Hash: 591a23c4a259d55502aa437e7f78bc2da6817ab6d3287d5d9e52c1e11f95a25a
Instruction Fuzzy Hash: 6E314D30A44249CFDB19DF64C554AADBBF5EF8D214F2940A8E402EB3A1DB31DC41DB60

Function 07E63DE2 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1389028223.0000000007E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fef1681890c7568ff6d7147e7e80b789035dcf035e40ad620216731e6ae2af
Instruction ID: 5fb7258b501a01281a9a904d0aafb4d5e4b85b1fed4b53cafc117f9eb6943a4d
Opcode Fuzzy Hash: 95fef1681890c7568ff6d7147e7e80b789035dcf035e40ad620216731e6ae2af
Instruction Fuzzy Hash: 302198F6B41322DBEB2057649815AAFB3529FC6659B1080BBC502DF741DF329D4287F2

Function 0378AE60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6dc01238aea1b4ce55a6fb44b86b98291582da3c3a49787e8421799c954476
Instruction ID: 892a73bb66a0ebe4983ab4e2fd193bf865481cdc3ea37e9253521f2c0efaa312
Opcode Fuzzy Hash: fa6dc01238aea1b4ce55a6fb44b86b98291582da3c3a49787e8421799c954476
Instruction Fuzzy Hash: 0C317C74E412098FDB44EF69D894BAEBBF6EF88310F15806AE405EB354EB748C428B50

Function 0378AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b59eb25dd8abf7faf5021f9fd84a650235c92a251d3919f148bf58b81c7559
Instruction ID: 3cdafa89948c2384f79b5c126295da3f82f664ab200c11245a6eff935d874771
Opcode Fuzzy Hash: 31b59eb25dd8abf7faf5021f9fd84a650235c92a251d3919f148bf58b81c7559
Instruction Fuzzy Hash: 60315E74F416099FDB44EF69D8947AEBBF6EF88310F15806AE405EB350EB748C428B60

Function 0378AF98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832774aa46b38d81606b85a0cf02afa23770d1195e313e3d43f881d5f46fb709
Instruction ID: 25a5744240a82fecbb8905f44e9089f3a52281f5b3ddb012fc657bdb3cc80897
Opcode Fuzzy Hash: 832774aa46b38d81606b85a0cf02afa23770d1195e313e3d43f881d5f46fb709
Instruction Fuzzy Hash: 1721C175A043588FCB14DFAAD80479EFBF5EF89220F14842AD418EB340CB759845CBE5

Function 0378AD28 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cce4ede232b095d4ba0200e2634f61672bb5f6566b8b4073ee0c0a01f03d0e2
Instruction ID: 8b3547e743d1d9cd1b06233db2c2dbaa57738932cfd9bd4476ae02b50cdaa54f
Opcode Fuzzy Hash: 9cce4ede232b095d4ba0200e2634f61672bb5f6566b8b4073ee0c0a01f03d0e2
Instruction Fuzzy Hash: 313181B8A40209DFEB00DBA4D858AAE7BB2FFC5300F1584B9D115AF3A5CA789D41CF51

Function 0378DCD9 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76316bdd0eaf50e66ed3d3ee67fa086ea7d9b62f491a164d8922e268dd24b421
Instruction ID: 0ac1414abbede726b771b62c0bc4fe888f4daf21ad79418cc41835cebb2e9e44
Opcode Fuzzy Hash: 76316bdd0eaf50e66ed3d3ee67fa086ea7d9b62f491a164d8922e268dd24b421
Instruction Fuzzy Hash: 6C213A34A062449FCB25EB7CD8049EDBFB2EFC9251B0840AED446E7792DB604C02CBB1

Function 0378AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698add0d968b68d2cdb942a3c46943aea271ed57477c14f1d3e5034253e670e5
Instruction ID: ff8df6d3b68b061366970ac364a1457cefee51624bd2390fa1033fc30c7d1e12
Opcode Fuzzy Hash: 698add0d968b68d2cdb942a3c46943aea271ed57477c14f1d3e5034253e670e5
Instruction Fuzzy Hash: 153130B8A40209DFEB44EBA4E854AAE77B2FFC4300F118479D515AB3A4DE759D018FA1

Function 0359F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c733d3baff1efd74c9b06efaf76afe06fb57f4f3c45f59532d36e6e14ba5e4c2
Instruction ID: 2516d369d0a0fad309bcab5d2423231c2b87daee0050e94906978a3a4df8c2a8
Opcode Fuzzy Hash: c733d3baff1efd74c9b06efaf76afe06fb57f4f3c45f59532d36e6e14ba5e4c2
Instruction Fuzzy Hash: D421C975504300DFEF05DF50E9C0B16BB65FB88315F28C5AED90D4A266C336D456CBA1

Function 037893F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d060321c3e8d721ebe6e302195447df07dda6dda12797d51c990f0a97894ba86
Instruction ID: a08f830e368be18baf725e5820391b67da9e7cd8334d5c58d2ef9f10aec1dde7
Opcode Fuzzy Hash: d060321c3e8d721ebe6e302195447df07dda6dda12797d51c990f0a97894ba86
Instruction Fuzzy Hash: EB31BC709067448EDB60DF6AC0887DAFFF2EF89324F28805DC94D9B255C7B45445CB21

Function 07E626FE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1389028223.0000000007E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba33ebbacf9e4e244d12983e0d3de7e978e8fdf647d5ed9a4b15bc6ab0a3818d
Instruction ID: eafab891edec43501013751306089eb43aacb457ef912cb19112cffd90dc6fc3
Opcode Fuzzy Hash: ba33ebbacf9e4e244d12983e0d3de7e978e8fdf647d5ed9a4b15bc6ab0a3818d
Instruction Fuzzy Hash: A521E5B5A82206DFDF20CF58C589FA977E9BB45799F04E066DA04DB250C334F984CB61

Function 0359F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0c702a8023f3367b89f206ed61ab1402d0d506479a73e821cc3802e70e9547
Instruction ID: c707f7e1b6c0fbe94a9bd699047f5365bd04f79a2f5dd237fc6d043df6623a86
Opcode Fuzzy Hash: fb0c702a8023f3367b89f206ed61ab1402d0d506479a73e821cc3802e70e9547
Instruction Fuzzy Hash: 62214975504340DFEF14DF10E9C0B26BBA9FB84325F28C9AED80B8B266C336D446CA61

Function 0359F4CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766d1dc022b50c671eb94d662e069c5e69d3601c1c202ddad5932a1da780d6f9
Instruction ID: 7484813f11c5f9e9b272dfd6f114b0b01db0165e03211002a399780af1a143c1
Opcode Fuzzy Hash: 766d1dc022b50c671eb94d662e069c5e69d3601c1c202ddad5932a1da780d6f9
Instruction Fuzzy Hash: C92127B1604340DFEF14DF14E5C0B26BBA5FB84319F34C9AED9098B251C33AD846CA62

Function 03789400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537eca55a67c738b27d4e0c25cbd1e13ce702b06ee3c4951c282b5633cc932b0
Instruction ID: 059d617c825c319ce7df2cef9e26b436536bd22865540a903db7962997e50a8e
Opcode Fuzzy Hash: 537eca55a67c738b27d4e0c25cbd1e13ce702b06ee3c4951c282b5633cc932b0
Instruction Fuzzy Hash: 7F219C70A017448FDB60DF6AC0883DAFBF6EB89320F28C02EC95D97245D7746481CB60

Function 07E619AF Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1389028223.0000000007E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f735421f1c88006ccda7ee92183e7e63eb6417996081a2f8aac95999f1cbca
Instruction ID: 5648c92cce53358afe4c73c9729a1b1a0995d83c2135a79d99ec17f4b23fb918
Opcode Fuzzy Hash: a9f735421f1c88006ccda7ee92183e7e63eb6417996081a2f8aac95999f1cbca
Instruction Fuzzy Hash: 80115EF278635BCFDB278B5984487B6B7E1AF42295F08A0B6D541CB152D731D890C711

Function 03787664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7daa24f8d1aa4d871080797834fec0035b0828e066c875ba1cff9fb1889b8da8
Instruction ID: 7fc11ede1d1a5246121ed90e0adb7c02ba3beb59add7bb46a3ed8f291923753b
Opcode Fuzzy Hash: 7daa24f8d1aa4d871080797834fec0035b0828e066c875ba1cff9fb1889b8da8
Instruction Fuzzy Hash: A711193A700218CFDF04DFA8E850A9DB7F6EFC8265B1440A5E50ADB764DB31DC418BA0

Function 0359F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction ID: efd24195239d4d17681596bfc756e38acbbcafb08bbcb141a0576444ff3ddf8b
Opcode Fuzzy Hash: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction Fuzzy Hash: AF219D76508240DFDF06CF10E9C4B16BF72FB88314F28C5AAD9494A666C33AD46ACF91

Function 0378C344 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59d91cac7bb0458551c7db96b020b77ff7fb9eff6cf23f9b9d2c60622a54bc9
Instruction ID: 3a44492c50e77f9c732a357b365c70bc467c4e2fd31ca8158ad6257ead31cdfb
Opcode Fuzzy Hash: f59d91cac7bb0458551c7db96b020b77ff7fb9eff6cf23f9b9d2c60622a54bc9
Instruction Fuzzy Hash: B3115B2620E3D14FD317973858746967FB0AF87254F1A40EBC8C5CB5A3D915484AD372

Function 0359F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction ID: 3b97a981b656dab79d17b048ab07a4eed8f2ea8ee35992f05d7d698a802d26f0
Opcode Fuzzy Hash: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction Fuzzy Hash: 21119079504280DFDB15CF14D5C4B15FFB5FB44324F28C6AAD84A8B666C33AD44ACB51

Function 0378BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ea290646b137daefaa8576006ab33e18e5120fbfc9b4b786e969ab6b7946f9
Instruction ID: 73ce4a5209da1369c839c6eea5b4552bdcc843a504e0923b5fe8f2a3c1ef7db2
Opcode Fuzzy Hash: 53ea290646b137daefaa8576006ab33e18e5120fbfc9b4b786e969ab6b7946f9
Instruction Fuzzy Hash: 5301D2312087449FDB25DB79C994B9A7FF4EF46210F1844EED48ACBAA2DB60EC45CB11

Function 0359F4C7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e69e57f9eb22a0ee7b7977b6bf74a2b8b9dcf83114222207a56fa92b8877d1
Instruction ID: a4789be0ee514f95b16826e69522ec6dec3beb20ef437b9dac37276376482368
Opcode Fuzzy Hash: b9e69e57f9eb22a0ee7b7977b6bf74a2b8b9dcf83114222207a56fa92b8877d1
Instruction Fuzzy Hash: 4F11A0B5504280CFEB15DF14E5C4B25FBB1FB44314F28C6AEC8498B666C33AD94ACB92

Function 0378BF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f04a81fda666ed612802f3f4dda56bfe6c7d33c5f0fd1c0965cf6ff17a7671
Instruction ID: 74a1300f928169a32c3294e156531eed5f2f3800bda86765a4d23fe903738e16
Opcode Fuzzy Hash: d1f04a81fda666ed612802f3f4dda56bfe6c7d33c5f0fd1c0965cf6ff17a7671
Instruction Fuzzy Hash: C4F0C8713093955FD7018A799C54AA7BFEDDF8665171940ABF884C7392CA70CD048770

Function 0359D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae49e32b12f5ab90a5377f44cd35674e6ea7327d49a2c42e454ab8647d85cc82
Instruction ID: b6d2a2c876293db8e3d93de971c57d408983c1f1ecbe1f144565607481bc8d25
Opcode Fuzzy Hash: ae49e32b12f5ab90a5377f44cd35674e6ea7327d49a2c42e454ab8647d85cc82
Instruction Fuzzy Hash: 6501D4714043449BFB20CE11EC84766FBE8FB42224F1CC55BED490B252E67A9441CBB1

Function 0359D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339dffff4a6786a8e2a0c3dfdf2b5405ad2214afd84c5680122713c9cebed1bc
Instruction ID: a06e0e7577068b151719c2310eafe8f150f22e8de419a68d1a99db1dfaae337a
Opcode Fuzzy Hash: 339dffff4a6786a8e2a0c3dfdf2b5405ad2214afd84c5680122713c9cebed1bc
Instruction Fuzzy Hash: F001447140D3C05FE7168B259C94752BFB4EF43224F1D80DBD8888F1A3C2695845C772

Function 03787940 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357bbfb5654cf44462a078ce704d5bbb812628f7a6e9a89258917b0741b425fc
Instruction ID: 9c4cb1c16e16364924355401f075303a582003aba645da49f0f862d527ff2eca
Opcode Fuzzy Hash: 357bbfb5654cf44462a078ce704d5bbb812628f7a6e9a89258917b0741b425fc
Instruction Fuzzy Hash: 9CF022316057409FD712D765E840AAE7FF9EF8A6207050A6EE04AC7661CE744C42CB71

Function 037890D0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc6885fedf077751020d512d60a77ca84cec6cbf3521ae72ffbb16630b52902
Instruction ID: 62e19acb411641bcc9bf7297853cda0baef76fe426e88d166d6c53abf9ad9fca
Opcode Fuzzy Hash: 6dc6885fedf077751020d512d60a77ca84cec6cbf3521ae72ffbb16630b52902
Instruction Fuzzy Hash: 3A01DB756083408FD711AB38D4543AA3F61FFC1319F24419AC8465B256CE391C07C761

Function 0378C4C0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665c9b8382aa9918078bc441a2b30152d47342932b8c69a0d830757fbadb93fb
Instruction ID: 818fce3d83059d2faef5609453c599ebabb6ce2995f921f9b8a8711d58d52621
Opcode Fuzzy Hash: 665c9b8382aa9918078bc441a2b30152d47342932b8c69a0d830757fbadb93fb
Instruction Fuzzy Hash: ABF04C751043459FD701E728E840A9ABBB5FFC22557018A7EC08ACF631CB755C0AC7A0

Function 0378DC88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7936de41ddb9fe7022805b18a40f9291fcaa96a3113a71cdcb5d231667b97ec
Instruction ID: 3665ad991c3ebccabe80467fbcf61cc4e9dde859172637473696f32eb5b79f65
Opcode Fuzzy Hash: b7936de41ddb9fe7022805b18a40f9291fcaa96a3113a71cdcb5d231667b97ec
Instruction Fuzzy Hash: 86F059356466509B8B25E31CA800CEE7BA5DDC25A570040AFD44ADB640CBA08C064BB2

Function 0378CB52 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0afe601fe5c986b7f2ecc7437512b204ee431c80fa08dc69bd5930017e681f19
Instruction ID: 477a7056483c4f70e5425aac380dc8a9668514e3d4dcdf50c06e0d41f41b9a42
Opcode Fuzzy Hash: 0afe601fe5c986b7f2ecc7437512b204ee431c80fa08dc69bd5930017e681f19
Instruction Fuzzy Hash: 54F0E9752093804FD7069339AC9065E7FF6EEC31A035A46BFC0CBDB962CA680C068732

Function 0359D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1067d8a4e92c79554cf15bc9dc41b473c66e9240add84041508f8f841b5d0d16
Instruction ID: a4b605160d2de51c4bb83ab4112704154a68022b6aa202f7c156f344174546ab
Opcode Fuzzy Hash: 1067d8a4e92c79554cf15bc9dc41b473c66e9240add84041508f8f841b5d0d16
Instruction Fuzzy Hash: 7BF0E776600604AFD760DF0AD985C22FBBDEBD4670719C55AE84A4B712C671EC41CBA0

Function 0378DE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3484fffa7074a659d322d67e1ced635ba0138c26b6040aa2d83e887041cd5202
Instruction ID: c5a8076db89836f087d746bebf3523745572b01ec2f085a72e7a051fb144c182
Opcode Fuzzy Hash: 3484fffa7074a659d322d67e1ced635ba0138c26b6040aa2d83e887041cd5202
Instruction Fuzzy Hash: B5F05E347052808FC3119B2CD494D66BBF9AFCA21532910DAE485CB772CAA1CC42DB60

Function 0359D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1369882734.000000000359D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0359D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_359d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781cd9a5d91468a5591d3e2df17705ee74c70b7d4bdfa85d845f49ae0f9d0776
Instruction ID: ef56e9c793ede01b4a4c8d0703e7890d209d24d34435bbb09dde36d2224943d6
Opcode Fuzzy Hash: 781cd9a5d91468a5591d3e2df17705ee74c70b7d4bdfa85d845f49ae0f9d0776
Instruction Fuzzy Hash: 84F0F975100640AFD765DF06CD85D23BBB9EB85624B198489A85A4B762C731FC42CFA0

Function 03787950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70222275406c47f03910cd3918379e70a4a954010a4a991aa9d289b5cec990fd
Instruction ID: 5d81ef75d45bac57b6200aee7ce67cf29276e3208491d1be74706be391175d63
Opcode Fuzzy Hash: 70222275406c47f03910cd3918379e70a4a954010a4a991aa9d289b5cec990fd
Instruction Fuzzy Hash: 67F0A0767007159FDB14EB6AE884A6FB7E9EBCA671B00092DE14AD7350DF70AC4187A0

Function 0378C4D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ffdb1521824a2e8fbfe698d638a873698cb39692db18f21c756d7cfdb6f4ea
Instruction ID: ece4b6d06b7c80b0df8ef096d08e441094f4c62db9242a00f34215ca5631191f
Opcode Fuzzy Hash: b7ffdb1521824a2e8fbfe698d638a873698cb39692db18f21c756d7cfdb6f4ea
Instruction Fuzzy Hash: 4EF027352003059BD700E729E840A5BB7A6FFC26147408A3EC14D8F720DF75AC05C7E0

Function 03789158 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d93ea12957267713dbc9b422df828c27d0f39a949de13f646016af92bf136b
Instruction ID: 49e579e845785ebaa5f3828331be449f2007c475b48b806cdb96e5b369fa210e
Opcode Fuzzy Hash: 54d93ea12957267713dbc9b422df828c27d0f39a949de13f646016af92bf136b
Instruction Fuzzy Hash: 7CF0BE71A063008FD7609B78D8A839ABFA1FB01310F0544AAD58ED6682CB3868868B60

Function 037890E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06743f75a0e60ef3dfa550c92be81520584e54beef65b50db30323b93b3ebac2
Instruction ID: 721bd91119c5c01a0c152eaca908680a9f1f87ec8aeeda68fdfbf3f6f15eb0de
Opcode Fuzzy Hash: 06743f75a0e60ef3dfa550c92be81520584e54beef65b50db30323b93b3ebac2
Instruction Fuzzy Hash: 10F027397442048BE704FB68D0483AF7BE6EBC0319F10816AC90A4B784CE3E6C02C7E1

Function 0378767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce8d247501d0a764a42d3b2449e93c8fd85091fa3bb4ffd6948ea57be69d09f
Instruction ID: 3a42bd30c9b63547044edbdc31fe2b30dcf232ee41538ec28ae595d4e2bcd310
Opcode Fuzzy Hash: 2ce8d247501d0a764a42d3b2449e93c8fd85091fa3bb4ffd6948ea57be69d09f
Instruction Fuzzy Hash: 1CF0A039340205CFDB14EBADA840799B7B6FFC86557294294E40ACB364DF30CC028B90

Function 0378DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbb46ce1f2ddfcfa849ef01f277dfa5ecb50fed7424ce3d53d9a757798a698c
Instruction ID: e9a069cabca0886b702bcdceb663a79aa3e8c0c03ba7c04d338b83b3897420b7
Opcode Fuzzy Hash: 1fbb46ce1f2ddfcfa849ef01f277dfa5ecb50fed7424ce3d53d9a757798a698c
Instruction Fuzzy Hash: 92E0E535740210CF8210EB1DD498D66B7FAEFCE66531900AAE549CB771DA61EC01CB90

Function 0378C33F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55abb99344937dc290b9311dc55b63c26cd8ebfd62c77be5aa6c95c6a2948e57
Instruction ID: e3316354f75c956e7755ecee87d41d1ab579a75388dfc1d197af13db7293f947
Opcode Fuzzy Hash: 55abb99344937dc290b9311dc55b63c26cd8ebfd62c77be5aa6c95c6a2948e57
Instruction Fuzzy Hash: BEE022373402018FD314E3799884AABABD1DBC8360B18403ED90AC7791D8218803C660

Function 0378896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c46a51a3fbbe29da78ef9016f1bcd61a9cf5f93e8d38bcc27cc02ecf2bb1822
Instruction ID: 530d59675cf30507059b1497bda9a9c05219e45e88fc9e250c870ad90c36bb75
Opcode Fuzzy Hash: 8c46a51a3fbbe29da78ef9016f1bcd61a9cf5f93e8d38bcc27cc02ecf2bb1822
Instruction Fuzzy Hash: C1F0EC397093819BDB0A6734A81C39D7F61FFC5329F05005FD5068B642CF290C0783A1

Function 0378AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14c1eba7fcfaa8145f5795fc2313f73354f900b30a748bd7b670e20049014b6
Instruction ID: a1172b212f6f37e5ec851288f4743b9f46ef7c47a8a5c8f11208c611a7dad266
Opcode Fuzzy Hash: d14c1eba7fcfaa8145f5795fc2313f73354f900b30a748bd7b670e20049014b6
Instruction Fuzzy Hash: 7AE0DF6674D3D10B8F26D22D68645AAAF734EC316830D81FFE881CF242DD51880783A1

Function 0378CB68 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374258c59f86babd22fb5123c7e1aabf87bcf2ac23777bfa7fc4b48a1f0a853d
Instruction ID: 228678428a6fdb30c00703bcafaba7c5e7856d379c571f8a2a5321bfe280b363
Opcode Fuzzy Hash: 374258c59f86babd22fb5123c7e1aabf87bcf2ac23777bfa7fc4b48a1f0a853d
Instruction Fuzzy Hash: FBE020353003001BD114F25EAC5052FB7DBEEC55A0355883DC14F87A10DEB46C0183B6

Function 03789168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd6b4f8b5a46019b56fb1d3503ae9dd7f4e806ba26ad63c8126994a0656bc74
Instruction ID: 17f3ff46698418fb6f20790c3f64b9e48c609e538f59bc42387071aa7e93ecde
Opcode Fuzzy Hash: 0fd6b4f8b5a46019b56fb1d3503ae9dd7f4e806ba26ad63c8126994a0656bc74
Instruction Fuzzy Hash: E0F06D709013048FD760DB78D89C39A7BE9FB44310F00446DD20EC7740DB39A8818B90

Function 03789549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921d657f2766d159632c4723ad323f9cdb749e84c2d150dd5d77f878a1ce525d
Instruction ID: 051e36ffea8dd732e8b7989cf811438440abd4324dd911e5d40e888d51237e57
Opcode Fuzzy Hash: 921d657f2766d159632c4723ad323f9cdb749e84c2d150dd5d77f878a1ce525d
Instruction Fuzzy Hash: A0E0C2167C6612274A64F3B914407BB95CACFC509570801B9CA46DBB41DD44CC0143F2

Function 03788978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05841d1bb4c39e776ca09dfa78c6142a5c4deb596faa823d3d3e5cabc01fed7e
Instruction ID: bd1a064b094f719ed84c3142dc0b8ba617b09c95ad6ca9dfece2ddfeeda3cc6e
Opcode Fuzzy Hash: 05841d1bb4c39e776ca09dfa78c6142a5c4deb596faa823d3d3e5cabc01fed7e
Instruction Fuzzy Hash: 6FE0263970521497DB087B78A80C3AE7B66FBC4725F00003EE60B87342CF38580293E5

Function 03789550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614d393bae6d017eb001a1aeba48917f8e5b3a022193a37e24dff61ca448305f
Instruction ID: d9a1eb6b984baf955465ab0a089a3fd5add6f515e65e7547a2c8420cdd22e4ea
Opcode Fuzzy Hash: 614d393bae6d017eb001a1aeba48917f8e5b3a022193a37e24dff61ca448305f
Instruction Fuzzy Hash: 82D05E167C6622274954F2BA58047BBA1CECBC94A17490076DA09CB781ED44CC0143F2

Function 0378DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 3a962890790a291bbb3cc3218a40100535f904017f2d6cda06a1e839b8c8d11c
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: E7E08631B10014978B1CDA99D4104EDF7AADFCC220F04807BD90AA7380DA72591586E1

Function 0378DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28b31bf02cb682c0c2019636f31410b62e445f9f279150ad92e63916a36c903
Instruction ID: 49c8fc53c31c2e45200b2444f488b6732d3eaefa7d2863630d832e2ae140e11f
Opcode Fuzzy Hash: d28b31bf02cb682c0c2019636f31410b62e445f9f279150ad92e63916a36c903
Instruction Fuzzy Hash: EFE08C35740A144B8621E71EA80085EB7EAEAC5A61304842EE05ACB340DFA0DC028BE5

Function 03788739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f5642934a367b41baedf6beae0f399f34a6f6bbf482fe6088ed9751ce0d29a
Instruction ID: 2a8157954435ff0d0f91ca20aba46b8e501f7e00e7dc65a415da42540dbbc145
Opcode Fuzzy Hash: f9f5642934a367b41baedf6beae0f399f34a6f6bbf482fe6088ed9751ce0d29a
Instruction Fuzzy Hash: F0E01A3084A2498BCF09BBB4E8495ED7F30EA11216F50029DDA5392952DA21464BDBC2

Function 0378C580 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a715cbf36b8059ca105641a28657babf65e7d26997542586576fecbcf20e679a
Instruction ID: 22aecfa839667eb4c5ae761a4adacfd4266828a4aac6cd1b1c875cc279b95594
Opcode Fuzzy Hash: a715cbf36b8059ca105641a28657babf65e7d26997542586576fecbcf20e679a
Instruction Fuzzy Hash: 04E026363095901F8300633CA804569BFE0EBD626130900AFE049C3A52D9104C0687A1

Function 03788800 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da906d6f63e3dd0dbaab25d209d71b8189a0345c5ac96d90082768ec806c410d
Instruction ID: 2564488c86d95aa6f49be3d6dee5863cd861b4500eb42247a6362c87f17bcdb0
Opcode Fuzzy Hash: da906d6f63e3dd0dbaab25d209d71b8189a0345c5ac96d90082768ec806c410d
Instruction Fuzzy Hash: 8EE08634A0924B8FCB04DF64D94576DBFB0FF45205F004569DC45A7B41EB305856DB81

Function 0378F3C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea58f0172cf87474aabf004e2ee44ea52271769df840eba73ac0580db364f37e
Instruction ID: 75186123b2a9515559991647267dad91273f68afe86c405a136c648772cd65ec
Opcode Fuzzy Hash: ea58f0172cf87474aabf004e2ee44ea52271769df840eba73ac0580db364f37e
Instruction Fuzzy Hash: BFE01A70E011469F8780EFA8844016EFBF0EB48204B6084AED50CEB201EA329602CF81

Function 0378C590 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8417f1bad0ad2f87d856cee1eb356b1cc65058b74d269a48e7ca9776c729329a
Instruction ID: 0c0be5a76f154a9edb2d80e30577b058dacc511d58c9fea56282a92f09b97cd2
Opcode Fuzzy Hash: 8417f1bad0ad2f87d856cee1eb356b1cc65058b74d269a48e7ca9776c729329a
Instruction Fuzzy Hash: 63D0A7363009105B4204776DBC0565A77E9E7C9562304007FE60DC3740DE219C0693E4

Function 0378F3D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 38ff49f6498347f4c6d709741ade2796211ac508265adc07685dcb737adfc8ea
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: A5D067B0D052099F8B80EFADD94156EFBF4EB58200F6085AAC91DE7301E7329A12CBD1

Function 03788748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7835e1d4242485ad689ffa9adb3e6cbdaa61b9e3c312df8ecb1c4ded0eb6947b
Instruction ID: 3b8868a199b13ba2a3376b907bacee0b369c2c0bd74658d2051c8655d6bc0c4c
Opcode Fuzzy Hash: 7835e1d4242485ad689ffa9adb3e6cbdaa61b9e3c312df8ecb1c4ded0eb6947b
Instruction Fuzzy Hash: EED067318051099BCB08FBA4EC5A5BDBB74FA14301F40416DDA1752691EA315A5BDAC5

Function 03788810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413cb9b7f029a0f82623169cec47fafe467467231f414424c35a080776c7b75f
Instruction ID: 8606b4c324630b532283b105180766c3dbf1f557f2212c11068cbd978070f4d0
Opcode Fuzzy Hash: 413cb9b7f029a0f82623169cec47fafe467467231f414424c35a080776c7b75f
Instruction Fuzzy Hash: F0D05E34E0920E9FCB08EFA4E84696EBFB4EB44300F004169DD4A93740EA305C02DFC1

Function 03787E90 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9b540131cb194fdcc3fff1dd9d565de76d386f427833298208eae67472ac29
Instruction ID: 99429cec5d07a4984e7c779ab9cda52e6ddb3312dbb40b1b80bfcd5fae24d4c4
Opcode Fuzzy Hash: 4a9b540131cb194fdcc3fff1dd9d565de76d386f427833298208eae67472ac29
Instruction Fuzzy Hash: 41C08C304083804FEF0787304C230013F30AA4320074B41E2C852CB0F3C92C8C46C7A3

Function 03787920 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c20fadbd3b5ceb250146ab8264910ae30d5ac3ce01c7a75e23d613d4e8fdf4
Instruction ID: 2e2cd15ab76e061f39abf0dfadf6a9ea7f2a0e594cbe9771952e41bf7c075827
Opcode Fuzzy Hash: a2c20fadbd3b5ceb250146ab8264910ae30d5ac3ce01c7a75e23d613d4e8fdf4
Instruction Fuzzy Hash: FBC080300417888FC309BF359404C247718FB0231278208D8E41B476A6DF359886CF40

Function 03787928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c22ee1181f77127730fe5c556580b11e15dd7103e5159ddc42cc32edfc1555
Instruction ID: 30876955ce75282be7354f3268b7c6fd4fd5abe94d33aea36f7e511557acd15c
Opcode Fuzzy Hash: e2c22ee1181f77127730fe5c556580b11e15dd7103e5159ddc42cc32edfc1555
Instruction Fuzzy Hash: 18B092300857088FC248AF7AA4048187729BB4232538008E9E82E0A2968E36E884CB84

Non-executed Functions

Function 0378ED50 Relevance: 5.5, Strings: 4, Instructions: 453COMMON

Download Yara Rule

Strings

0o6p, xrefs: 0378F19F
0o6p, xrefs: 0378F16D
0o6p, xrefs: 0378F1AB
,k2q, xrefs: 0378F0BB

Memory Dump Source

Source File: 0000000E.00000002.1371575326.0000000003780000.00000040.00000800.00020000.00000000.sdmp, Offset: 03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3780000_powershell.jbxd

Similarity

API ID:
String ID: ,k2q$0o6p$0o6p$0o6p
API String ID: 0-3764817192
Opcode ID: b8e9f4780fed3c47b2268b6e158b44666126daf9dd084063d14cf991367345f8
Instruction ID: a61378daec5836be8cc119eef4a23edb25aa22a43cdbfe8aaa10d77f5a3d178f
Opcode Fuzzy Hash: b8e9f4780fed3c47b2268b6e158b44666126daf9dd084063d14cf991367345f8
Instruction Fuzzy Hash: 54E109707502108FEB58FB79981472EB3E7AFC9A14B6944AAD806EF7A4DF70CC418791

Analysis Process: powershell.exePID: 5816, Parent PID: 7600COMMON

Executed Functions

Function 02BFB489 Relevance: 4.0, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

Ycp^, xrefs: 02BFB557
OS\e, xrefs: 02BFB68C
{Ycp^, xrefs: 02BFB6F0, 02BFB6F5

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID: OS\e${Ycp^$Ycp^
API String ID: 0-1101757818
Opcode ID: 6f1cc94d6075463d95e368627e34a471dd4042693074b09d3fa77a8d0fbcc2e6
Instruction ID: 525d7852dc2a1a2af488c723e5d8da9c31b1db72f85552e2afedab7e5c607f1e
Opcode Fuzzy Hash: 6f1cc94d6075463d95e368627e34a471dd4042693074b09d3fa77a8d0fbcc2e6
Instruction Fuzzy Hash: 88917E72F407145FDB19EBB988106AFBBE2FF84700B10899DD116AB740DF746A058BD6

Function 02BFB490 Relevance: 4.0, Strings: 3, Instructions: 252COMMON

Download Yara Rule

Strings

Ycp^, xrefs: 02BFB557
OS\e, xrefs: 02BFB68C
{Ycp^, xrefs: 02BFB6F0, 02BFB6F5

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID: OS\e${Ycp^$Ycp^
API String ID: 0-1101757818
Opcode ID: bd557ba8ba8c39111852f061034ae611889f2d8cb30ad08752b75ea4eaa3259f
Instruction ID: 51c7703fa9d01d61e19859c31f4c97025204c2b0e719dcf9f1827ce782412fc7
Opcode Fuzzy Hash: bd557ba8ba8c39111852f061034ae611889f2d8cb30ad08752b75ea4eaa3259f
Instruction Fuzzy Hash: 4B917EB2F407145FDB19EBB988106AFBBE2FF84700B10899CD116AB744DF746A058BD6

Function 02BFBAC0 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

OS\e, xrefs: 02BFBAE5

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID: OS\e
API String ID: 0-2803859473
Opcode ID: ccbaed0de15e069d1e97ea224d7d06798de7f5eaf355d830c0cb2a348a853455
Instruction ID: 762575731fc8993fe886d67edd910d21929a35747b34fe08801c8f92e7c9922b
Opcode Fuzzy Hash: ccbaed0de15e069d1e97ea224d7d06798de7f5eaf355d830c0cb2a348a853455
Instruction Fuzzy Hash: D9613971E012089FCB54DFA9D984B8DBBF1EF88314F148169E909AB354EB70AC45CB50

Function 02BFBAB0 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

OS\e, xrefs: 02BFBAE5

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID: OS\e
API String ID: 0-2803859473
Opcode ID: e82b9864a53e1582b56a23a7354b8481a26b4035c455bba94fc1d48ddd560c09
Instruction ID: 6532660a4e5de77abbe388fe7d9f7ea6c7cc4e9827538a0bcd8eeff11a42ee13
Opcode Fuzzy Hash: e82b9864a53e1582b56a23a7354b8481a26b4035c455bba94fc1d48ddd560c09
Instruction Fuzzy Hash: 0C5129B1E012489FCB54DFA9D984B9DFBF1EF88314F188069E919AB354DB709846CF50

Function 02BF93F0 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OS\e, xrefs: 02BF941C

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID: OS\e
API String ID: 0-2803859473
Opcode ID: 4d8ffe7d5b963c628c5cfaf75da5b4062312074d2d4f151a600dff62cc100ed8
Instruction ID: 63337f573bdcb06f45c433bf23caa54a3f4e6574897d3fd1145cead1ed1a71b6
Opcode Fuzzy Hash: 4d8ffe7d5b963c628c5cfaf75da5b4062312074d2d4f151a600dff62cc100ed8
Instruction Fuzzy Hash: 5E317AB5901B448BDBA0DF6AD4883DABBE2EB88320F28C49AD55D97205C77454858B61

Function 02BFAF98 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

OS\e, xrefs: 02BFB002

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID: OS\e
API String ID: 0-2803859473
Opcode ID: c197123cbb0088d7c55f18a243c7aebe4d13ed50c7d878327195a97e3e1d1b5f
Instruction ID: 51084216b59e2876482d34b4104ffc20578f461fc61da9a8efb29be651405118
Opcode Fuzzy Hash: c197123cbb0088d7c55f18a243c7aebe4d13ed50c7d878327195a97e3e1d1b5f
Instruction Fuzzy Hash: 0921A176A043588FCB14DFAAD4047AEBBF6EF88320F14846AD519E7340CB759845CBA5

Function 02BF9400 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

OS\e, xrefs: 02BF941C

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID: OS\e
API String ID: 0-2803859473
Opcode ID: 7253d7ba0f1237e8bf616d8edd8e64f6cca5fe1599da02a5a8f940e85d1222fc
Instruction ID: 3226b7efab1110b8b9e7537ec1eea1ce5fdfe3471a88fd08944816be87a0cdb0
Opcode Fuzzy Hash: 7253d7ba0f1237e8bf616d8edd8e64f6cca5fe1599da02a5a8f940e85d1222fc
Instruction Fuzzy Hash: 832168B5A01B448FDBA0CF6AD48838AFBF6EF88310F28C49ED95D97245C7746485CB61

Function 02BFDC90 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

+/cp^, xrefs: 02BFDCBE

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID: +/cp^
API String ID: 0-3901097543
Opcode ID: 359ba33e83b72e0c9228023b16e7473c8c46c50e302c43e5dc914b41292ad3ce
Instruction ID: a9268f71125cc01cef7a4eb0701c280468367c83d3425df63da064bdb1e8e4c2
Opcode Fuzzy Hash: 359ba33e83b72e0c9228023b16e7473c8c46c50e302c43e5dc914b41292ad3ce
Instruction Fuzzy Hash: D7E07D3270061117C201931D640096F6397DFC5630300C46EE10ACB300CFE0DC058BD2

Function 02BFDC98 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

+/cp^, xrefs: 02BFDCBE

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID: +/cp^
API String ID: 0-3901097543
Opcode ID: 023474c25d71c861420e542c362001a2443508af9cc82aaf3482682b352cac81
Instruction ID: 51180132c804e073aa38ab49cbd51e33221084d9f8a954e300269b6bde1fe36f
Opcode Fuzzy Hash: 023474c25d71c861420e542c362001a2443508af9cc82aaf3482682b352cac81
Instruction Fuzzy Hash: D4E0C23270061117C611A72EA80095F77DBDFC5A71310C46EE15ACB300DFA4EC458BE6

Function 07292308 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1441586712.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598540db30c949ee3f2d27d8c1287cb3fe0261be5804c1390863bc5183fa3559
Instruction ID: 2fdac4968718925baad15773c91b55c4f4fa481e56a25c024d4f4eb22e54763f
Opcode Fuzzy Hash: 598540db30c949ee3f2d27d8c1287cb3fe0261be5804c1390863bc5183fa3559
Instruction Fuzzy Hash: 092223B1B20316EFDF249F6884407AAB7E6BF86211F1880BAD405DB351DB71DD45CBA2

Function 07293CE8 Relevance: .6, Instructions: 584COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1441586712.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88f7edcf2abe180e58237cba593695bde84b4e5ba2efa682b8810b81884d800
Instruction ID: 6105f2b7e36ce405582ed2afd32a58abcb4e73c724816cf07ad42b3c94a61076
Opcode Fuzzy Hash: d88f7edcf2abe180e58237cba593695bde84b4e5ba2efa682b8810b81884d800
Instruction Fuzzy Hash: 161249B1B20352CFDF159B6888107ABBBB29FC2211F28807AD545DB392DB71CD46C7A1

Function 02BF29F0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c08df8b9540a44328723f2653f2dea76558c42a30ac19116cc9937e47a2950
Instruction ID: 07d67c5161355b887a061dfc2ce254cd78e4e37a65fd74e4fe85a645ba50676a
Opcode Fuzzy Hash: 29c08df8b9540a44328723f2653f2dea76558c42a30ac19116cc9937e47a2950
Instruction Fuzzy Hash: 9D91AF70A00605CFCB55CF58C494AAEFBB1FF88310B248699D915AB365C736EC91CFA0

Function 02BF7740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c893bd4e8ac6b631f27cfccc13985f6c5d92b4e63aebd90d47f8cfd35132bc9
Instruction ID: 3f905f42a59d93729a6053d94aa65c7412d51edde7792b32b1873469c39b7094
Opcode Fuzzy Hash: 3c893bd4e8ac6b631f27cfccc13985f6c5d92b4e63aebd90d47f8cfd35132bc9
Instruction Fuzzy Hash: DD51AD757042019FD744DB6AD844B6AB7EAEFC9215F2484EAE509CB351DF31EC05CBA0

Function 07293CCC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1441586712.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7290000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2a8aff0ddf1bba3d9deb65357bd2d1ba247b9a16aabcf19b50ddef8c5152f5
Instruction ID: 628997a535cbda94f684f2bf2e2ed6297e68aa4017caece211de9d1e1ddfe9fe
Opcode Fuzzy Hash: 8d2a8aff0ddf1bba3d9deb65357bd2d1ba247b9a16aabcf19b50ddef8c5152f5
Instruction Fuzzy Hash: 984101F1A203438FCF25CB25C5206AABBB2AF84604F1C80BAD9019B393D731DD45C7A1

Function 02BF2C5C Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3358c2b7231e998b27da81e93d7c9d42328a4d3bdb5b10e6582082f77991d36
Instruction ID: e1eb8c5cd12f0d204455c7b61ec8d1f25a73c3c4cf9bfd515607a7c30bf7d956
Opcode Fuzzy Hash: e3358c2b7231e998b27da81e93d7c9d42328a4d3bdb5b10e6582082f77991d36
Instruction Fuzzy Hash: 5A41D07590D7829FD7078B68DCA07D9BFB0EF17224B0942D3C994CF1A3D629981AC762

Function 02BF6FE0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56025454892a415de4ebef03056f2de8a9d3f51fe5b19a3009cc50bc577a44c5
Instruction ID: c4e47699cf7e4931ba95f25e7dbf6cd7bce81982a6a7fba0a49fee15595846f4
Opcode Fuzzy Hash: 56025454892a415de4ebef03056f2de8a9d3f51fe5b19a3009cc50bc577a44c5
Instruction Fuzzy Hash: BA414834A042048FDB58DB68C468AAABBF2EF8D315F1440E9E502AB391DF35DD46DB61

Function 02BF2B00 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0698f83afbcfa1033c88656ffc83d76209e0261983c1d1d0e30a8296daad15
Instruction ID: 283b2c6f3e524665827f3c2a24e468e6c8e2819004beca00d8d5fb959fc072ac
Opcode Fuzzy Hash: 4c0698f83afbcfa1033c88656ffc83d76209e0261983c1d1d0e30a8296daad15
Instruction Fuzzy Hash: 34414974A006059FDB09CF58C598AAEF7B1FF48314B218299CA15AB364C732FC91CFA0

Function 02BFC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb191fc15d3b6a2f53792d2d86f57498aff37e2d7a778b4d0ebf2b84de42667b
Instruction ID: b2a039eb7a4e52031ddf4805dfe385719ea2ec0fd8b98e02eb85ba6b0c18d96b
Opcode Fuzzy Hash: cb191fc15d3b6a2f53792d2d86f57498aff37e2d7a778b4d0ebf2b84de42667b
Instruction Fuzzy Hash: 9931A071301200AFD705DB79E844B9EB7A6EFC9210F048669D60ACB350DFB0A845CBA1

Function 02BF6FD1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a9a138921a3e8535f740215a2d12b550cce4965a4d90ee5fee583f8db574b9
Instruction ID: e5fd24c64c2f485a2189580760ca759ddec4ba5720edafb01cd189f569f9ac38
Opcode Fuzzy Hash: 79a9a138921a3e8535f740215a2d12b550cce4965a4d90ee5fee583f8db574b9
Instruction Fuzzy Hash: 50312834A002058FDB54CF65C998AAABBF2EF8D715F1440E8E902AB791DF31DD46DB60

Function 02BFAE60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace07fa45fb831ad70a9eb48338cb8ec60df0a736e287c1d8804f2aa8f4923bc
Instruction ID: d90ca4bd0b7a0efdec4237e49d42dda00bdee491af9dc4de08694bb003fcb86a
Opcode Fuzzy Hash: ace07fa45fb831ad70a9eb48338cb8ec60df0a736e287c1d8804f2aa8f4923bc
Instruction Fuzzy Hash: 66317CB5B012099FDB48DFB9D4947AEBBF6EF89300F118069E509EB350EB749C458B50

Function 02BFAD3D Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d6409d77b62e186db1f94383dbe8b92af1e4d699a4847bd8a53aff3d5dcae5
Instruction ID: 93472dc0f48e45ab4ae9daf18bf76d906d7b3f54f5eae1aab303c0e1355297c4
Opcode Fuzzy Hash: 30d6409d77b62e186db1f94383dbe8b92af1e4d699a4847bd8a53aff3d5dcae5
Instruction Fuzzy Hash: 2E319CB4A402089FDB45DBB4D954ABE7BB3EF85300F21C4AAD205AB391DE799D01CF61

Function 02BFAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b383fbbe91fdeb177c1a6567a6b8a9e118f3c8ee4d07fe4c07b095eab55da8
Instruction ID: 2d6781c290de3a754ac6314154ec42349c8b28afee70a694c37acccaff395060
Opcode Fuzzy Hash: 61b383fbbe91fdeb177c1a6567a6b8a9e118f3c8ee4d07fe4c07b095eab55da8
Instruction Fuzzy Hash: A6318E71A012099FDB48DF69C4947AEBBF6EF89300F118069E509EB350EB749C458B50

Function 02BFAD28 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac62ce146b60cab6d0160a7df57ced75569a96baeb72b03c84b07f4ae81760d
Instruction ID: 7767c57a2e76ee57c4e92210c6b1c8381c9226e916eed17856c2fa353b1181ac
Opcode Fuzzy Hash: 0ac62ce146b60cab6d0160a7df57ced75569a96baeb72b03c84b07f4ae81760d
Instruction Fuzzy Hash: 0131BFB4A402049FDB45DBA4D954AAE7BB3EF85300F21C4B9D205AB391CE799D01CFA0

Function 02BFAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b168463c9139ddd102810c07ab6b39e037230f9c11d2b316754d166a74cc48b4
Instruction ID: 4d53c468bbebfea0975ac82cfcc737a03533378f2099220b5adf9ec6cf2141c0
Opcode Fuzzy Hash: b168463c9139ddd102810c07ab6b39e037230f9c11d2b316754d166a74cc48b4
Instruction Fuzzy Hash: 90315EB4E402089FDB44EBA4D954AAE7BB3EF85300F20C4B9D615AB394DE759D018F90

Function 02ACF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81f42a11ea73fed62264d6846fd1f012d15375d1fb21af8f58497238147d32a
Instruction ID: 9f30c28f4189559eb0a00db9597a91ae9c2d5d296cea96158727ccea8198bbc3
Opcode Fuzzy Hash: c81f42a11ea73fed62264d6846fd1f012d15375d1fb21af8f58497238147d32a
Instruction Fuzzy Hash: 2121C776504300EFDB05DF50DAC0B16BB76FB88314F34C5AEE9098A656C736D456CBA1

Function 02ACF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c159c0d887c66bf7201ad8f4b4cfcdf48fdab933cf338a90012d4b6a5db836d6
Instruction ID: 547c5379c37e567985939e1f9f90f8d03074232727a6ee3d6ef548f14200ab0e
Opcode Fuzzy Hash: c159c0d887c66bf7201ad8f4b4cfcdf48fdab933cf338a90012d4b6a5db836d6
Instruction Fuzzy Hash: 1D216471504200DFDB14CF20C8C0B26BBA2FB94724F34C56ED80A8BA46DB3AC846CA62

Function 02ACF4CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88a439a14cfa30ce50ba9bce6e114c0acf4c852616ea1204156141cd314ccc0
Instruction ID: ba94a649089a984e0c790cb92b57a4a477001342e7cf9bda64d33160642f5fc1
Opcode Fuzzy Hash: a88a439a14cfa30ce50ba9bce6e114c0acf4c852616ea1204156141cd314ccc0
Instruction Fuzzy Hash: E82108B5544244DFDB24DF14D5C0B25BBA6FB84314F34C56EDA0A8B741CB36D446CA61

Function 02BF767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04cdb19713532dbac3c710a7236f7d0d8258f43d2836e1d8ae6543576e442d9
Instruction ID: d0a878e8483d32106f640ef6987fa86e41cedb55afcbb159afea9a0bef7f6dd6
Opcode Fuzzy Hash: f04cdb19713532dbac3c710a7236f7d0d8258f43d2836e1d8ae6543576e442d9
Instruction Fuzzy Hash: 2E111C7A700118CFCF04DBA8D940ADDB7F6EFC8225B1440A9E909EB714DB31DC558B90

Function 02ACF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction ID: 6f0b8c97aef0bf8dc7bab3d8f369afeb4929d5141a16f9d241eed82aa5318119
Opcode Fuzzy Hash: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction Fuzzy Hash: EF218C76504240DFCB06CF10DAC4B16BF72FB88314F28C5AED9498A656C33AD56ACB91

Function 02ACF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction ID: 5885a4abb7c7984eef200220ea6c4ee47c9e83bd9885b58f4654ef54ca42b55f
Opcode Fuzzy Hash: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction Fuzzy Hash: DB118E75504280DFDB15CF14D5C4B15BF62FB44624F38C6AED8498BA56C33AD44ACB51

Function 02BF79C2 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e8a043fbac5a8c37ee556e65deded5ffdfaf9086f13d30257f5ef8fa5c5229
Instruction ID: 0fcf50549be3dc490d8a7f546c94ac558e51e28efb590582a397e37017678b97
Opcode Fuzzy Hash: e4e8a043fbac5a8c37ee556e65deded5ffdfaf9086f13d30257f5ef8fa5c5229
Instruction Fuzzy Hash: 04014C717043445FCB61CB79AC10A7FBFF9EB8A621B0045EDD54AC7241DE319D0587A1

Function 02ACF4C7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e69e57f9eb22a0ee7b7977b6bf74a2b8b9dcf83114222207a56fa92b8877d1
Instruction ID: 13914e12d31a4783dfa3a6782d0340963381f86cde2633ce904fae8183d7e555
Opcode Fuzzy Hash: b9e69e57f9eb22a0ee7b7977b6bf74a2b8b9dcf83114222207a56fa92b8877d1
Instruction Fuzzy Hash: 3E11BCB5504284CFDB25DF14D5C4B25BBB2EB44314F34C6AEC9498BA52C33AD44ACB92

Function 02BFBCE0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956b8e15988792db331cd22be1eb9f23777dd7afa390e4a1e9e15307bedf85d5
Instruction ID: ec946acf08935ec4ba9e6c37a40ad174e482e1b7cba244d73521025ecd53b142
Opcode Fuzzy Hash: 956b8e15988792db331cd22be1eb9f23777dd7afa390e4a1e9e15307bedf85d5
Instruction Fuzzy Hash: 4E01F1326083449FD724CB29C594B6A7FE0EF49210F1484EED08ACB6A2CB20EC49C701

Function 02ACD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0bb415d27e0e014d05cd3ab395e2b3c980da4ba0e4b49e6b2638b6f0e3132e
Instruction ID: 48029d7870e0a0e4d9b4e343a4974b28d941b232844501eb29b20d19f525c7c9
Opcode Fuzzy Hash: 4f0bb415d27e0e014d05cd3ab395e2b3c980da4ba0e4b49e6b2638b6f0e3132e
Instruction Fuzzy Hash: E5015E7240E7C09FD7128B258D94B62BFB4DF43224F1D80DBD8898F2A3C2695849CB72

Function 02ACD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd35ac8ff768b6d3837c69b7e6f0af39eba5dad3d931a84e3777bea750a12a8
Instruction ID: 108fcf8684c9adec3c72162f4bfe07a138a2d4a9e5cc8ae3d541101a0d0a0f28
Opcode Fuzzy Hash: 9dd35ac8ff768b6d3837c69b7e6f0af39eba5dad3d931a84e3777bea750a12a8
Instruction Fuzzy Hash: 5901A7714047409BE7204F19DDC4767BBE8DF42274F28C47EED4A1B242CB799541CAB2

Function 02BF7958 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a3227f06b5bd8e2b10e76ac61ffe1e36041b49677a796e2c892ccc026ff905
Instruction ID: 24ade86dee640c2cb63949d81cbda7125adef2db5a239b3f49c1215b45846759
Opcode Fuzzy Hash: a0a3227f06b5bd8e2b10e76ac61ffe1e36041b49677a796e2c892ccc026ff905
Instruction Fuzzy Hash: E9F0F6716057505FC72187799C409AF7BF9EFC9A31B004AAEE14AC7641CE645C4A8BB1

Function 02BFBF10 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceba42bcf5b89043013330a8dc7ec1694f1bb2338232c156c3e29122f3cab350
Instruction ID: cb01b03fe84869eea6ad188508e0ea6bef3db62d962ca1864ad85df15b9a1d00
Opcode Fuzzy Hash: ceba42bcf5b89043013330a8dc7ec1694f1bb2338232c156c3e29122f3cab350
Instruction Fuzzy Hash: 75F0F6327082616FD7008A6ADC549BBBBEDEFC9620B04447AF945C7351CA70CC048AA0

Function 02BFC352 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac2b05490469320f196de8638a6c53f822df76276c6e5aefef77ee684e09a33
Instruction ID: 0914fa8362e175d395032c5872618cceccee5229285209558a04d4e484291f48
Opcode Fuzzy Hash: 9ac2b05490469320f196de8638a6c53f822df76276c6e5aefef77ee684e09a33
Instruction Fuzzy Hash: 0101AD2220E3C05FD317C7349860B9A3FB09F8B314F0A40EBC5C9CB2A3D9299849C726

Function 02BFC4C0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e1b23e609507ebff88b9355c3db94dd7c41a19b6f9c8cb5acae0deac34cd81
Instruction ID: d91cf134692f376b7d8a7bbbd2f973ef4df20e7920485de3f43bb3a969c85ebf
Opcode Fuzzy Hash: f7e1b23e609507ebff88b9355c3db94dd7c41a19b6f9c8cb5acae0deac34cd81
Instruction Fuzzy Hash: 17F0BB721012046FC704E625E9409AAB796FFC1724760C57ED1098F611DF71AC49CBE1

Function 02BFBF18 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dd248b56402cae6f965e5a04c4027b9c214c6c75bffd8b27359f99d5cfb62b
Instruction ID: a74ded465ae1544a85e326d56e93dc4020be4090bec935bf681e24499f8f6ed3
Opcode Fuzzy Hash: 13dd248b56402cae6f965e5a04c4027b9c214c6c75bffd8b27359f99d5cfb62b
Instruction Fuzzy Hash: B0F0BE327082616FD7108A6A9C84ABBBBEDEFC9620B0540BAB945C3351CA70CD048A60

Function 02ACD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8593612f96670495cacfca1dce34ce32b73053e701c27e7e5afaeecb2b1cde2
Instruction ID: 05210565199ac5bd879fb2661843498f53d194e2661d12160bee7ab52f956349
Opcode Fuzzy Hash: f8593612f96670495cacfca1dce34ce32b73053e701c27e7e5afaeecb2b1cde2
Instruction Fuzzy Hash: F4F0E776200600AF97249F0AD985C26FBA9EBD4674719C5AAE84A4BB52C771EC41CAA0

Function 02BFCB52 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6182a3fec4d42638ba3b1349c46aae1e31c2c987156ff39a752145b2043dec0
Instruction ID: 7242404cc4760bc391185e7b1740a598d628f37d310f596eac405c6189a80ac8
Opcode Fuzzy Hash: c6182a3fec4d42638ba3b1349c46aae1e31c2c987156ff39a752145b2043dec0
Instruction Fuzzy Hash: B1F05C723453002FC205922DAC904AEBFEEEEC267035484AFC14BDB900CE706C46C7B2

Function 02ACD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1411722669.0000000002ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2acd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12011bf372d3823d070f4ce38a3bfa7b6a288e73466319ad70de491f62c2af42
Instruction ID: 564f291ab97caac9787bd43b6f14a286eeb8e238c1300936ce92038fd4c9dff5
Opcode Fuzzy Hash: 12011bf372d3823d070f4ce38a3bfa7b6a288e73466319ad70de491f62c2af42
Instruction Fuzzy Hash: 3BF0F979100A40AFD725CF06CD85D23BBB9EB89624B29849DA85A4B752C771FC42CF60

Function 02BF7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40a63ed98030c05484b333d8b98f652d58a942d9b0160b1bc9559dce21a1454
Instruction ID: 93d16f1ee9d23e113e2a1210ea91fae793a9d25a9e28aac6b99e20bef9b7c5bc
Opcode Fuzzy Hash: e40a63ed98030c05484b333d8b98f652d58a942d9b0160b1bc9559dce21a1454
Instruction Fuzzy Hash: A5F027317002149FC7249659EC40A6FB7EAEBC8731B00442CE20AC3700CF70AC0587E0

Function 02BFC4D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03616d224c5d3989fa4b65078707ba846484cf9b78768e6c86aa8af2d47ac5b1
Instruction ID: 0dc1442fd2c80f2cdf7cb566fe3d233465fd0ddaeff8d34e5671bab38a477d77
Opcode Fuzzy Hash: 03616d224c5d3989fa4b65078707ba846484cf9b78768e6c86aa8af2d47ac5b1
Instruction Fuzzy Hash: 53F082722002046BC704A629E94095BB79AEFC2664B50CA7ED1098B714DE72BC05CBA1

Function 02BFC4C8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0932d6ac20f6c08329f66bad76c3c4161ed89900eaf32e8db6d0a5bd4cbc85
Instruction ID: db8bb418247077ecdb533db628e15649d56df482c303f671018db9331a7be4c9
Opcode Fuzzy Hash: 8e0932d6ac20f6c08329f66bad76c3c4161ed89900eaf32e8db6d0a5bd4cbc85
Instruction Fuzzy Hash: 14F027B22002006FC704A728E54096BB3A7FFC2324750CABEC10A8F714CF71AC06CBA1

Function 02BFDCD9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186c4d14c2e36f112fe80d6c73d0a31cc55e1df84980f4c6db10a4274019876d
Instruction ID: b59e2f547cef0ffea420a99b9cd4afc4c76d6fff211bca868b659f63b13fed4b
Opcode Fuzzy Hash: 186c4d14c2e36f112fe80d6c73d0a31cc55e1df84980f4c6db10a4274019876d
Instruction Fuzzy Hash: D5E0613670000557CB48855DF8004FCB769EBC8221F0080BFD61997740DB72581AC2F1

Function 02BF90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a423745a5c0fc4020680828dd0a5b5885a7d335e6fef422f3b3197dfdd3b8881
Instruction ID: 9a4126ac4404401e20b312692e6d339fb6d4111953c701373e7f246df8bbbcde
Opcode Fuzzy Hash: a423745a5c0fc4020680828dd0a5b5885a7d335e6fef422f3b3197dfdd3b8881
Instruction Fuzzy Hash: 1EF027F97441045BE744AB69C0153EF7BA7EBC0319F20816EC91947784CE352806CBD0

Function 02BF90E0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d6ecacaff4841c8fae7c8a83108d04c6d25aec4ac15e2194e20d93e4bf0897
Instruction ID: bd831c9ea6842758af86c4f2fe0354b7411258f3a21468d65e5485d69c583ecc
Opcode Fuzzy Hash: 11d6ecacaff4841c8fae7c8a83108d04c6d25aec4ac15e2194e20d93e4bf0897
Instruction Fuzzy Hash: 00F027F97441045BEB54AB39C0153EF7BA3EBC0319F20C16EC91A57788CE352806CB90

Function 02BF9158 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad97292121f96b3743bb1c4cc23d9a5c1788e36af3b80195f19bac2019ff50be
Instruction ID: a113966148db0596b03edd7c2895277bd8545a26a44df13ac399e9a3fe250862
Opcode Fuzzy Hash: ad97292121f96b3743bb1c4cc23d9a5c1788e36af3b80195f19bac2019ff50be
Instruction Fuzzy Hash: 17F08CB5902300ABD7609B79E49C3EA7BEAFB40321F00446AD21ED6240DB3969C58B90

Function 02BF7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63fa16f3f2927725a87e07daa5181eb0a2def7bde72392fb6672d7f9750612db
Instruction ID: d62f68a49505df91f16e82d5fbf81d6717908fea066bf7d77891e9833ef5b5e7
Opcode Fuzzy Hash: 63fa16f3f2927725a87e07daa5181eb0a2def7bde72392fb6672d7f9750612db
Instruction Fuzzy Hash: 30F0A0397002188FCB10CB6C9900B9AB7A6EFC9755B1541D8E909DB310DF70CC068B90

Function 02BFDE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17fa0eb3d5779bd34ba71e2b61cb04bb39ccfd411f33234f1f18913a824b4ed
Instruction ID: 91f0426b9aaa0371ddc33585915d87cf145b5787656b3aadc34a0cddeee93092
Opcode Fuzzy Hash: f17fa0eb3d5779bd34ba71e2b61cb04bb39ccfd411f33234f1f18913a824b4ed
Instruction Fuzzy Hash: F7E0E5353002118F87109B1DD498D66B7FAEFCE66531910A9E649CB735DB61EC01CB90

Function 02BFC384 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa739bbaf7ff6117bcec0df2114ba7919ac05c1761b94606b69356b54a9d735
Instruction ID: c1e2f4f976797dabb2964bb38df7353b1c4b3ad8636fac39804b62cad8c6eced
Opcode Fuzzy Hash: 0fa739bbaf7ff6117bcec0df2114ba7919ac05c1761b94606b69356b54a9d735
Instruction Fuzzy Hash: 44E0D8363052005FC314C67AA854E6BBFE6DFC9360F1880BEDA49C7392D9718845C750

Function 02BF8969 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815e6cae065d2baddcb88e5466d30cf0a4707dc1ba80ad6f7f5507efb41df6ce
Instruction ID: 969806b322e98780337592870f5f696586f05050b676aad3f1cf7feaf95b8012
Opcode Fuzzy Hash: 815e6cae065d2baddcb88e5466d30cf0a4707dc1ba80ad6f7f5507efb41df6ce
Instruction Fuzzy Hash: 55E0653570A2905BC70A2735681C2AD3F66AFC5725F05009BD70597282CF2D190587D5

Function 02BFCB68 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7024456a43c5cc2eafe1bc0a41cc2ece5efc59bad14522a4aa3ce5b35ea0b0e
Instruction ID: e937a326aaa2799d503ec3e944aac6249c6a6ddc195a27707c07dd87284ab156
Opcode Fuzzy Hash: d7024456a43c5cc2eafe1bc0a41cc2ece5efc59bad14522a4aa3ce5b35ea0b0e
Instruction Fuzzy Hash: 87E0D8727403002B8115A25EAC5052EB79FEEC56B0364C82DC10F97600DEB06C0187A2

Function 02BFCB60 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae825e3d3ba0e0c6cb3b962b844bfd1ba2b273c29367adb8322e9fdfb676d2d
Instruction ID: 249a253a7bd83d2a370399747ddbc46c6bd86571b9c51efce303efaf33e26e55
Opcode Fuzzy Hash: 1ae825e3d3ba0e0c6cb3b962b844bfd1ba2b273c29367adb8322e9fdfb676d2d
Instruction Fuzzy Hash: 64E020B27403002F8115E22DAC9056EE79BEFC56B0364C96DC10F9B600CE706D458762

Function 02BF8975 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e77d078084b4e156f922336068037a5de0570c6c139dc39dec1621687f1d08
Instruction ID: 6f6659315a30c88cccfa88e1a331f1ca3a738bc5a1c73ced1893001ed3097efe
Opcode Fuzzy Hash: 01e77d078084b4e156f922336068037a5de0570c6c139dc39dec1621687f1d08
Instruction Fuzzy Hash: 25E0923570651467CA082B76A80C2AE7B5BEBC4722F04006AE70583241CF39280547D5

Function 02BFDCDD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7791dfbb6698407d44bba905aaf0e3baddfe94ca5bed35033400dc185de9067e
Instruction ID: 730e778b8a78edad2616e3b5464e21c3eea7cca837de83423f2bdef698be412e
Opcode Fuzzy Hash: 7791dfbb6698407d44bba905aaf0e3baddfe94ca5bed35033400dc185de9067e
Instruction Fuzzy Hash: E6E02636B00014A7CB488969E8004EDFBBAEFCD220F0080BFDA0AA7740DE725819C7E1

Function 02BF9168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fce8803f7cba6fcc766647f69108379600b81d3330561f4bb71ff07371fffd8
Instruction ID: 310bd4149c0cb811351f12e0c414a6322e61a2ba8cbaed33a7c57c2f272990a5
Opcode Fuzzy Hash: 1fce8803f7cba6fcc766647f69108379600b81d3330561f4bb71ff07371fffd8
Instruction Fuzzy Hash: BFF06D709013049FD7649F79D89C39B7BEAFB44310F004469D21ED3340DB3968848B90

Function 02BF9160 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d36eff1ac68639c34d643aee6417e41de4f49bd36fe5792d9b8aa91242b4495
Instruction ID: b261b672bef30b1acbd0e51b0a217e43fd489fac7ee860f1d00224d548f5552b
Opcode Fuzzy Hash: 8d36eff1ac68639c34d643aee6417e41de4f49bd36fe5792d9b8aa91242b4495
Instruction Fuzzy Hash: 61F039709027009BD7A49B79D49C39A7BE6FB44311F004869D25ED2240CB3969848B50

Function 02BF8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65039ecc7e79564acbf22237c5cce42c3f27f8de7888dd22ae896755e6c2b42a
Instruction ID: cee0cda6242e8b332923037416c7ccfb2632c1da54e524e4c4f0374a533bfa9b
Opcode Fuzzy Hash: 65039ecc7e79564acbf22237c5cce42c3f27f8de7888dd22ae896755e6c2b42a
Instruction Fuzzy Hash: B3E04F35706614ABCB093B7AA81C2AE7B9BFBD4725F04006AE70683381CF79690587D9

Function 02BF9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfe02543d811e115bf2e0131abe3bf0ba0a88e9418754174e213bf0bfe7f4e3
Instruction ID: de5ecd83db81311400cdee58fc6ab9b981efb132fe5ecdc6eceec4ed5ced2fdd
Opcode Fuzzy Hash: bcfe02543d811e115bf2e0131abe3bf0ba0a88e9418754174e213bf0bfe7f4e3
Instruction Fuzzy Hash: CAD05E927026292705D4A0BE19007BB91CFCBC45A470500FEDB09C3242EE50DC0A47E1

Function 02BFDCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 2bde34746ff8d2c10056380d4afe706fb5f9b2451557b05a654284f0f16cb7c2
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 99E08635B1001497CB489959D4104EDFBAADBCD220F0480BADA0AA7340DA325919C6E1

Function 02BFDCE1 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ff5509d489d8a3db8522b4ba6d5e6bd6ab6bab5dbf24111e60aac976dc5a84
Instruction ID: 7cee3683f9a54659ea5443a8c873d26d4200b04634d4dd502c73ac978258f704
Opcode Fuzzy Hash: e4ff5509d489d8a3db8522b4ba6d5e6bd6ab6bab5dbf24111e60aac976dc5a84
Instruction Fuzzy Hash: 82E0CD35B1001497CB4C8958D4104FDF776EFCD210F14C4BFDA0AA7340DA725919C7A0

Function 02BFF3C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5075272de1ddae85036b8adf95c4c629bb956aa9c4c57b59e45c101dcd7f7df6
Instruction ID: 2fb21cea304eff9ec6820bc4fc84748441f0dc6a4917a58d03a1c60528ee7244
Opcode Fuzzy Hash: 5075272de1ddae85036b8adf95c4c629bb956aa9c4c57b59e45c101dcd7f7df6
Instruction Fuzzy Hash: 9CE0C271D001598FCB80DFA8C99166AFFF0FB4A200B1581EAC949EB615E6316A11CB92

Function 02BFC590 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e460df4ede60b43898f4173032625c329ac5cbf8269e85ff7159766487b100
Instruction ID: ea04979dd4c5e16e08c04d4171f43c3492a17b68758ca2220950d758da51b085
Opcode Fuzzy Hash: 93e460df4ede60b43898f4173032625c329ac5cbf8269e85ff7159766487b100
Instruction Fuzzy Hash: 36D0A7323020107B8204635EB40A859B7DEE7CAA71308007AE60EC7380CE25BC0187D5

Function 02BF8808 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f3f48e54b765cc8834c271fc80b31966d41a4f4e6de17552f504ab024b14f1
Instruction ID: c4eaf1eae24b9a33242aa5ecbfc1a796a844d2fcd2c73d82eae59764eb934b2c
Opcode Fuzzy Hash: 52f3f48e54b765cc8834c271fc80b31966d41a4f4e6de17552f504ab024b14f1
Instruction Fuzzy Hash: 6AE0EC39A0920A9BC758DB65E48B4AABFB8A745205B008155EE09A7740EA306855CBD5

Function 02BF8806 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b36061d956ef2409631ce52db1055ba396ee2ba48d001ce85815d1ed50554c
Instruction ID: 0b13a05ff6a5e7461037b85a7371eef18f60366773fa262d67679d076f892bd6
Opcode Fuzzy Hash: f5b36061d956ef2409631ce52db1055ba396ee2ba48d001ce85815d1ed50554c
Instruction Fuzzy Hash: FDE0123590920A9BC758DF65E4474BDBFB4E745200F0081A5DF0593740EA306845CBC1

Function 02BFF3D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 696b3da47fa0912470e38754131ce7f77df61a1e7ec7a13c590d0ea6a0c2c925
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 1BD067B0D042099F8B80EFADC94156EFBF4EB48200F6485AA8919E7341E7329A12CBD1

Function 02BF873C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd07a9346095284810e2904cecab11ebf486ba38e4aad0e9aeccf6c28bbfb310
Instruction ID: f34385801b3f071fe8d17ab1ac5da0a0800c1ff819cba0b8da2a9671492d1cf9
Opcode Fuzzy Hash: cd07a9346095284810e2904cecab11ebf486ba38e4aad0e9aeccf6c28bbfb310
Instruction Fuzzy Hash: 8CD06231D06009DBCB48EBA5E45A5FD7F34FB54301B404199DB07A2590DA351A5ACF91

Function 02BF8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4de16b23867f3ec60b50f8f626d1c9ee0e594823a03eef603021bdce9f063e6
Instruction ID: 389cd34189c75fd98fe2370fb1cba6cf23788917e54d189d929700bfa80cc03e
Opcode Fuzzy Hash: f4de16b23867f3ec60b50f8f626d1c9ee0e594823a03eef603021bdce9f063e6
Instruction Fuzzy Hash: ACD06731D06109DBCB08ABA5E85B4FDBB78FB54301F4041A9DA0762590EE352A5ACBD5

Function 02BF8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187cd5bc23496ce059da3aa2c669551121d5ce9603c31f29a637c6f80df89a0e
Instruction ID: 52afe31939c645f85b44deca85c730d5f976d27a78f0214653b8d30a13f2b33d
Opcode Fuzzy Hash: 187cd5bc23496ce059da3aa2c669551121d5ce9603c31f29a637c6f80df89a0e
Instruction Fuzzy Hash: A4D0123490920A9BC748DF65D44646DBFB4E745200F004155DE0593340EA306801CBC1

Function 02BF7932 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4342fa48cbad1719af5d5de5e9cb8160b4432c12335f7f7b3b8c3c7263f38a60
Instruction ID: d2215b0a3521c7e794fb7622d56cf60a034629b1583e289f73dd00a936f0ef07
Opcode Fuzzy Hash: 4342fa48cbad1719af5d5de5e9cb8160b4432c12335f7f7b3b8c3c7263f38a60
Instruction Fuzzy Hash: F9D0227100C3C48FC7CA0B7188340503F38FF8B20979208DEE4498B1B3C921A90DCBA4

Function 02BF7EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ff65d122eb102d839177186271d5d173c22d662b1736524e4350ad0251e518
Instruction ID: 14c171215fa951fab9320f5c3ed582062186755689ac3d21673983a42407b1af
Opcode Fuzzy Hash: 00ff65d122eb102d839177186271d5d173c22d662b1736524e4350ad0251e518
Instruction Fuzzy Hash: 51C09B659393801FEF4292310C6A1553F71D7A3D157474FD2D851EB162D815C80FF761

Function 02BFDC88 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a0f6545c8644ac56064d78b15b5787750082f33310cb272f71ce0ce30a0bbe
Instruction ID: 9372ba85ed553e3771b5dbcab86fa07ccfe7b882114cf0fdffaecce546092629
Opcode Fuzzy Hash: 47a0f6545c8644ac56064d78b15b5787750082f33310cb272f71ce0ce30a0bbe
Instruction Fuzzy Hash: F0C04C2F669416D389855895BA015EDAB1AD6C61B670404F3D7165581413A2026C89E3

Function 02BF7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1412396571.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2bf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a272c63a1443d06bd3b8bf582a07656574044cbebed5c8da4aaa6345089b36b2
Instruction ID: 13d52427ebdb5c2d889ef43f75c3676dcfd7c311ca4371a85591a0320f895300
Opcode Fuzzy Hash: a272c63a1443d06bd3b8bf582a07656574044cbebed5c8da4aaa6345089b36b2
Instruction Fuzzy Hash: BDB09B300447088FC2585F759414414771DBB4031574004DDD41E066568E35D444CB84

Analysis Process: powershell.exePID: 3276, Parent PID: 7600COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04A9B490 Relevance: 2.8, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Yyn^, xrefs: 04A9B6F0, 04A9B6F5
Yyn^, xrefs: 04A9B557

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID: {Yyn^$Yyn^
API String ID: 0-2351100980
Opcode ID: e209406a3f2b74ff0c295dfb3cf7fdeb0b6749d9c488a77cb0d0b2d528c5308e
Instruction ID: 57aa7cac5b25b2fea059163ea46177256e472a6553202a66857ddce748f77374
Opcode Fuzzy Hash: e209406a3f2b74ff0c295dfb3cf7fdeb0b6749d9c488a77cb0d0b2d528c5308e
Instruction Fuzzy Hash: 09916F75B407145FEB19DFB98810AAE7BE2FBC4700B408959E166AB340DF34AE058BD6

Function 08B36821 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(F270085F), ref: 08B3688A

Memory Dump Source

Source File: 00000013.00000002.1520288530.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_8b30000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 262c0b45cb7a8da88f81a5e8ca871b00931b23f89829656f0730a68d01c59260
Instruction ID: 8d6b12e3db270b2dbd9194b767f9a046836c99edb9bbaaeb6eab07f3ae6ddcef
Opcode Fuzzy Hash: 262c0b45cb7a8da88f81a5e8ca871b00931b23f89829656f0730a68d01c59260
Instruction Fuzzy Hash: 781146B59003088FCB10DF9AD484BDEFBF4EF49320F24842AD519A7610C7B4A844CFA4

Function 08B36828 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(F270085F), ref: 08B3688A

Memory Dump Source

Source File: 00000013.00000002.1520288530.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_8b30000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: d498d27465efbdf2750a331290ca249c5c5fbaff4b46d9c7b7a706afdb6fb88c
Instruction ID: fb5df397bba67422f30e6357965c23fe0da4e767aff02121a37352969fa2e558
Opcode Fuzzy Hash: d498d27465efbdf2750a331290ca249c5c5fbaff4b46d9c7b7a706afdb6fb88c
Instruction Fuzzy Hash: 941113B59003098FDB10DF9AD884B9EFBF8EB49220F24841AD418A7210D774A9448BA5

Function 079C2308 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1515357975.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_79c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4581ecf41b9a80f95258ba62a46c6283e3aaef0bb1d3654198fa82dc37834e1b
Instruction ID: eee6c47d1d9ccd2aa85287789d4b2e8392047f4a7340e1bf137d77ea077542e9
Opcode Fuzzy Hash: 4581ecf41b9a80f95258ba62a46c6283e3aaef0bb1d3654198fa82dc37834e1b
Instruction Fuzzy Hash: 7C2221B1B003068FDF24DF6888417AAB7EABF86218F1480AED505DB351DB75D945C7A2

Function 079C3CE8 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1515357975.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_79c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43971158bf8ad036b3f30f312e99c6d9862b539a77d0be191b71e0d05b8f9f14
Instruction ID: 5acb5865741b487da8d16d91929be5bd718dc57ffef23b56d95f7e95ad22b1ee
Opcode Fuzzy Hash: 43971158bf8ad036b3f30f312e99c6d9862b539a77d0be191b71e0d05b8f9f14
Instruction Fuzzy Hash: FB1247F1B003528FEF15CB68881176ABBBA9BD2219F14846ED542DB3A1DA31CD45C7A3

Function 04A929F0 Relevance: .2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb321ef8d42bff782d9d98e18785412f965cad0f6879bdb4d38ee9e6bceb2f2
Instruction ID: 787c2104596971de676d3bcadc40ee1f6af08125e74239cae7769fe1e2fb0ab8
Opcode Fuzzy Hash: 3bb321ef8d42bff782d9d98e18785412f965cad0f6879bdb4d38ee9e6bceb2f2
Instruction Fuzzy Hash: 0E91AA75A006059FCB15CF59C494AAAFBF1FF88310B248A99D915AB361C736FC91CFA0

Function 04A9AC1F Relevance: .2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b517237f27b698e2589aab68e3a0cee0bfd85f63b7a512f198c15eb0dc86b1eb
Instruction ID: 1a8ea9df780e37a6b7e6d4544a33adb47a3cd182b8f0e33759fb1b587b9cf59e
Opcode Fuzzy Hash: b517237f27b698e2589aab68e3a0cee0bfd85f63b7a512f198c15eb0dc86b1eb
Instruction Fuzzy Hash: 3F61AF75A043489FDF02DFA8D844AEEBFF1FF49210F1480AAE554AB252C635AD41CBA1

Function 04A97728 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8145e52534dfbb81c6f16386c142151a8ae1046eb6825928a7baef587895b07
Instruction ID: 9192c808d78b9a0a663218b9d0554a37a0003d5c6a61c74f45fec103406d70e4
Opcode Fuzzy Hash: e8145e52534dfbb81c6f16386c142151a8ae1046eb6825928a7baef587895b07
Instruction Fuzzy Hash: 1251ED78314200DFDB05DB69D844B2BB7EAFFC9214B1588A9E509CB352EB31EC45CBA0

Function 04A9BAC0 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8a86dad2780554eb8e7206bb5481d63bbb75769e62d8defc6977a58ebe5d97
Instruction ID: 954188c9b4d638f400931f036c654ec35418bad6fe0964ba152c7c5009a934dd
Opcode Fuzzy Hash: bc8a86dad2780554eb8e7206bb5481d63bbb75769e62d8defc6977a58ebe5d97
Instruction Fuzzy Hash: 76610575E002489FDB14DFA9D984B9DBBF1FF88310F14812AE819AB254EB74AC45CB60

Function 04A9BAB0 Relevance: .2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee20d01ed0b62b026b4f01433635cf62fba937c4a1fa156196ccdb6018864b7b
Instruction ID: 5ffcb1fa6803925509fa1da8272f681839862e272bc17af556136ec7f8027f6e
Opcode Fuzzy Hash: ee20d01ed0b62b026b4f01433635cf62fba937c4a1fa156196ccdb6018864b7b
Instruction Fuzzy Hash: 10511875E002489FDB14DFA9D984B9DBBF1FF88310F14802AE819AB354EB74AD45CB61

Function 079C3CC4 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1515357975.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_79c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474fa6b8c7c5bc2eae6584bedd91012614f7b18a8cb2cec9e42a547d8fa8ff21
Instruction ID: 98285fe75054e22059cfb526a984594a14b6f735eb57dce02366f410d693a5c0
Opcode Fuzzy Hash: 474fa6b8c7c5bc2eae6584bedd91012614f7b18a8cb2cec9e42a547d8fa8ff21
Instruction Fuzzy Hash: D34125F0A10202DFDF20CB148501AAA7BBA9F8124CF05C49ED901AF3A5D731DD49C7AB

Function 04A96FC8 Relevance: .1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbceb9f712d44d11cb839b658d70d9adc9d3c5cae6d56126e8b34b37a0e5945
Instruction ID: e268ccaea094c0494f825af3048e337b6e2b26c83939e6f858ab1490ea212223
Opcode Fuzzy Hash: 8fbceb9f712d44d11cb839b658d70d9adc9d3c5cae6d56126e8b34b37a0e5945
Instruction Fuzzy Hash: E7414834B14204DFEB18DFA4C458AAEBBF2AF8D315F148499E506AB391DA35EC01CB60

Function 04A92B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ed7650cd459f6aeb095a988cfbb903d179cb463f69d83f5156c7d9dcd0c805
Instruction ID: f679f34275f48eb4f71ab73013f6d51570b3c62ec841d247a302bf93712a0c29
Opcode Fuzzy Hash: 19ed7650cd459f6aeb095a988cfbb903d179cb463f69d83f5156c7d9dcd0c805
Instruction Fuzzy Hash: A841F879A00605AFCB09CF59C498EAAF7F1FF48310B158999D915AB364C732FC91CBA4

Function 04A96FA0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8544c53a04c249429d07d264855cfc73eb4e5fefb86b1f9d1f1e6d496a08538b
Instruction ID: be2cf228a923c1660ad586666da1af5af2d9859926a300f627ae3ed3bce619fc
Opcode Fuzzy Hash: 8544c53a04c249429d07d264855cfc73eb4e5fefb86b1f9d1f1e6d496a08538b
Instruction Fuzzy Hash: BA416E34A14244DFDF16CFA4C558AA9BBF1EF8A314F1480A9D545EB3A1DB75EC01CB60

Function 04A9C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988fad325b22a8f616eea97cb8592465cf3ab30ec4b81c8f06eabfd5f861043c
Instruction ID: aed607286d4111785092d1796d25b536a2f9256dc47ef8661312f01500bc5a53
Opcode Fuzzy Hash: 988fad325b22a8f616eea97cb8592465cf3ab30ec4b81c8f06eabfd5f861043c
Instruction Fuzzy Hash: 06318B353006019FD719EB78E854B9EB7E6EFC9261F008529E64ACB351DFB0AC45CBA1

Function 04A9AE60 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae93ade74d50d45d738de080b37f20fe1aee6963dd6b1b0c2c08a395107a185
Instruction ID: 56ee90ae05a7ef0778a314689294be50cfb5925a85943a46c48e574552e35177
Opcode Fuzzy Hash: bae93ade74d50d45d738de080b37f20fe1aee6963dd6b1b0c2c08a395107a185
Instruction Fuzzy Hash: 14314A70A006499FDF18DFA9D594BAEBBF2AF88310F14802EE405EB294EB749C458B54

Function 04A9AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f668f730cfcb43d40932a5d849af3da30685d1b80b6e9951c0027ae5e5aa6a
Instruction ID: b530a0198f3ea3a272b6a012d78819d0c30189f1c7e28f2a9240ea0b914a58b5
Opcode Fuzzy Hash: 79f668f730cfcb43d40932a5d849af3da30685d1b80b6e9951c0027ae5e5aa6a
Instruction Fuzzy Hash: 103192B8A003449FDB01DBA4D854AAE7BB2EF89300F1184ADD215AF396CB35AD418F50

Function 04A9AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713766a18780cdb7d8a4ccfef014d5b97b1cb1b8c20484ca13f72eecf890c54b
Instruction ID: 856641955b71f021b500b09bde4e07fd83fb67395d6de3231c315f58758411ab
Opcode Fuzzy Hash: 713766a18780cdb7d8a4ccfef014d5b97b1cb1b8c20484ca13f72eecf890c54b
Instruction Fuzzy Hash: E3314C70A006499FDF18DFA9D5947AEBAF6EF88310F10802AE405EB390EB749C458B64

Function 04A9AF98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3611b2f1c8e459a95c1ecd7d9465e12b3f4a8ea6fa5bbe0fb68c7bfbc44b4f8a
Instruction ID: ff4315a2824493ed1607222562f2d0e14f552a7b372a997cc05fc4d3be6e6990
Opcode Fuzzy Hash: 3611b2f1c8e459a95c1ecd7d9465e12b3f4a8ea6fa5bbe0fb68c7bfbc44b4f8a
Instruction Fuzzy Hash: E121D175A043588FDB24DFAED40079EBBF6EF88220F14846AD418E7340CB75A8458BA5

Function 04A9AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0c8cbb423239f20b3feb62fbd1fc43aa5ff4a953c88579b4ac51bd13c840d5
Instruction ID: b9c56431f8d83705769a5ffe2aa6233d146cd5a93447267812314cea833ac66a
Opcode Fuzzy Hash: 9d0c8cbb423239f20b3feb62fbd1fc43aa5ff4a953c88579b4ac51bd13c840d5
Instruction Fuzzy Hash: 683132B8A007089FDB04DBA4D854AAE77B6FF88300F118469D615AB395DF35ED018F90

Function 031FF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1480435872.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad45fb7e2156161af7410a0d0fee09072007d36f8b606792f07637c3771c0ad3
Instruction ID: 663ef52193fda0db2a5187a6153bf3458e452ecbe5fd0e9391bf5980c32e3265
Opcode Fuzzy Hash: ad45fb7e2156161af7410a0d0fee09072007d36f8b606792f07637c3771c0ad3
Instruction Fuzzy Hash: 6E21F476508704EFDB09DF10D9C0B26BB65FB8C314F28C5ADEA090A256C3B6D457CBA1

Function 079C2700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1515357975.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_79c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19c9aaa2fe49606412b520ad89ecfdfa636fc87badac2c82f2dc3108b4369e4
Instruction ID: 5735ddb7d46643095a526b545d14f309b7169b3ac5b3e75fcc5fb1573d176c7b
Opcode Fuzzy Hash: b19c9aaa2fe49606412b520ad89ecfdfa636fc87badac2c82f2dc3108b4369e4
Instruction Fuzzy Hash: A4216BB5A00206DFDF20CF59C586B6977E9BB45669F04806EE908DB360C374E944CB63

Function 04A993F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c126c30e4f432df0d08e5176857842d9dbb6cf24857c626c0c6e1f2a65d972b5
Instruction ID: 2c918f925c73eabc22660eae91a158a77aac67740733fd6fbcf676b827d3ebae
Opcode Fuzzy Hash: c126c30e4f432df0d08e5176857842d9dbb6cf24857c626c0c6e1f2a65d972b5
Instruction Fuzzy Hash: 6731ABB5A057449EDB60CF6AD0883CAFFF6EF89320F28842EC45D9B305D67468858B51

Function 031FF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1480435872.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e84c1d4ede20fcced4939bc4ba34a2cf7e7d5a6ef71f029906a1852ec4b3349
Instruction ID: 42ffd69c10f010ee86b11b453a0e8bbbf51b6653c8ea589851bacd68c6ecf0a9
Opcode Fuzzy Hash: 1e84c1d4ede20fcced4939bc4ba34a2cf7e7d5a6ef71f029906a1852ec4b3349
Instruction Fuzzy Hash: EA212975604344DFDB14DF14D9C0B16BBA6FB88314F28C5ADDA0A4B246C3B6D447CA61

Function 04A99400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467b80a3cbefce2068401f97a56a1568cb372c3efb3bf412135950bbdfe8c5f0
Instruction ID: 3a791d2f832e3215f56c437a5311f5079f6f03aadd402230f39649b958a56f80
Opcode Fuzzy Hash: 467b80a3cbefce2068401f97a56a1568cb372c3efb3bf412135950bbdfe8c5f0
Instruction Fuzzy Hash: 7C216BB5A057449FDB60CF6AC0883CAFBF6EB89310F28C41DD85D9B345D67468858B61

Function 04A97664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ea9d9b66f268e22d263947298e2a73be4537329c58249d363024de4daeec17
Instruction ID: 9e8ba515aa35159f9ecd6dc2651082eafecdcd8ccd02061475f79fd28b6ed04b
Opcode Fuzzy Hash: 78ea9d9b66f268e22d263947298e2a73be4537329c58249d363024de4daeec17
Instruction Fuzzy Hash: BA11D739700218CFDB04DFA8E840A9D77F6EFC8255B0540A4E609DB755DB35ED558BA0

Function 079C28E8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1515357975.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_79c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c1297c5a23d88d46a65f6d7ef01cec1f7d14c7bf1a86e8ebad7cec82a79f75
Instruction ID: 067c1c12559caa68d6b7d6f23019b30820cb148cf2a3a81ec4acc42fdacb6188
Opcode Fuzzy Hash: e0c1297c5a23d88d46a65f6d7ef01cec1f7d14c7bf1a86e8ebad7cec82a79f75
Instruction Fuzzy Hash: 181101F1A00306DFCF20CF58C684B6AB7E9BB45229F0880AED50887211C770E840CBA3

Function 031FF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1480435872.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction ID: a437972604b508173de9cf11eb9f2d866e885e2ed4c7682e5c385b1bd9b4491d
Opcode Fuzzy Hash: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
Instruction Fuzzy Hash: 3821CD76508640DFCF16CF10D9C0B16BF72FB88314F28C5A9DA494A666C33AD46ACF91

Function 031FF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1480435872.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction ID: e43b43fd21b8db6c53d46907343fe6c170e6ba3fbc32e1e6e7c33bf3d70d4427
Opcode Fuzzy Hash: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
Instruction Fuzzy Hash: 7611BB7A504280CFCB12CF10D5C0B15BFA2FB88324F28C6AAD9494B656C37AD44ACB61

Function 04A9BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b813b78113742791312ac55afb09a25edab20fe9ad1b2fd6229b51d0bdfc0cd4
Instruction ID: 13e8d013d3562b49296bae9840212dc9f69301316524cc18c2077bb238096954
Opcode Fuzzy Hash: b813b78113742791312ac55afb09a25edab20fe9ad1b2fd6229b51d0bdfc0cd4
Instruction Fuzzy Hash: 3701C4312087445FD715CB79D994A997FE0AF49210F1848EED189CB6A2C621FC85C711

Function 04A9DC98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15222b6110ca59199f4b687921898d68576e849d58887c36b692bac686f2b96c
Instruction ID: bd8ee4e9af319d10488754ec3095b465f56cece1e11d13a499a93dbf12d3d331
Opcode Fuzzy Hash: 15222b6110ca59199f4b687921898d68576e849d58887c36b692bac686f2b96c
Instruction Fuzzy Hash: 61110934204754CFC728DF75D08489AB7F6EF8921572489ADD04A87BA0CB32FC45CB50

Function 04A9DF20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a895d08731274483d900deac494169c2f1e09d18b4d2df47e9c9646bc1fda0a8
Instruction ID: a859d9ccebc48b004392b1c0925bae1fb3270ee5111dc594b0a6eb6a7eb6799a
Opcode Fuzzy Hash: a895d08731274483d900deac494169c2f1e09d18b4d2df47e9c9646bc1fda0a8
Instruction Fuzzy Hash: A4019235B00214CFCB159F74EC08AAEBBF6FB88315F00406DE50AD7242DB325905DB90

Function 031FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1480435872.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1392454bf9584707f0e295934f2b49f0343a3bd28a6baf5a772fd6ee67751e
Instruction ID: c4c24d1497562036ede421acd3da183845f2e74abd4985d53aa94aabd3b62c7a
Opcode Fuzzy Hash: 4a1392454bf9584707f0e295934f2b49f0343a3bd28a6baf5a772fd6ee67751e
Instruction Fuzzy Hash: 15012B714043409FE720CE15EC80777FB98DF4A224F1CC45AEE490F24AC7799981CAB1

Function 031FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1480435872.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66462a10b1f4b43ea5e673f3295bfb8c5c6a0ad8107cc790222953fae11aeb85
Instruction ID: ada032fbd67032ec5097d271597b03de21fda14e8cbcc74d3512ce245dab5ff4
Opcode Fuzzy Hash: 66462a10b1f4b43ea5e673f3295bfb8c5c6a0ad8107cc790222953fae11aeb85
Instruction Fuzzy Hash: D501407240E3C05FD7128B25D894B62BFB4DF47224F1D81DBD9888F6A7C2699848CB72

Function 04A9BF10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a899464d1959dc1fea6504db75c997b8ccc3cba3bd0a5d4aab195ae091fa8b
Instruction ID: 2c30f72daf0a2dc708d31f1fd414b54119e2eb4339e81dacf5d4d0693bb06638
Opcode Fuzzy Hash: 42a899464d1959dc1fea6504db75c997b8ccc3cba3bd0a5d4aab195ae091fa8b
Instruction Fuzzy Hash: D1F0AF3630D3A05FD7018A79AC549BB7FEAEFC6620B0945BBF584C72A2CA60CC048760

Function 04A97940 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a8ae3c05a8fe736ecbd5f288f2bb0ad6c251a94114c97cb880b0b33eb5fa6b
Instruction ID: 91c2698a2d2aa5eb48e756be6ece10ceee9c9f363d483c8736032120393ca2ab
Opcode Fuzzy Hash: 93a8ae3c05a8fe736ecbd5f288f2bb0ad6c251a94114c97cb880b0b33eb5fa6b
Instruction Fuzzy Hash: 1AF046317063519FDB029B20D8409AF7BF4EF8A620700096EE04AC77A0CF746C81C7B1

Function 04A990D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc4d1aa92207644525a8a26b8516f86479350d85f842ef9a2259201260941fe
Instruction ID: a18194da18fcdbda6b4c406d7ae3961fa1f9bb600d65ce97bef70b5f9aee80c0
Opcode Fuzzy Hash: dcc4d1aa92207644525a8a26b8516f86479350d85f842ef9a2259201260941fe
Instruction Fuzzy Hash: F001497560C7409FD701AB74C41479BBBA5DFC2315F1180AFD5058B281CE382806C7A1

Function 031FD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1480435872.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a71b41d9db9133b3d87e3e170cd78bcedd24f51c75d94bacc8645255e088311
Instruction ID: 37167b9123d6d679869d813124586ea75f2e493320d2d1d3389be72902c72569
Opcode Fuzzy Hash: 1a71b41d9db9133b3d87e3e170cd78bcedd24f51c75d94bacc8645255e088311
Instruction Fuzzy Hash: 82F0E776200600AF9724DF0AD985C22FBA9EBD8670719C55AE94A4BB12C771EC41CAA0

Function 04A9DEC1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8d384b5a8a8e18bc4624f5379599a376ae54600b85a07aa617ae3ee69b7696
Instruction ID: 2b1d146cd1b9f901d6de591d15d1ce98477874bc56d55b2f33ba32f424fdf77e
Opcode Fuzzy Hash: 9f8d384b5a8a8e18bc4624f5379599a376ae54600b85a07aa617ae3ee69b7696
Instruction Fuzzy Hash: 6FF058353046818FC7119B2DD49486ABBF6AFCA22132900ABE189CF372CA61DC46C7A0

Function 04A99158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ca27af13f5493943d9b45aa72c5af1d8d0fc75baabdb4aba9b6535c6d76625
Instruction ID: 7d2a26dfb1cd3b3f44478efbb81a2f9480db0fe3d9cd2029e9a4889cc2e76fbf
Opcode Fuzzy Hash: a7ca27af13f5493943d9b45aa72c5af1d8d0fc75baabdb4aba9b6535c6d76625
Instruction Fuzzy Hash: 59F0B4706093444FD7658B78D89838A7FE5EB42310F0044AED15ECB282CB356885C750

Function 04A97950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365d7349593423cea186043cc96f6d904a3869e190ceb98891fecdcbf4ce5e7b
Instruction ID: cc5a464ac441ee12c9d67b73a87a87aee806bf35daa8b94b091f12a04a5de726
Opcode Fuzzy Hash: 365d7349593423cea186043cc96f6d904a3869e190ceb98891fecdcbf4ce5e7b
Instruction Fuzzy Hash: DBF0A7757007149FDB10AB55D844A6F77E9EB89671B00092DE14BD3740DF70AD418774

Function 031FD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1480435872.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8941bf4929309157a0e0994ee984cf117b7e88ea000dd53aec44d64a9722b06c
Instruction ID: 28538727e25bca25499ba4dbbc23478fcdf1dbc2d95fd7f898cbab72a75415fb
Opcode Fuzzy Hash: 8941bf4929309157a0e0994ee984cf117b7e88ea000dd53aec44d64a9722b06c
Instruction Fuzzy Hash: FAF0F975100640AFD725CF06DD85D23BBBAEB89624B198489E85A4B752C771FC42CFA0

Function 04A9DD0F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01207f39198a1889fc125f11054c650bcf5cd8b1a140daf5c86618de41eb9a0
Instruction ID: 6b9ca070ba0369d5803e7a466097e2390fe9db41950d724133ddb34978fa5ab3
Opcode Fuzzy Hash: f01207f39198a1889fc125f11054c650bcf5cd8b1a140daf5c86618de41eb9a0
Instruction Fuzzy Hash: CDF0E5353057901BC712976CB80489EBFE6CEC617130445AED14ADB202DF95DC0787A2

Function 04A9767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725e5a702087064530bd702f06d75725dc0d5bed45bc64c45a556c32071539e5
Instruction ID: 7742a644436a46d4c8bf3dfbf41d4a1cd857337657ecc6dc19ed4e6ace7ca5f5
Opcode Fuzzy Hash: 725e5a702087064530bd702f06d75725dc0d5bed45bc64c45a556c32071539e5
Instruction Fuzzy Hash: 69F0A039300204CFDB00EFAC9840A9977E2EFC96557054198E709DB311DF34DC028BA0

Function 04A990E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecfdf5ff830ef2679d26064dec25f6b6b6728dcfae672c6034d8051301c71cb
Instruction ID: 9d864e9ee7bd0bcd889c409c45f548bc830d03e72b593987fa6e4275eff16280
Opcode Fuzzy Hash: 8ecfdf5ff830ef2679d26064dec25f6b6b6728dcfae672c6034d8051301c71cb
Instruction Fuzzy Hash: BAF0E2796046148FE744AF69D0047AFBB96EBC5325F10816AD9194B384CE3978058BE0

Function 04A9DED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bbc72c3d876261b3a434db01adff7b7caa3a25a910873218f8da0af53536a8
Instruction ID: 7da442c693f8add09821acdd3e68ef26d28a721acca1d15eb349a5ebc3ff18ff
Opcode Fuzzy Hash: 44bbc72c3d876261b3a434db01adff7b7caa3a25a910873218f8da0af53536a8
Instruction Fuzzy Hash: 8CE065353002118F87009F1DD488D26B7EAEFCE62132900A9E549CB331DAA1EC418B90

Function 04A99542 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b91df65b4d5e26fdbae8023d48d358fcc1aa35790e3c1a786c1003c8ffc8df
Instruction ID: d42dd7afb5fd0372dd253633608ee48c3680b14eeac2c8f728b6bd1e3a08b56f
Opcode Fuzzy Hash: b0b91df65b4d5e26fdbae8023d48d358fcc1aa35790e3c1a786c1003c8ffc8df
Instruction Fuzzy Hash: CFE0DF22B0A2E12BCB5666BD15105BF6FE94EC70A570A01FFC949CF253D8489C0A83E2

Function 04A9DD60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af25a9ff799796ea8357ed73b10282d7b695dfb75725add85864c71e356ade2f
Instruction ID: b1a37972ebab112efab69010e20a521cafdcf813009abe26d8cadfe4e183f0fe
Opcode Fuzzy Hash: af25a9ff799796ea8357ed73b10282d7b695dfb75725add85864c71e356ade2f
Instruction Fuzzy Hash: B5E0E532B041849A8B08866DE4414EDBFB19FC8220B0484BFD54A9B312C9325886C791

Function 04A9896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cff8a0ef1b80fbc51fe1bc8c0e4311e231f87456fc215e3ced246282c81da63
Instruction ID: 729312024119f0114e1e7d2889b302423cd178ed55c9154120fcfef572ecfdb3
Opcode Fuzzy Hash: 4cff8a0ef1b80fbc51fe1bc8c0e4311e231f87456fc215e3ced246282c81da63
Instruction Fuzzy Hash: 3DF0A03930D6A08FDB0E6778A8182ED7FA59FC6265F0400AFE6068B247CF6809099395

Function 04A9AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a48d48fe68d5758f7d1baf24fd8ec4b628036ded76b1fe04a6998717a74f4e
Instruction ID: 58a8a4ab9485ec8328ace0751ed0359ec5689cf99a39accab1a30a8d73a2eda3
Opcode Fuzzy Hash: 37a48d48fe68d5758f7d1baf24fd8ec4b628036ded76b1fe04a6998717a74f4e
Instruction Fuzzy Hash: 09E0DF2630D2E11A8F16823DA4604EAAFF28AC323030D81FFE088CF683D8519C4683A1

Function 04A99168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71d734970c47009d1e2be9046ec574234a595c55bd1059264b23bfb32362f60
Instruction ID: ea4db227f7b5b531e575a5b32f8fb91fc648532890b7bd53e662c47882f5ded5
Opcode Fuzzy Hash: b71d734970c47009d1e2be9046ec574234a595c55bd1059264b23bfb32362f60
Instruction Fuzzy Hash: 95F039B49003049FD764DB78D89839ABBE9FB44310F00442DE21EC7380DB35A8848B90

Function 04A98978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958cd8e6a00c0e7a6e030184f986582d0c720091c8c9d98316165a5e1099a089
Instruction ID: 166815e71573131c6d1ca9c0d3f7e5f3b4e7b4e4d87d91887c1b7a13714fca4e
Opcode Fuzzy Hash: 958cd8e6a00c0e7a6e030184f986582d0c720091c8c9d98316165a5e1099a089
Instruction Fuzzy Hash: B2E026393086148BDB0C3B78A80C2AE7A9AEBC4765F00002EF6068B345CF785E0593D5

Function 04A99550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a19a265bc4584fde3db289dc20228a7cfcba2d3c89ec131e1557072b8f65ea
Instruction ID: c4a1ff922355cb9f3e0f25b8f6b69d31d3f242641daf59f037658cd82a1f8894
Opcode Fuzzy Hash: 75a19a265bc4584fde3db289dc20228a7cfcba2d3c89ec131e1557072b8f65ea
Instruction Fuzzy Hash: A3D05E52B16121279E9435BA1A006BBA5CE8BCB4A5B06017EDA09CB341EC4CFC0A03F1

Function 04A9DD20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b4607b7890b678391b36d223a5f7c8bd9ba5a9033cfaa781e22dcbe0b77fba
Instruction ID: 6df8fb71a0680e0eb8e63f20c6fe5d18536b15a39747b27dfff997ba059e4dd1
Opcode Fuzzy Hash: 41b4607b7890b678391b36d223a5f7c8bd9ba5a9033cfaa781e22dcbe0b77fba
Instruction Fuzzy Hash: EFE0C235300B100B8615A75EA80095FB7DBDFC99B1344882EE05ACB300DFA4EC468BE5

Function 04A9DD70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: db8c65944423fc8d286f7bcdf78370cb4b66e588e2b85699ddf952dde2dcb84c
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 82E08631B00018978B089599D4504D9F7F5DFCC220F04847ED90AA7340DA326D568691

Function 04A98739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312de354880119b732572e1a5bfd46b61dc902104a3b8a2f74a1cabd8eba04c5
Instruction ID: 243a13089215bb821d76afbab7596139760a6afab669d7a6c35230b82bd83936
Opcode Fuzzy Hash: 312de354880119b732572e1a5bfd46b61dc902104a3b8a2f74a1cabd8eba04c5
Instruction Fuzzy Hash: AAE04F36A041498BCF09ABA4EC1A4ED7F74EA05311F4001ADEA5B5A192EAA1198ACBC0

Function 04A98800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9032cecd8c68abfa1a74da79c0137d3cbe40fcaa3b863902f2cba5bfc324ab
Instruction ID: f5ae91d13554bedc024bb648b2d5036055485e04b79faede89a6655489a3cc8a
Opcode Fuzzy Hash: 3c9032cecd8c68abfa1a74da79c0137d3cbe40fcaa3b863902f2cba5bfc324ab
Instruction Fuzzy Hash: 42E04835A082468BCB19DBBCE4464ADBFB0DF46210F0042AEE9499B207D6311896DF81

Function 04A9F460 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6bca8c9e86acb2068cae44c1a3c1bcfa5d85581673ecfc5c6fac84528cd2f6
Instruction ID: a34f53f6517950f7b0a13e411728f34c9063ba57bf2437c65eecd2084f70e4ef
Opcode Fuzzy Hash: 0e6bca8c9e86acb2068cae44c1a3c1bcfa5d85581673ecfc5c6fac84528cd2f6
Instruction Fuzzy Hash: 4FE01A70E4014A8E8B80DFBDC4415A9FFF0EB59200B1489AED989D3301E2328611CB81

Function 04A9F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: f7cf5ac06dc198da3df41e021bc5b1b19986d67433c619d7583c61ceba58cd31
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: C6D067B0D042099F8B80EFADC94156EFBF4EB48200F6085AA9919E7301F7329A12CBD5

Function 04A98748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688aa8261ef2b98fb67702274793df114879681c94376891dcfc3fae6708bcf5
Instruction ID: 1a97f5eb56c0f044e3c433e6221b53eb9c1c7fbfbce469002ca761b98e3c0c8f
Opcode Fuzzy Hash: 688aa8261ef2b98fb67702274793df114879681c94376891dcfc3fae6708bcf5
Instruction Fuzzy Hash: C2D067319041098BCF0CABA5E85A4BDBB78FA14301F40416DE91756195EA712A5ADEC5

Function 04A98810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d1b53c8ec6f016ed7c792e8a61194bc82f1fd0f0b300379a6251b04b64f995
Instruction ID: ffd80d03b58f253f1d4ee2bf07dbd3ccbcde254041ae7d6d94183c3615ec392d
Opcode Fuzzy Hash: 45d1b53c8ec6f016ed7c792e8a61194bc82f1fd0f0b300379a6251b04b64f995
Instruction Fuzzy Hash: 06D01734E0820A8F8B48EFA4E84686EBBF8EB45200F00816DE90A97344EA306D05DBC1

Function 04A97E90 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baba6f5d725dc4c007cd1a57f58d599f4d6a6b06ee4a1d801eecc8685ad9a7a9
Instruction ID: 4315cece21230dc7fb337393b0c62810771f79664b1dfadb792140a0a7b13de0
Opcode Fuzzy Hash: baba6f5d725dc4c007cd1a57f58d599f4d6a6b06ee4a1d801eecc8685ad9a7a9
Instruction Fuzzy Hash: 20C002315193904FEF07972558A61453FB1DE4371470A55D69981CF1B2C9288C45C7E5

Function 04A97920 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd1a427099848ec0097c6b7ea8a488c6c57f8314f65d66de32437f46f06c753
Instruction ID: 1a2f2800e645f4b7c87a91777b6bde69d37c6f2a9b744c7bebc6e741bcb6f879
Opcode Fuzzy Hash: afd1a427099848ec0097c6b7ea8a488c6c57f8314f65d66de32437f46f06c753
Instruction Fuzzy Hash: 74C0123804A345DFCF56AF39D0448487B60EF5125571105DCD41B0FB66CA719C45CF50

Function 04A97928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552b35504cad43ec98e89ac19ad8a7db0f7139ad5452cb1378d2eac9ddfb9ccf
Instruction ID: 17f7d317e8f10c7e2bc818b01b31dc5fc652883f9b4bd6710eb886efaf19bab1
Opcode Fuzzy Hash: 552b35504cad43ec98e89ac19ad8a7db0f7139ad5452cb1378d2eac9ddfb9ccf
Instruction Fuzzy Hash: 90B092300897088FC248AF7AE4088187729FB4021578004E9E82E0A2968E36E884CB88

Non-executed Functions

Function 04A9EDE8 Relevance: 5.5, Strings: 4, Instructions: 453COMMON

Download Yara Rule

Strings

,k2q, xrefs: 04A9F153
0o6p, xrefs: 04A9F205
0o6p, xrefs: 04A9F237
0o6p, xrefs: 04A9F243

Memory Dump Source

Source File: 00000013.00000002.1481450262.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4a90000_powershell.jbxd

Similarity

API ID:
String ID: ,k2q$0o6p$0o6p$0o6p
API String ID: 0-3764817192
Opcode ID: fd67401c9a04e61d34e8628f8a95f403259311fa7ecad7bf370f0eda8690f1ce
Instruction ID: aed3d6af968ae52d0b4ba52efbe70b55aa82fe33d6b981777d7dcb274f76691f
Opcode Fuzzy Hash: fd67401c9a04e61d34e8628f8a95f403259311fa7ecad7bf370f0eda8690f1ce
Instruction Fuzzy Hash: 9AE106747102218FEF189F79881473E73E6AFC9B14B6544AAE506EF3A1EE70EC418791

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\Temp\WER628D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64C1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6510.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0k3srmay.njf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2kjh2l1s.oq1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3sgbyx4z.na4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xmbsoyw.evx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b3k35ztk.tpn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccpktzlr.d4q.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_flyghtq1.x2t.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikzmqees.beb.psm1

Windows Analysis Report
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe