Edit tour

Windows Analysis Report
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Overview

General Information

Sample name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe renamed because original name is a hash value
Original sample name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO66158152 WKH2406122.scr.exe
Analysis ID:	1519263
MD5:	c9f0c69a4cd0b678f239a9e7aae10202
SHA1:	e2ae9b8c6074e9dbfe76a9a65e7d0ca8367ccc20
SHA256:	5b18e86b916afe8f7f7e4ced40194c8a24b4c731bbbe175b52485de2a6b0bbb2
Tags:	exeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe" MD5: C9F0C69A4CD0B678F239A9E7AAE10202)

DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe" MD5: C9F0C69A4CD0B678F239A9E7AAE10202)

DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe" MD5: C9F0C69A4CD0B678F239A9E7AAE10202)

powershell.exe (PID: 2304 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1700 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1a46c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xadf78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc1c64:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1a509:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xae015:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc1d01:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1a61e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xae12a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc1e16:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1995e:$cnc4: POST / HTTP/1.1 0xad46a:$cnc4: POST / HTTP/1.1 0xc1156:$cnc4: POST / HTTP/1.1
00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10068:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10105:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1021a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf55a:$cnc4: POST / HTTP/1.1
00000003.00000002.4157659471.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 6704	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 6704	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7156	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe468:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe505:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe61a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd95a:$cnc4: POST / HTTP/1.1
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2a888:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3e574:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2a925:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3e611:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2aa3a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3e726:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x29d7a:$cnc4: POST / HTTP/1.1 0x3da66:$cnc4: POST / HTTP/1.1
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x21270:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x34f5c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2130d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x34ff9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x21422:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3510e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x20762:$cnc4: POST / HTTP/1.1 0x3444e:$cnc4: POST / HTTP/1.1
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10268:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa3d74:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb7a60:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10305:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa3e11:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb7afd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1041a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa3f26:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb7c12:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf75a:$cnc4: POST / HTTP/1.1 0xa3266:$cnc4: POST / HTTP/1.1 0xb6f52:$cnc4: POST / HTTP/1.1
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe", ParentImage: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ParentProcessId: 7156, ParentProcessName: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', ProcessId: 2304, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe", ParentImage: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ParentProcessId: 7156, ParentProcessName: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', ProcessId: 2304, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ProcessId: 7156, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe", ParentImage: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ParentProcessId: 7156, ParentProcessName: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe', ProcessId: 2304, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:30:02.802636+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:08.962164+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:20.973253+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:32.889033+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:33.412087+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:45.002007+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:57.012454+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:02.823186+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:04.412709+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:07.882357+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:15.562221+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:15.802470+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:16.042648+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:19.782731+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:27.192457+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:27.442501+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:28.742668+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:32.813207+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:40.782127+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:42.692372+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:42.932564+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:48.052358+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:49.702634+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:01.842445+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:02.813443+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:05.562477+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:17.572248+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:19.431312+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:19.482480+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:25.203003+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:28.158775+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:32.807536+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:39.892313+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:48.582506+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:56.132081+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:02.812362+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:08.152178+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:11.595965+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:11.772678+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:12.262393+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:14.302148+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:16.882548+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:17.102313+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:27.612367+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:27.842075+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:28.342318+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:30.210763+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:30.219256+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:31.272656+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442643+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442773+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442812+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:39.902399+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:30:08.964287+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:30:20.975460+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:30:33.413633+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:30:45.005280+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:30:57.014370+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:04.414742+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:07.883802+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:15.563682+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:15.807134+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:16.046972+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:19.785121+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:27.194140+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:27.446848+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:28.745385+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:40.788167+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:42.693996+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:42.933779+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:43.183952+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:43.193856+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:48.055078+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:49.705554+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:01.844448+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:05.565501+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:17.574542+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:19.433395+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:19.484480+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:25.209578+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:28.160298+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:39.899093+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:48.585058+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:56.133895+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:08.155208+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:11.599125+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:11.775468+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:12.029641+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:12.037697+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:12.266913+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:14.303636+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:16.884758+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:17.104126+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:17.586354+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:27.619218+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:27.844008+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:28.344263+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:30.215414+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:31.274158+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:39.903361+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:30:02.802636+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:32.889033+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:02.823186+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:32.813207+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:02.813443+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:32.807536+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:02.812362+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442643+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442773+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442812+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.4	49741	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:31:42.525665+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.250.180.178	7061	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: 104.250.180.178
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: 7061
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: <123456789>
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: XWorm V5.2
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: USB.exe
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: %AppData%
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack	String decryptor: XClient.exe

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: yPhv.pdbSHA256 source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, XClient.exe.3.dr
Source:	Binary string: yPhv.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, XClient.exe.3.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.250.180.178:7061 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.250.180.178:7061 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49741 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49741 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49741 -> 104.250.180.178:7061

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 104.250.180.178:7061

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 0000000C.00000002.1931436415.0000000008743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.1931436415.0000000008768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 0000000C.00000002.1931436415.0000000008768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000002.1759461319.0000000005608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1798429624.00000000058F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1847804492.0000000005BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1885772234.0000000003147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1753255534.00000000046F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.00000000049E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4157659471.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1753255534.00000000045A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1753255534.00000000046F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.00000000049E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1885772234.0000000003147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: powershell.exe, 0000000C.00000002.1931436415.0000000008768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micr.
Source: powershell.exe, 00000007.00000002.1804108576.00000000074DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.1762650445.000000000715A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.dgx
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000004.00000002.1753255534.00000000045A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBdq
Source: powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1885772234.0000000003147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1759461319.0000000005608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1798429624.00000000058F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1847804492.0000000005BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_00EFDE4C	0_2_00EFDE4C
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF7368	0_2_04DF7368
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF0040	0_2_04DF0040
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF0007	0_2_04DF0007
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF1090	0_2_04DF1090
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF7358	0_2_04DF7358
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 0_2_04DF9D47	0_2_04DF9D47
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 3_2_00D144C7	3_2_00D144C7
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 3_2_00D14AC0	3_2_00D14AC0
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 3_2_00D11458	3_2_00D11458
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Code function: 3_2_00D11A68	3_2_00D11A68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0443B490	4_2_0443B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08523E98	4_2_08523E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F8B490	7_2_02F8B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F8B470	7_2_02F8B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F81FBD	7_2_02F81FBD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0307B490	9_2_0307B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0307B470	9_2_0307B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_032BB490	12_2_032BB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_032BB470	12_2_032BB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_08BA3E98	12_2_08BA3E98

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000000.1678175059.00000000004F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyPhv.exeD vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701925085.00000000071C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1694041318.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1697581417.0000000003919000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4170437401.0000000003B01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyPhv.exeD vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4172944980.0000000005B19000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Binary or memory string: OriginalFilenameyPhv.exeD vs DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, 0jpphwwqZqta9yNAU1rmvPgO8j.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, JAcPXIgusCSiVYBJ5V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, JAcPXIgusCSiVYBJ5V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XXDmbLd9uuG89CX5aB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, JAcPXIgusCSiVYBJ5V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/21@0/1

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_03
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\f8RKHn3SOlVxjC9t

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File read: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.3.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: yPhv.pdbSHA256 source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, XClient.exe.3.dr
Source:	Binary string: yPhv.pdb source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, XClient.exe.3.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.kpaiBhymIJGBuLt851gqZoLAoD2fiZkc0DA3Lc823wxxdIa6PYsvKZlA56OH12YQ41sSLHjT4iWQJiKp8tggB2I54feK1c86Mqm,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.zZbnUIep0vWxKxGVBok7L3PrzjZoEnwL0TSMXbwigCiaVp6nuwuxywUGaEN9dKldJ3TrYBoPGwVErMlqUaYHm6AAkBixXvLS97V,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw._1fd035fDiEoy57pBpWpWQTfLABgAwu559F98CfIdCDdRJ74x4qfREzt6LaVDN65xSX6mXNev2t5WO73ujfaH60MUncnZRoGV4vj,WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.IW9FNA672lsDi2tCYs0XmXfyWkYhTHM1nl8C6baQ9lTI8YY8Qyto5zkIeoHh2Zcqmqyiuv94riMmQCcGwepP0z2tUnSyyl1yoCb,LQsPA89PDgnCWG85KTzaHUxHxV.WufUBprPTFHXMI553kXybp9FaY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9CLWboLL8arHgBpNMCHih5iKc1[2],LQsPA89PDgnCWG85KTzaHUxHxV.WL37fsRxQxlu6tAK1xjQRngPmh(Convert.FromBase64String(_9CLWboLL8arHgBpNMCHih5iKc1[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _9CLWboLL8arHgBpNMCHih5iKc1[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.54e0000.5.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XXDmbLd9uuG89CX5aB.cs	.Net Code: oOfkVKSLEE System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XXDmbLd9uuG89CX5aB.cs	.Net Code: oOfkVKSLEE System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: HFKY311DFA0CknBmafbCyAhvOzvwUW3ViyV49tKstRpT8xAE2GnNPEVulKkb5ija7d4jHOKsf5tq0JZu3yzP System.AppDomain.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn System.AppDomain.Load(byte[])
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	.Net Code: iXIBZqNvKivS6RYy8lRx3sDnEn
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XXDmbLd9uuG89CX5aB.cs	.Net Code: oOfkVKSLEE System.Reflection.Assembly.Load(byte[])
Source: XClient.exe.3.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3b05570.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Static PE information: 0xA253E3D7 [Wed Apr 19 21:53:27 2056 UTC]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F8629D push eax; ret	7_2_02F86351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02F8633D push eax; ret	7_2_02F86351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0307632D push eax; ret	9_2_03076341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_03073A9C push ebx; retf	9_2_03073ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_032B629D push eax; ret	12_2_032B6351

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Static PE information: section name: .text entropy: 7.792568924601146
Source: XClient.exe.3.dr	Static PE information: section name: .text entropy: 7.792568924601146

Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.54e0000.5.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, JUB65gENfsG0iP8C7s.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LNPNC2Kcll', 'LBjN2cydxc', 'kQyNzJFyqQ', 'Jomh1DMPX2', 'UCvhYy8jit', 'wj4hNkPIgg', 'J7fhhMxn7T', 'dwHcfwWQGqQvHrnhBZP'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, fgvd8dYhAflbBDpDvTZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yZJXDAx5f3', 'ifIXHLGPEp', 'y6bX9jKhE3', 'V8EXvfuEtH', 'v3AXaOvYml', 'VAZXtieWcG', 'jQSXB11emv'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XXDmbLd9uuG89CX5aB.cs	High entropy of concatenated method names: 'X4nhpZ7Kn1', 'UIChLsqNZ2', 'Ocuh0yvHxP', 'XuVhE2LgQa', 'QSkhlnO9gG', 'e0LhIZWR47', 'kZnh8c4EQC', 'UYVhdbLvS9', 'mybhmrOgCB', 'X73hbNFPTf'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, m2wd9sCHDG1M5sEkYc.cs	High entropy of concatenated method names: 'WrGi5NeHQr', 'hdviZIf00O', 'BVuiGpoOxZ', 'nEIiKXHmZu', 'jnJiD3f9q1', 'rNUiRaW2md', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, JibAjpvD5PxaPydrtT.cs	High entropy of concatenated method names: 'gfXTbyVYU5', 'a80TJRwu1j', 'ToString', 'WZsTLpahwZ', 'A6wT03vplf', 'sRSTEstDsu', 'nsGTlkNgDq', 'S7sTIohyu9', 'UleT80v3ls', 'zMJTd3IkkS'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, V3XIkc5uc7tqoLOPiN.cs	High entropy of concatenated method names: 'TdZIpfx0Yv', 'hTrI03QBRp', 'hTqIlF327v', 'FJhI8JllIy', 'BcuIdnNVmY', 'V7ElaDt14a', 'IvxltYfeBT', 'AhRlBXmUDx', 'VXBl4FTDdi', 'jsrlC0DGc4'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, cUTqJeMfeeolr70tjM.cs	High entropy of concatenated method names: 'xagEq1irBr', 'znnEFOT5kG', 'Gf1EgZmmsO', 'LF7EM9pjK5', 'EI9EwsMP5j', 'kSjErdXrUu', 'jPBETGft9P', 'LykEiZHCUL', 'VrJEnDPw2T', 'vZnEXSZEXM'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, YYd3ckPpsqIPtPvdOh.cs	High entropy of concatenated method names: 'hell7Mpbmk', 'vlNljrl8Fy', 'n1nEG2sQau', 'zSjEKGQ2qF', 'PLEERZx1x7', 'cnxEWYGyTZ', 'hBaEAW1b12', 'gl4EOORHFV', 'L9oE305W0n', 'atbEuIO7ws'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, BshbxMDXZdfCcPj3wL.cs	High entropy of concatenated method names: 'CV8wu3Vvwc', 'YkewfAqXr4', 'qVrwDe16yb', 'J73wHhCBkF', 'zRPwZsjaw1', 'zYIwGLS8dD', 'BiGwKHQq0y', 'llXwR0KsBq', 'dCmwWNSk5P', 'VnIwAUvi4v'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, dHRUqJ4OirhIgE8nF3.cs	High entropy of concatenated method names: 'rwbiLYXUFZ', 'FhWi0V9yZH', 'GLNiESGQrj', 'zulilNIPxp', 'Eq5iITCwjM', 'WNii8AhbpI', 'qS6idGPnT1', 'r11imCJyjl', 'AtGib1qdSj', 'A1qiJvKIkB'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, oB1Og3k0NYb990Ae35.cs	High entropy of concatenated method names: 'UWWY8AcPXI', 'NsCYdSiVYB', 'ufeYbeolr7', 'gtjYJM2Yd3', 'FvdYwOht3X', 'ikcYruc7tq', 'c7moWyTryEaFmuSlYO', 'UARxs89LcfrJAfEXVY', 'JT4YYOmipl', 'mTLYhADi4t'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, XmRYtHtEGiTolgw2RG.cs	High entropy of concatenated method names: 'gcvT4aRS5u', 'v2TT2Zv528', 'S1Oi1nVggl', 'HmgiYOauS0', 'D7wTsKqP3d', 'ELTTfxicsi', 'sb3T6iOKEA', 'zHhTDaC0jf', 'QTsTH8qEFm', 'WSvT98HDUP'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, BdFO0OAtpJtT4Uebio.cs	High entropy of concatenated method names: 'Uqt8LC9fW2', 'SEY8E16UF9', 'Jfo8IvQuEi', 'THwI2QJJsl', 'MToIzaE0Kv', 'APp81HQjcy', 'cZK8YqGsbo', 'mqt8NOs7Oj', 'BCn8hEMF2M', 'BaG8kQUEYc'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, BBwwaoz63p12C4XmDq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c4KnQ4Zb0H', 'Elunw9YmQB', 'B69nrEfCPj', 'TYmnT8AcDB', 'gijni8erlv', 'KhvnnyGYby', 'c6tnX2DoTl'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, WqTkcP2NCvqM6IhxAp.cs	High entropy of concatenated method names: 'ztYnYsgLuX', 'EeHnhwntmm', 'jMZnkaQGjA', 'ubZnLMTTDU', 'u34n0OQx6E', 'fkqnlmoiSX', 'furnIKXoct', 'mebiBANs95', 'd6Oi4S1qj3', 'mM7iC7KCxo'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, alwGGMWCCL34v7eV6q.cs	High entropy of concatenated method names: 'sTlI9rUMUh', 'XehIvooCtJ', 'DPfIaL1YNX', 'ToString', 'BZ1ItRxSSC', 'CZsIBsOibE', 'tcFWw8CAlDLcyjdk7sl', 'dEH8D0C266yh1sMr4rX', 'N3YQohCLvaRgF1pG2Kh'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, JAcPXIgusCSiVYBJ5V.cs	High entropy of concatenated method names: 'dc70DPyhn0', 'GJR0HyRSZx', 'rNX092Wbov', 'bX90v1poIE', 'KfY0aiv0Rr', 'UZX0tdvKxu', 'T1v0B2M1B9', 'Rnu040ltdP', 'YjW0CJiTxA', 'vAm02VvSD0'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, VHi3s3NtEH1RWinr0v.cs	High entropy of concatenated method names: 'n64V2YEtB', 'VauqsXFrx', 'MiEFHINwL', 'QCyj8if9f', 'LLlMEvaYu', 'XgXPiY4Je', 'R74N42nW7tI3J74u0l', 'TtLrfeMqfCXhLPurCs', 'xqUimEP9T', 'zewXYHTYq'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, GmJ0wL0x4SgGlmvjuw.cs	High entropy of concatenated method names: 'Dispose', 'btWYCPyqY4', 'cQjNZiWqbR', 'cP5QQg2sdp', 'TkHY2RUqJO', 'rrhYzIgE8n', 'ProcessDialogKey', 'C3bN12wd9s', 'SDGNY1M5sE', 'eYcNN4qTkc'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, IfS7Uv38KYyX97WBrY.cs	High entropy of concatenated method names: 'AWm8yWuGJB', 'TSV8cVNAlm', 'quh8V94svP', 'PCk8qKBpaE', 'OEQ87QivoQ', 'biE8FPdhIB', 'yGS8jEjD6Q', 'Egi8gxdZds', 'CAE8MjHeNE', 'yFt8POEYg5'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, JBwEig6TuyiTxGBKtp.cs	High entropy of concatenated method names: 'rZlQgxhawD', 'IMxQMb1Qvr', 'KMjQ5ZCeWs', 'BHxQZZDkPb', 'IGfQKjeQVC', 'hueQR6LPEY', 'SMnQAQBj2B', 'x9xQOqCjqS', 'IbiQuLTcVJ', 'SXCQs0NgQt'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, Mlxon49XHd9jTYuKRQ.cs	High entropy of concatenated method names: 'ToString', 'XJsrshkvti', 'B8ErZjFbTH', 'Dq7rGUlEup', 'iKdrK00dVW', 'VLurRvVJPO', 'yVprWIDbHA', 'vTQrA4Iqq0', 'fg7rOa8ZmF', 'Bslr3kDy03'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, N9JKP1Y19rw0lMPMcpg.cs	High entropy of concatenated method names: 'mLpnyB3Iev', 'O63ncf8cRO', 'udknVBSdRG', 'J3Jnqtk7a0', 'OGen711jAA', 'LRPnFXJhTF', 'k5RnjfJ4Ba', 'BgnngKxgMB', 'OaYnMk8dHJ', 'N3vnPyKswx'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.71c0000.6.raw.unpack, UBRWdiZ9HZOJSbONkK.cs	High entropy of concatenated method names: 'scDK2MCFJQcNiaPOWyt', 'vIJ7iUCoWNNCv16mEMH', 'FfXIikwsnX', 'tGRInTHm4L', 'KXJIXB12PB', 'o0ra80CB3X8yE7j7VeL', 'F5Z0kDCy9AICHquO5IZ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, JUB65gENfsG0iP8C7s.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LNPNC2Kcll', 'LBjN2cydxc', 'kQyNzJFyqQ', 'Jomh1DMPX2', 'UCvhYy8jit', 'wj4hNkPIgg', 'J7fhhMxn7T', 'dwHcfwWQGqQvHrnhBZP'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, fgvd8dYhAflbBDpDvTZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yZJXDAx5f3', 'ifIXHLGPEp', 'y6bX9jKhE3', 'V8EXvfuEtH', 'v3AXaOvYml', 'VAZXtieWcG', 'jQSXB11emv'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XXDmbLd9uuG89CX5aB.cs	High entropy of concatenated method names: 'X4nhpZ7Kn1', 'UIChLsqNZ2', 'Ocuh0yvHxP', 'XuVhE2LgQa', 'QSkhlnO9gG', 'e0LhIZWR47', 'kZnh8c4EQC', 'UYVhdbLvS9', 'mybhmrOgCB', 'X73hbNFPTf'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, m2wd9sCHDG1M5sEkYc.cs	High entropy of concatenated method names: 'WrGi5NeHQr', 'hdviZIf00O', 'BVuiGpoOxZ', 'nEIiKXHmZu', 'jnJiD3f9q1', 'rNUiRaW2md', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, JibAjpvD5PxaPydrtT.cs	High entropy of concatenated method names: 'gfXTbyVYU5', 'a80TJRwu1j', 'ToString', 'WZsTLpahwZ', 'A6wT03vplf', 'sRSTEstDsu', 'nsGTlkNgDq', 'S7sTIohyu9', 'UleT80v3ls', 'zMJTd3IkkS'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, V3XIkc5uc7tqoLOPiN.cs	High entropy of concatenated method names: 'TdZIpfx0Yv', 'hTrI03QBRp', 'hTqIlF327v', 'FJhI8JllIy', 'BcuIdnNVmY', 'V7ElaDt14a', 'IvxltYfeBT', 'AhRlBXmUDx', 'VXBl4FTDdi', 'jsrlC0DGc4'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, cUTqJeMfeeolr70tjM.cs	High entropy of concatenated method names: 'xagEq1irBr', 'znnEFOT5kG', 'Gf1EgZmmsO', 'LF7EM9pjK5', 'EI9EwsMP5j', 'kSjErdXrUu', 'jPBETGft9P', 'LykEiZHCUL', 'VrJEnDPw2T', 'vZnEXSZEXM'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, YYd3ckPpsqIPtPvdOh.cs	High entropy of concatenated method names: 'hell7Mpbmk', 'vlNljrl8Fy', 'n1nEG2sQau', 'zSjEKGQ2qF', 'PLEERZx1x7', 'cnxEWYGyTZ', 'hBaEAW1b12', 'gl4EOORHFV', 'L9oE305W0n', 'atbEuIO7ws'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, BshbxMDXZdfCcPj3wL.cs	High entropy of concatenated method names: 'CV8wu3Vvwc', 'YkewfAqXr4', 'qVrwDe16yb', 'J73wHhCBkF', 'zRPwZsjaw1', 'zYIwGLS8dD', 'BiGwKHQq0y', 'llXwR0KsBq', 'dCmwWNSk5P', 'VnIwAUvi4v'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, dHRUqJ4OirhIgE8nF3.cs	High entropy of concatenated method names: 'rwbiLYXUFZ', 'FhWi0V9yZH', 'GLNiESGQrj', 'zulilNIPxp', 'Eq5iITCwjM', 'WNii8AhbpI', 'qS6idGPnT1', 'r11imCJyjl', 'AtGib1qdSj', 'A1qiJvKIkB'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, oB1Og3k0NYb990Ae35.cs	High entropy of concatenated method names: 'UWWY8AcPXI', 'NsCYdSiVYB', 'ufeYbeolr7', 'gtjYJM2Yd3', 'FvdYwOht3X', 'ikcYruc7tq', 'c7moWyTryEaFmuSlYO', 'UARxs89LcfrJAfEXVY', 'JT4YYOmipl', 'mTLYhADi4t'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, XmRYtHtEGiTolgw2RG.cs	High entropy of concatenated method names: 'gcvT4aRS5u', 'v2TT2Zv528', 'S1Oi1nVggl', 'HmgiYOauS0', 'D7wTsKqP3d', 'ELTTfxicsi', 'sb3T6iOKEA', 'zHhTDaC0jf', 'QTsTH8qEFm', 'WSvT98HDUP'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, BdFO0OAtpJtT4Uebio.cs	High entropy of concatenated method names: 'Uqt8LC9fW2', 'SEY8E16UF9', 'Jfo8IvQuEi', 'THwI2QJJsl', 'MToIzaE0Kv', 'APp81HQjcy', 'cZK8YqGsbo', 'mqt8NOs7Oj', 'BCn8hEMF2M', 'BaG8kQUEYc'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, BBwwaoz63p12C4XmDq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c4KnQ4Zb0H', 'Elunw9YmQB', 'B69nrEfCPj', 'TYmnT8AcDB', 'gijni8erlv', 'KhvnnyGYby', 'c6tnX2DoTl'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, WqTkcP2NCvqM6IhxAp.cs	High entropy of concatenated method names: 'ztYnYsgLuX', 'EeHnhwntmm', 'jMZnkaQGjA', 'ubZnLMTTDU', 'u34n0OQx6E', 'fkqnlmoiSX', 'furnIKXoct', 'mebiBANs95', 'd6Oi4S1qj3', 'mM7iC7KCxo'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, alwGGMWCCL34v7eV6q.cs	High entropy of concatenated method names: 'sTlI9rUMUh', 'XehIvooCtJ', 'DPfIaL1YNX', 'ToString', 'BZ1ItRxSSC', 'CZsIBsOibE', 'tcFWw8CAlDLcyjdk7sl', 'dEH8D0C266yh1sMr4rX', 'N3YQohCLvaRgF1pG2Kh'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, JAcPXIgusCSiVYBJ5V.cs	High entropy of concatenated method names: 'dc70DPyhn0', 'GJR0HyRSZx', 'rNX092Wbov', 'bX90v1poIE', 'KfY0aiv0Rr', 'UZX0tdvKxu', 'T1v0B2M1B9', 'Rnu040ltdP', 'YjW0CJiTxA', 'vAm02VvSD0'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, VHi3s3NtEH1RWinr0v.cs	High entropy of concatenated method names: 'n64V2YEtB', 'VauqsXFrx', 'MiEFHINwL', 'QCyj8if9f', 'LLlMEvaYu', 'XgXPiY4Je', 'R74N42nW7tI3J74u0l', 'TtLrfeMqfCXhLPurCs', 'xqUimEP9T', 'zewXYHTYq'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, GmJ0wL0x4SgGlmvjuw.cs	High entropy of concatenated method names: 'Dispose', 'btWYCPyqY4', 'cQjNZiWqbR', 'cP5QQg2sdp', 'TkHY2RUqJO', 'rrhYzIgE8n', 'ProcessDialogKey', 'C3bN12wd9s', 'SDGNY1M5sE', 'eYcNN4qTkc'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, IfS7Uv38KYyX97WBrY.cs	High entropy of concatenated method names: 'AWm8yWuGJB', 'TSV8cVNAlm', 'quh8V94svP', 'PCk8qKBpaE', 'OEQ87QivoQ', 'biE8FPdhIB', 'yGS8jEjD6Q', 'Egi8gxdZds', 'CAE8MjHeNE', 'yFt8POEYg5'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, JBwEig6TuyiTxGBKtp.cs	High entropy of concatenated method names: 'rZlQgxhawD', 'IMxQMb1Qvr', 'KMjQ5ZCeWs', 'BHxQZZDkPb', 'IGfQKjeQVC', 'hueQR6LPEY', 'SMnQAQBj2B', 'x9xQOqCjqS', 'IbiQuLTcVJ', 'SXCQs0NgQt'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, Mlxon49XHd9jTYuKRQ.cs	High entropy of concatenated method names: 'ToString', 'XJsrshkvti', 'B8ErZjFbTH', 'Dq7rGUlEup', 'iKdrK00dVW', 'VLurRvVJPO', 'yVprWIDbHA', 'vTQrA4Iqq0', 'fg7rOa8ZmF', 'Bslr3kDy03'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, N9JKP1Y19rw0lMPMcpg.cs	High entropy of concatenated method names: 'mLpnyB3Iev', 'O63ncf8cRO', 'udknVBSdRG', 'J3Jnqtk7a0', 'OGen711jAA', 'LRPnFXJhTF', 'k5RnjfJ4Ba', 'BgnngKxgMB', 'OaYnMk8dHJ', 'N3vnPyKswx'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3accdc0.3.raw.unpack, UBRWdiZ9HZOJSbONkK.cs	High entropy of concatenated method names: 'scDK2MCFJQcNiaPOWyt', 'vIJ7iUCoWNNCv16mEMH', 'FfXIikwsnX', 'tGRInTHm4L', 'KXJIXB12PB', 'o0ra80CB3X8yE7j7VeL', 'F5Z0kDCy9AICHquO5IZ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, WDu24wMlQIEWaQwpfHXwdgNG7RJ4K5Y3bc5hVwls9Fj1cTY3HpvtBcqLeH6gaDiVDpDYXKIIuXaOlu2lCAJTOwdsnqwm1PXfsVw.cs	High entropy of concatenated method names: 'nzpq34I2Owdcl9fMv5UC2J5bWAhYRAKaulM2epxdlOUgYAwStJcbsQF2LV7', '_3TV7y1L0UdqugSHqWSFDQgjIB1RLAMta0zbdfnGtgjiEucMaYzlPshW9VtV', 'pjvrCbuiTImLYchYZBIntOVyvPn3ZfSMtWVvNsM0Nvur9iH1fX2B8axAglC', 'jI7KmqV1ayX8qwmay9TzwN1cwR8kqb0h8EMRQLIOnFHgagzy7qGeZFVymwQ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, 8vDNxxr6KA56TLeIORtyRLSVXe.cs	High entropy of concatenated method names: '_00wnbuD6N1v3u4tAFw3wul2CM0', 'fbuqWesh3CVNj2RtuGY4FmHJps', 'HFqUUv7DJAEEhvrSsywavqaOIT', 'lO3fdbWbA8cdJSM60XZlTyTo1nRw6RJ0TkcvaWTmeXkk', 'o454lDfZaM893ftJX7v3O4qrjBaqZgXKn8MLidOK6Wep', 'dGQ7XoqybmSzxfRt5TDkZgPg2kC5INkjb6ybBBTnIQBQ', 'qnxpDMttXO5Q6RWMOugTF1OB5xiLTvjjuAAVGH4HMLQO', 'HeZsr9e5BNhQhw2tx7EzDGOu3oFSOtiNHoENJsbWOQXf', 'DJjUyYbm7hNYuN3aTC7191TEVjaM3TCFuJXKVoTOyfXP', 'gZOiEnnJ6n7BiHg1PhnYUfFDonaGra3pPadwz8Md8Lwa'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, TvXNMPQzFStCY57ElDLFZF5wAWyu0HVKP74m0eYWEhLZU5ek0outej2CSyzPAywwqGzOP32wGaNx3OfXdD6rsa5uWywfJM4PgHN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'cqdgMqYlqVr2WPbYU5d9YHP80OHFw99M9Y6CT3Cr4bu1pDH343obGJOq7xC', 'g5ZfxcIQ2yYANiEqDIDYC5MiH24kf8WoOop4sg9QRmMmIwIekfETxLRXPUs', '_26HTuFzrNZYByDsAEiZbqNFA59SdHCtVcYm4RrYlYDtfKTpyB7EqJpy61DM', 'Hta5nog2yoVHh9zNcyUS7cXHn92CKJeikSJ96C9reTxLwGxghqe54UiXCun'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, JJqNIbmAEnE7SiPqGMTQm6czGZ9oDVL8xeYwvixsqiqWp3UZE3bbHqW0DPuSoU7Yz04fIfeMVsV3xLKVxXwRTrLXVvtHRM473Hj.cs	High entropy of concatenated method names: '_0wZ0aYgmMl7kCbvj6Ou4SqrdhKMFXGYofIhw64PZvBBBcVwz8edGsmoVjHZbxfJWPFhXcFK7G5Pkh3B9nMhjygTmnsyHZe5BwKO', 'wKAxAa74PvSccIjVWKrzIU9aAbAaHgp2F7R6H71jGdpLfaJQlfMmCgmIYeOq3bhY2kwGWp326CXODtRaQ1K7UejHfChjJCsd4w6', 'mblvCI5AALNqM17akKxCiwWFqw4LHtX9ugJUzGVJ5hX19rmDg285YT5yERlcJs18nWe8lJA3wuvI431UqKVZVz65vnGkNFR36WN', '_7CaW1EWN4UJVbiroC1AJiLX9lGWRa1euvVKutGGoR8xtke3Xu7QmRXrUL6xaZijXX9TQVdzIzydglyCWCssa48rnFFFPU2xct98', 'GywKF26peTAjyqmA0CwBA9qjJy4zhnHgjQ3LQ24bOXCR5e8HHJQUHzAMBVF6ruq9Qx8IW2od06bo2WNzKmI5vXL99DfhdVs0lR0', 'wJj4dvHtMignilEHYXN1NqGKGCvTZPsAQfYt5ZUtqcHgRruffEstHQHFzzP', 'z8wKUA2RKriNaMffEKpb4ppJCmTntUt8oajciBxfzbgAWeF0darr6JKmGCE', 'gDKN5mrHJddJ7SGyk37vE8BX8FDQO4LE9MUKXE6gr3ZBhTUKPL1dpb7nZJU', 'q59SA0UWlBieLpkTGLZQ2MuXoOR0y6UAwZUuPLi7j5XLYpj5l0PTYnG4bR2', '_5HnHp0XZFWIe58Rxw2X8ec6Ak3NpUsaEP4gwO8SsoiNMr9hESe9256VyQLT'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, 0jpphwwqZqta9yNAU1rmvPgO8j.cs	High entropy of concatenated method names: '_1Rspokhmbe63QRMYYW7YaeFX0v', 'yq2uAsopTtMnLlhOp3DDOI5x0D3nFRlhWfKcOXT4v4gy', 'P6kUAuGkBsoDc6hkTCoEjAFeZebruUYkj9lWD5A2Wa30', '_5fL5nT5bzWd4k9YU5fI6Mpi6WWp4SBBmZ5CDOZK7cqqb', 'OZMMPGeVcmQdHwJF9epKtonlDSwhlOm5WEq7HAmYKxkl'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, Q2VLf67ZeHqHFizIAZhVexibwwBCU1qqCtwKctsvWtFDiqJPT9GKM3qd0DpkVXm58k5C2RCzfG05ymKuUh92.cs	High entropy of concatenated method names: 'LdFLkiKlLrIfANYkDqDQXycHmXxIRUaNL4TkP4RHu7gZe8lku41k0ght9Et3VdaNL2d3xxicXkR3nKgFLeTJ', 'HFKY311DFA0CknBmafbCyAhvOzvwUW3ViyV49tKstRpT8xAE2GnNPEVulKkb5ija7d4jHOKsf5tq0JZu3yzP', '_0Sb0jSn74vlKCTBycSpeKCKh8YVnIEDot37X0YY8eiqItyMOkMMnEHcDx87GiyxSyRglhdcD2PfetzhD4OQv', 'oaGsaY395ldYCvAX6WxuCpu4ToG9fV2z5tOYwsJcZ5WUXesjqC4oPF69K1QpSsQ7gFX5LmiVjo2HXeH06dJ3', 'Jvg1iNjm2BnGEK9IIpgoplw6Fr0GV7T4vOumLInDXwY0x4C7t6WTPgLEDEOjf44CUQacC30IEtGAWjL1KcxM', 'erIkWKvNLiY2o8ryEih0Eq4ui5nGIqCHNiSsMAnAy9xaqzkqpDDH8VaOOFprVmT3M2Ikaye65nLjquYxw1E0', 'XZN7O3p3PknQ8oiGMcm2nUKm2u4J2dqNsvpWsGAEBCnitAPO84VpGDc6njiiTqqghHeXC3ltqdDBds0326Am', 'GanNgRzx9YmKSxobPaRmKvYnZEBvFAUCoPdDSV29IjNGNpAsix8wOUqtZnIRoKjLONyRAl2amIDRhhSMEsvR', 'aSPD3e3gL7inuMeKBXU5aaNxfyuloxHqiCgBrqZNzpio6yary8g4U7qoSVAKB9M5aK8JZ4JL7frwEPIWLNii', 'tMNw0i1eU1cZcutvPHlHjmT4OmNObT1BsuhC6uw8Dnbb4boPq9pTjoXX239rQ1OxsNBiYEUDmDjXfN7SxgnS'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, kaHZoyXSlsqJiGMDmYfIITVF1t.cs	High entropy of concatenated method names: '_6Uc2JxshDBPfgjJCqPzKspkSU6', '_0EOkSBhN5BPczbdrIiryIEVhy9Jcydn0pQbJMd8zvSPb', 'xq6aEromiLWyTaoNny5Z75jxKNwfdMWW98IhSvJ6oZpR', 'U9ZFrYbS9G7idln1Gk7gDwUXZHcoxvNGRUMapKTfcdMn', 'ywQd4pM6VBs57Lkeaqj7cUzstOyB2LDnY1mqhMKk3XiZ'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, MA7oxPPspVKDSv5kbor4FnogXhSLqN9jk8XGyoEg4DmabG3T3zwnypMQ3ZJUTHsOLdOneQe3sw7pXikdZGn4uDbXtV5HzjkClf7.cs	High entropy of concatenated method names: 'bCUGVYnUqZyhFAZbEOF8KW3BuhcghQFp4XbpthrY6K0XxuF4hMaEIWAIpnB3sTgPgCko4dcZKitOlvJ4V9gmqXXdcZBfSDK9PWi', 'gDbp8urZptnAbj0zWQ7gFA2VSwEQMOJWyzCYgjq8ln8fED06jOLIa7FsNFZl81vOShWbUSbuI29QzqPYJpDv', 'l2qBqfPnflox0oUMwDgwc6T2D0lpuAvDPkD4apKf5Wd14y3XcjfkBS1Ndh3Gc8tw5VLgrW3tjRK8zSoKU0aU', 'hoypSSF61Ev12VdcpSWsuCsz8EiMN0p8VwXX510nTgecdRq3auorXQHedcwtI5XSdv3Jd1tDQQJqUMUluGmb', 'YV1XISLVVJ5Y0mBVcHk1dNPhFHKtppPBBjKUhzkde4VTAu2v4uTmDptxzRPlgs8IOiTvVMXi4VuQJk2v9LPM', 'Uo8HKkXeQThRMnP47TFhsmst4pNfLPDeHcfjtIgOLBoBIOlIOPHVs8TPXtX8A6Po5jCiQgFkesG3YNZjzcF7', 'XbuhqAjsSjImWGTWc0QyDqw4o38ZrGLkTeO7gQZHxpjqTP2daTBnRUPSuLKXqlSvS3PhLJwzRrIQQzIUfZs9', 'HCdwGWSVOU9ZMemoUSROkkB37ldP2pm0vIb58nnbPUZ5niX0gO6PXVkJ3d6wXEGpbO7ygUwE4Y4divvJYUCm', 'UmQJWM9T5XTdAv5EWIqg0EbL73yYEejk7kvUSMPBkUrj5MBOxAgEkqWEnW47gLT9HaKc0isLagCWLN4qPZj6', 'ijmQHVULTzVwclrwpq3xcMYgi1lhxhpu2IixdEaz11jtj8gwM8u23SVGpFCmLZxJ53H9WIkqaguItBf4PvKG'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, LQsPA89PDgnCWG85KTzaHUxHxV.cs	High entropy of concatenated method names: '_4csOR5COJp8Nw3svOgBiOEei9M', 'oveHTjECO0IF9XGehFIVHW7lat', 'yRio6ujIz4vsYwBFUmeCDplhI8', '_2lHxdw84riTaEpvOtTBEqGkKfx', 'vGXLg0twHPePs16E9gmC5qtgJi', 'amALwgZEgu6vjk9VJ0l2nLE3Ld', 'rSUlQxAaBUIsMYMhkDoSbV6fZj', 'wJ3YLoJiM8fEsrTjaaxtEvrjUC', 'cjkSPRge0PhwjImVXL1VszhHEk', 'caCxIgsVfZKzYuJ3bbMJuPWieY'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, xtLYoziFoUXIYcdlBH3lx0uJoM.cs	High entropy of concatenated method names: 'DyiS7GCf6yJBfx6mBb9DkUiW0c', 'fiQpyAo0IBbeBuurlZXXD0ovlh', '_8WbDzYCEqnK691DDZQiYMS38tS', 'uxjvrYaAM1okWt3r2WV930uiBi', '_5tnbXy7KCwX4Q0gToPZK5Hx9h9', 'kFc8o3QG5lEqswQDaulholu0z4', 'nDwUZxUoLoII7NnxtAegToyTjy', 'fWo08S8ROrOcbRLfn78U2ZYTED', 'TJbvllUdEJV2xqcRQt0BGAMsWD', 'bjftBidTyaRZhAraXSu114o6Sd'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, JUB65gENfsG0iP8C7s.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LNPNC2Kcll', 'LBjN2cydxc', 'kQyNzJFyqQ', 'Jomh1DMPX2', 'UCvhYy8jit', 'wj4hNkPIgg', 'J7fhhMxn7T', 'dwHcfwWQGqQvHrnhBZP'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, fgvd8dYhAflbBDpDvTZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yZJXDAx5f3', 'ifIXHLGPEp', 'y6bX9jKhE3', 'V8EXvfuEtH', 'v3AXaOvYml', 'VAZXtieWcG', 'jQSXB11emv'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XXDmbLd9uuG89CX5aB.cs	High entropy of concatenated method names: 'X4nhpZ7Kn1', 'UIChLsqNZ2', 'Ocuh0yvHxP', 'XuVhE2LgQa', 'QSkhlnO9gG', 'e0LhIZWR47', 'kZnh8c4EQC', 'UYVhdbLvS9', 'mybhmrOgCB', 'X73hbNFPTf'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, m2wd9sCHDG1M5sEkYc.cs	High entropy of concatenated method names: 'WrGi5NeHQr', 'hdviZIf00O', 'BVuiGpoOxZ', 'nEIiKXHmZu', 'jnJiD3f9q1', 'rNUiRaW2md', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, JibAjpvD5PxaPydrtT.cs	High entropy of concatenated method names: 'gfXTbyVYU5', 'a80TJRwu1j', 'ToString', 'WZsTLpahwZ', 'A6wT03vplf', 'sRSTEstDsu', 'nsGTlkNgDq', 'S7sTIohyu9', 'UleT80v3ls', 'zMJTd3IkkS'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, V3XIkc5uc7tqoLOPiN.cs	High entropy of concatenated method names: 'TdZIpfx0Yv', 'hTrI03QBRp', 'hTqIlF327v', 'FJhI8JllIy', 'BcuIdnNVmY', 'V7ElaDt14a', 'IvxltYfeBT', 'AhRlBXmUDx', 'VXBl4FTDdi', 'jsrlC0DGc4'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, cUTqJeMfeeolr70tjM.cs	High entropy of concatenated method names: 'xagEq1irBr', 'znnEFOT5kG', 'Gf1EgZmmsO', 'LF7EM9pjK5', 'EI9EwsMP5j', 'kSjErdXrUu', 'jPBETGft9P', 'LykEiZHCUL', 'VrJEnDPw2T', 'vZnEXSZEXM'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, YYd3ckPpsqIPtPvdOh.cs	High entropy of concatenated method names: 'hell7Mpbmk', 'vlNljrl8Fy', 'n1nEG2sQau', 'zSjEKGQ2qF', 'PLEERZx1x7', 'cnxEWYGyTZ', 'hBaEAW1b12', 'gl4EOORHFV', 'L9oE305W0n', 'atbEuIO7ws'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, BshbxMDXZdfCcPj3wL.cs	High entropy of concatenated method names: 'CV8wu3Vvwc', 'YkewfAqXr4', 'qVrwDe16yb', 'J73wHhCBkF', 'zRPwZsjaw1', 'zYIwGLS8dD', 'BiGwKHQq0y', 'llXwR0KsBq', 'dCmwWNSk5P', 'VnIwAUvi4v'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, dHRUqJ4OirhIgE8nF3.cs	High entropy of concatenated method names: 'rwbiLYXUFZ', 'FhWi0V9yZH', 'GLNiESGQrj', 'zulilNIPxp', 'Eq5iITCwjM', 'WNii8AhbpI', 'qS6idGPnT1', 'r11imCJyjl', 'AtGib1qdSj', 'A1qiJvKIkB'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, oB1Og3k0NYb990Ae35.cs	High entropy of concatenated method names: 'UWWY8AcPXI', 'NsCYdSiVYB', 'ufeYbeolr7', 'gtjYJM2Yd3', 'FvdYwOht3X', 'ikcYruc7tq', 'c7moWyTryEaFmuSlYO', 'UARxs89LcfrJAfEXVY', 'JT4YYOmipl', 'mTLYhADi4t'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, XmRYtHtEGiTolgw2RG.cs	High entropy of concatenated method names: 'gcvT4aRS5u', 'v2TT2Zv528', 'S1Oi1nVggl', 'HmgiYOauS0', 'D7wTsKqP3d', 'ELTTfxicsi', 'sb3T6iOKEA', 'zHhTDaC0jf', 'QTsTH8qEFm', 'WSvT98HDUP'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, BdFO0OAtpJtT4Uebio.cs	High entropy of concatenated method names: 'Uqt8LC9fW2', 'SEY8E16UF9', 'Jfo8IvQuEi', 'THwI2QJJsl', 'MToIzaE0Kv', 'APp81HQjcy', 'cZK8YqGsbo', 'mqt8NOs7Oj', 'BCn8hEMF2M', 'BaG8kQUEYc'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, BBwwaoz63p12C4XmDq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c4KnQ4Zb0H', 'Elunw9YmQB', 'B69nrEfCPj', 'TYmnT8AcDB', 'gijni8erlv', 'KhvnnyGYby', 'c6tnX2DoTl'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, WqTkcP2NCvqM6IhxAp.cs	High entropy of concatenated method names: 'ztYnYsgLuX', 'EeHnhwntmm', 'jMZnkaQGjA', 'ubZnLMTTDU', 'u34n0OQx6E', 'fkqnlmoiSX', 'furnIKXoct', 'mebiBANs95', 'd6Oi4S1qj3', 'mM7iC7KCxo'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, alwGGMWCCL34v7eV6q.cs	High entropy of concatenated method names: 'sTlI9rUMUh', 'XehIvooCtJ', 'DPfIaL1YNX', 'ToString', 'BZ1ItRxSSC', 'CZsIBsOibE', 'tcFWw8CAlDLcyjdk7sl', 'dEH8D0C266yh1sMr4rX', 'N3YQohCLvaRgF1pG2Kh'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, JAcPXIgusCSiVYBJ5V.cs	High entropy of concatenated method names: 'dc70DPyhn0', 'GJR0HyRSZx', 'rNX092Wbov', 'bX90v1poIE', 'KfY0aiv0Rr', 'UZX0tdvKxu', 'T1v0B2M1B9', 'Rnu040ltdP', 'YjW0CJiTxA', 'vAm02VvSD0'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, VHi3s3NtEH1RWinr0v.cs	High entropy of concatenated method names: 'n64V2YEtB', 'VauqsXFrx', 'MiEFHINwL', 'QCyj8if9f', 'LLlMEvaYu', 'XgXPiY4Je', 'R74N42nW7tI3J74u0l', 'TtLrfeMqfCXhLPurCs', 'xqUimEP9T', 'zewXYHTYq'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, GmJ0wL0x4SgGlmvjuw.cs	High entropy of concatenated method names: 'Dispose', 'btWYCPyqY4', 'cQjNZiWqbR', 'cP5QQg2sdp', 'TkHY2RUqJO', 'rrhYzIgE8n', 'ProcessDialogKey', 'C3bN12wd9s', 'SDGNY1M5sE', 'eYcNN4qTkc'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, IfS7Uv38KYyX97WBrY.cs	High entropy of concatenated method names: 'AWm8yWuGJB', 'TSV8cVNAlm', 'quh8V94svP', 'PCk8qKBpaE', 'OEQ87QivoQ', 'biE8FPdhIB', 'yGS8jEjD6Q', 'Egi8gxdZds', 'CAE8MjHeNE', 'yFt8POEYg5'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, JBwEig6TuyiTxGBKtp.cs	High entropy of concatenated method names: 'rZlQgxhawD', 'IMxQMb1Qvr', 'KMjQ5ZCeWs', 'BHxQZZDkPb', 'IGfQKjeQVC', 'hueQR6LPEY', 'SMnQAQBj2B', 'x9xQOqCjqS', 'IbiQuLTcVJ', 'SXCQs0NgQt'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, Mlxon49XHd9jTYuKRQ.cs	High entropy of concatenated method names: 'ToString', 'XJsrshkvti', 'B8ErZjFbTH', 'Dq7rGUlEup', 'iKdrK00dVW', 'VLurRvVJPO', 'yVprWIDbHA', 'vTQrA4Iqq0', 'fg7rOa8ZmF', 'Bslr3kDy03'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, N9JKP1Y19rw0lMPMcpg.cs	High entropy of concatenated method names: 'mLpnyB3Iev', 'O63ncf8cRO', 'udknVBSdRG', 'J3Jnqtk7a0', 'OGen711jAA', 'LRPnFXJhTF', 'k5RnjfJ4Ba', 'BgnngKxgMB', 'OaYnMk8dHJ', 'N3vnPyKswx'
Source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.3a78fa0.4.raw.unpack, UBRWdiZ9HZOJSbONkK.cs	High entropy of concatenated method names: 'scDK2MCFJQcNiaPOWyt', 'vIJ7iUCoWNNCv16mEMH', 'FfXIikwsnX', 'tGRInTHm4L', 'KXJIXB12PB', 'o0ra80CB3X8yE7j7VeL', 'F5Z0kDCy9AICHquO5IZ'

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File created: \draft bl - cls930 khh-toledo(via nyc) so6615#u21928152 wkh2406122.scr.exe	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 6704, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 7B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 8B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 8D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 9D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Window / User API: threadDelayed 377	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Window / User API: threadDelayed 9478	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7006	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2768	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1600	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7922	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7100	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2630	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1047

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 7124	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 2000	Thread sleep count: 377 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe TID: 2000	Thread sleep count: 9478 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7080	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep count: 1600 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep count: 7922 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2484	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep count: 7100 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep count: 2630 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5828	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3384	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5600	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4154902010.0000000000E29000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe "C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157659471.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7156, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 3.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.29946f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.299dd08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.291b204.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4157659471.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 6704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe PID: 7156, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	29%	ReversingLabs
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	29%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
104.250.180.178	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://www.microsoft.	0%	Avira URL Cloud	safe
http://www.microsoft.dgx	0%	Avira URL Cloud	safe
http://crl.microso	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://crl.micro	0%	Avira URL Cloud	safe
https://aka.ms/pscore6lBdq	0%	Avira URL Cloud	safe
http://www.micr.	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1759461319.0000000005608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1798429624.00000000058F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1847804492.0000000005BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1885772234.0000000003147000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.1753255534.00000000046F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.00000000049E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 0000000C.00000002.1931436415.0000000008768000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1885772234.0000000003147000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.	powershell.exe, 00000007.00000002.1804108576.00000000074DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1885772234.0000000003147000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.dgx	powershell.exe, 00000004.00000002.1762650445.000000000715A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 0000000C.00000002.1931436415.0000000008743000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microso	powershell.exe, 0000000C.00000002.1931436415.0000000008768000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lBdq	powershell.exe, 00000004.00000002.1753255534.00000000045A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.1753255534.00000000046F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.00000000049E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004D16000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1759461319.0000000005608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1798429624.00000000058F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1847804492.0000000005BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1917450792.0000000005C28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.micr.	powershell.exe, 0000000C.00000002.1931436415.0000000008768000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000003.00000002.4157659471.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1753255534.00000000045A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1787557027.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829335893.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1890067884.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe, 00000000.00000002.1701380532.0000000006AC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519263
Start date and time:	2024-09-26 09:28:37 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe renamed because original name is a hash value
Original Sample Name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO66158152 WKH2406122.scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/21@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 298 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1700 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7140 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
03:29:29	API Interceptor	7838827x Sleep call for process: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe modified
03:29:34	API Interceptor	47x Sleep call for process: powershell.exe modified
08:29:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.250.180.178	6122.scr.exe	Get hash	malicious	Remcos	Browse
	6122.scr.exe	Get hash	malicious	Remcos	Browse
	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse
	BNE400266900B - RLS SO# W317pdf.scr.exe	Get hash	malicious	Remcos	Browse
	BNE400266900A - BL NO.BNE400266900.pdf.scr.exe	Get hash	malicious	XWorm	Browse
	(Draft) - SO# L539-SE2409060 Cut off #Uff19-15 - CHR# 487700191.scr.exe	Get hash	malicious	Remcos	Browse
	SEA - SO#L539 (SO+INV+PKG+ISF+VGM).scr.exe	Get hash	malicious	XWorm	Browse
	rSO3315RCOHBLKHRTMP249013CO240913.pdf.scr.exe	Get hash	malicious	Remcos	Browse
	rBLNO.KHRTMP249013-SINGAPOREEXPRESSV.002W.scr.exe	Get hash	malicious	XWorm	Browse
	SO#5087 (SO+INV+PKG+ISF+VGM) #U8acb#U67e5#U6536.scr.exe	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	6122.scr.exe	Get hash	malicious	Remcos	Browse	104.250.180.178
	6122.scr.exe	Get hash	malicious	Remcos	Browse	104.250.180.178
	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse	104.250.180.178
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	91.202.233.158
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	91.202.233.158
	SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf	Get hash	malicious	Unknown	Browse	158.46.140.169
	BNE400266900B - RLS SO# W317pdf.scr.exe	Get hash	malicious	Remcos	Browse	104.250.180.178
	BNE400266900A - BL NO.BNE400266900.pdf.scr.exe	Get hash	malicious	XWorm	Browse	104.250.180.178
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	91.202.233.158
	aL8prAD2gL.js	Get hash	malicious	XWorm	Browse	82.102.27.171

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.log

Download File

Process:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.37859781817162
Encrypted:	false
SSDEEP:	48:YWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZvUyus:YLHxvIIwLgZ2KRHWLOugMs
MD5:	1F82C60AA85E60E61C4A04C0D499EC02
SHA1:	B7D0189CD0D580E7B0FC6AD1129CD2D41D22D34D
SHA-256:	6ECEF0FFDB1FF7C6BC74AA5C63898D3BF274B6DD64B5A590E88C2578853AEEEE
SHA-512:	18FE94F5C7662327B0B69BE43EA7A590CC492AE7812556013F21098D820CFED67933D7DEF58FD5ED6031FE1232CAC2D75612BC495DC7D9E36A8F1A3FD3441F5E
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ekzbwv0.p1r.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wjuv0yg.gdq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_45trmmj0.et1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4affsnnl.cx0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4k4ffrjg.rsw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5d2ki1vs.kv5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cp2etgf2.dg3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqkphgh1.ems.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esz3eelj.ihu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghjd1qdr.q0h.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ji3rva4a.kx0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l52mmcxd.dra.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1wssa4w.kiu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nobnflej.mbh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_voj25otp.zt1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z53vlonu.rh4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 26 06:29:55 2024, mtime=Thu Sep 26 06:29:55 2024, atime=Thu Sep 26 06:29:55 2024, length=467456, window=hide
Category:	dropped
Size (bytes):	764
Entropy (8bit):	5.066230599922801
Encrypted:	false
SSDEEP:	12:8p/E1249YWC05cgdY//Qe307LQB+jAsPyrHkgTBmV:8yp9DRX+oe30/eCAsaYgTBm
MD5:	90077EB2380C3B64872D35EB6004BCCB
SHA1:	5BC8DEAB9D6348C1A7139FC062D99D8ADF4565EA
SHA-256:	0FD147D5E4F068A37F938A6233BCFEBB86CE97DDCD2E4B4011A8FCA65A6B0BBE
SHA-512:	901003129D3465FF4DA6FBE9881E58270D7249E90457598B024C8D5194C66A79D2A28C00B643FBFFFB1BA87D9312ACA2910688A0A5376EC3223BF391C082EE75
Malicious:	false
Preview:	L..................F.... ............................"......................v.:..DG..Yr?.D..U..k0.&...&......vk.v....g.~................t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^:Y.;...........................%..A.p.p.D.a.t.a...B.V.1.....:Y.;..Roaming.@......CW.^:Y.;..............................R.o.a.m.i.n.g.....b.2.."..:Y.; .XClient.exe.H......:Y.;:Y.;..........................7w.X.C.l.i.e.n.t...e.x.e.......Y...............-.......X....................C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......648351...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	467456
Entropy (8bit):	7.781161232242831
Encrypted:	false
SSDEEP:	12288:233e8Afk0P3AzBJoIBkO0cTmhNrDjJlkxhjCRdtTJ8y:2Ifk0P3AzTmlcCfnJmzj
MD5:	C9F0C69A4CD0B678F239A9E7AAE10202
SHA1:	E2AE9B8C6074E9DBFE76A9A65E7D0CA8367CCC20
SHA-256:	5B18E86B916AFE8F7F7E4CED40194C8A24B4C731BBBE175B52485DE2A6B0BBB2
SHA-512:	4BCFBE3A29BB342470D7DD8422C66DC48C04C04F7E77CC0EF564CACD05D593970EC1EAC2AA7191507A7D2CB233AF8BC4BF9F61DACE222C84863E6F067B3C7C2B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....S...............0.............J7... ...@....@.. ....................................@..................................6..O....@.......................`....... ..p............................................ ............... ..H............text...P.... ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B................,7......H........]...3......#....................................................{...."..}........0..f...........3...%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%..r...p.}.....(........0.._........s....}.....s....}......}.....(.......(......{....(.......{....(......{....(.......{....(.......0............{....r...po.......o.....+d..(.......{......3...%..oB....%.r...p.%..oF......(.....%.r...p.%..oD......(.....%.(.....(....o........(....-...........o ...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.781161232242831
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
File size:	467'456 bytes
MD5:	c9f0c69a4cd0b678f239a9e7aae10202
SHA1:	e2ae9b8c6074e9dbfe76a9a65e7d0ca8367ccc20
SHA256:	5b18e86b916afe8f7f7e4ced40194c8a24b4c731bbbe175b52485de2a6b0bbb2
SHA512:	4bcfbe3a29bb342470d7dd8422c66dc48c04c04f7e77cc0ef564cacd05d593970ec1eac2aa7191507a7d2cb233af8bc4bf9f61dace222c84863e6f067b3c7c2b
SSDEEP:	12288:233e8Afk0P3AzBJoIBkO0cTmhNrDjJlkxhjCRdtTJ8y:2Ifk0P3AzTmlcCfnJmzj
TLSH:	DAA40245260EDA03D4DB57F40661D2F85778DECDB626D603AFEA3DEBB8AAB401840743
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....S...............0.............J7... ...@....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x47374a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA253E3D7 [Wed Apr 19 21:53:27 2056 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x736f8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x74000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x76000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x72090	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x71750	0x71800	8e4dd1fbe878348186418cfc87e3b716	False	0.9142281284416299	data	7.792568924601146	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x74000	0x5bc	0x600	0de094e7d14d67e457c4e465604c4bc2	False	0.421875	data	4.111859359927468	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x76000	0xc	0x200	c6c3feccfb43d348448fb3fcc506283b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x74090	0x32c	data			0.42857142857142855
RT_MANIFEST	0x743cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T09:30:02.802636+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:02.802636+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:08.628620+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:30:08.962164+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:08.964287+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:30:20.973253+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:20.975460+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:30:32.889033+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:32.889033+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:33.412087+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:33.413633+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:30:45.002007+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:45.005280+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:30:57.012454+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:30:57.014370+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:02.823186+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:02.823186+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:04.412709+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:04.414742+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:07.882357+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:07.883802+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:15.562221+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:15.563682+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:15.802470+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:15.807134+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:16.042648+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:16.046972+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:19.782731+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:19.785121+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:27.192457+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:27.194140+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:27.442501+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:27.446848+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:28.742668+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:28.745385+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:32.813207+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:32.813207+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:40.782127+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:40.788167+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:42.525665+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:42.692372+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:42.693996+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:42.932564+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:42.933779+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:43.183952+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:43.193856+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:48.052358+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:48.055078+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:31:49.702634+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:31:49.705554+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:01.842445+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:01.844448+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:02.813443+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:02.813443+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:05.562477+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:05.565501+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:17.572248+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:17.574542+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:19.431312+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:19.433395+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:19.482480+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:19.484480+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:25.203003+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:25.209578+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:28.158775+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:28.160298+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:32.807536+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:32.807536+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:39.892313+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:39.899093+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:48.582506+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:48.585058+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:32:56.132081+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:32:56.133895+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:02.812362+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:02.812362+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:08.152178+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:08.155208+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:11.595965+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:11.599125+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:11.772678+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:11.775468+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:12.029641+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:12.037697+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:12.262393+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:12.266913+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:14.302148+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:14.303636+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:16.882548+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:16.884758+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:17.102313+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:17.104126+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:17.586354+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:27.612367+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:27.619218+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:27.842075+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:27.844008+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:28.342318+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:28.344263+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:30.210763+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:30.215414+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:30.219256+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:31.272656+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:31.274158+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP
2024-09-26T09:33:33.442643+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442643+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442773+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442773+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442812+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:33.442812+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:39.902399+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.4	49741	TCP
2024-09-26T09:33:39.903361+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49741	104.250.180.178	7061	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:29:56.526504040 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:29:56.531426907 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:29:56.533459902 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:29:56.612713099 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:29:56.617695093 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:02.802635908 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:02.853404045 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:08.628619909 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:08.633564949 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:08.962163925 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:08.964287043 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:08.969022036 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:20.634859085 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:20.639740944 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:20.973253012 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:20.975460052 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:20.981620073 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:32.650618076 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:32.655628920 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:32.889033079 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:32.947086096 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:33.412086964 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:33.413633108 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:33.419147968 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:44.666408062 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:44.671216965 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:45.002007008 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:45.005280018 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:45.010202885 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:56.681967020 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:56.687021017 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:57.012454033 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:30:57.014369965 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:30:57.019260883 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:02.823185921 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:02.868957996 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:04.072721958 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:04.077744007 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:04.412708998 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:04.414741993 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:04.419758081 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:07.556755066 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:07.561901093 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:07.882356882 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:07.883801937 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:07.889377117 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:15.228825092 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:15.233897924 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:15.259876013 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:15.264890909 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:15.338078976 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:15.343040943 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:15.562221050 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:15.563682079 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:15.568510056 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:15.802469969 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:15.807133913 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:15.812062025 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:16.042648077 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:16.046972036 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:16.051805973 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:19.447535992 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:19.452828884 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:19.782731056 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:19.785120964 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:19.790457010 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:26.869273901 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:26.874284983 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:26.884838104 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:26.889688015 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:27.192456961 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:27.194139957 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:27.198981047 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:27.442501068 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:27.446847916 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:27.451642036 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:28.416299105 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:28.421147108 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:28.742667913 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:28.745384932 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:28.750174046 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:32.813206911 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:32.853405952 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:40.431988955 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:40.436937094 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:40.782126904 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:40.788167000 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:40.792988062 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.369468927 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:42.374382973 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.431869030 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:42.436793089 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.447545052 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:42.452454090 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.463052034 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:42.467904091 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.478624105 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:42.483472109 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.510051012 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:42.514859915 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.525665045 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:42.530757904 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.692372084 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.693995953 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:42.699148893 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.932564020 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:42.933779001 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:42.938739061 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:43.182143927 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:43.183952093 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:43.188864946 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:43.188915968 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:43.193744898 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:43.193856001 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:43.198632002 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:47.713249922 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:47.718101978 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:48.052357912 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:48.055078030 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:48.059895992 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:49.373687029 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:49.380865097 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:49.702634096 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:31:49.705554008 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:31:49.710544109 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:01.385453939 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:01.390526056 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:01.842444897 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:01.844448090 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:01.850424051 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:02.813442945 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:02.853504896 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:05.228734016 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:05.233716965 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:05.562477112 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:05.565500975 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:05.570373058 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:17.244385958 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:17.249389887 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:17.572247982 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:17.574542046 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:17.579551935 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:18.932631016 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:18.937711954 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:18.948345900 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:18.953241110 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:19.431312084 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:19.433394909 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:19.438281059 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:19.482480049 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:19.484479904 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:19.489340067 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:24.869465113 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:24.874425888 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:25.203002930 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:25.209578037 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:25.215620041 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:27.556941032 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:27.762938023 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:28.158775091 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:28.160298109 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:28.165179968 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:32.807535887 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:32.853487015 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:39.572468996 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:39.577569962 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:39.892313004 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:39.899092913 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:39.903913021 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:48.259979963 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:48.264947891 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:48.582505941 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:48.585057974 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:48.589878082 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:55.807249069 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:55.812215090 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:56.132081032 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:32:56.133894920 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:32:56.138832092 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:02.812361956 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:02.853569031 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:07.822447062 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:07.827526093 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:08.152178049 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:08.155208111 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:08.160114050 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:11.181931019 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:11.187350035 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:11.197649956 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:11.202486038 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:11.244472027 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:11.249882936 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:11.259968042 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:11.264795065 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:11.595964909 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:11.599124908 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:11.604041100 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:11.772677898 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:11.775468111 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:11.780365944 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:11.793633938 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:11.798434019 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:12.023282051 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:12.029640913 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:12.035526991 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:12.037697077 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:12.042687893 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:12.262392998 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:12.266912937 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:12.271882057 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:13.963103056 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:13.968084097 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:14.302148104 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:14.303636074 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:14.308413029 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.541366100 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.546802044 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.556907892 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.561674118 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.588257074 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.593065977 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.603837013 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.608607054 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.650593996 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.655412912 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.775693893 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.780587912 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.853859901 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.858855009 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.869390011 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.874200106 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.882548094 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.884757996 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.935311079 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.935359955 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.940180063 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:16.963155985 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:16.967931032 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:17.102313042 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:17.104125977 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:17.108848095 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:17.584492922 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:17.585478067 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:17.585496902 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:17.585566044 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:17.585566044 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:17.586354017 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:17.591145039 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:17.591337919 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:17.596189976 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:17.596370935 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:17.601139069 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:27.103996038 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:27.284784079 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:27.284903049 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:27.289695978 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:27.612366915 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:27.619218111 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:27.624080896 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:27.775897026 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:27.781140089 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:27.842075109 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:27.844007969 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:27.848910093 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:28.342318058 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:28.344263077 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:28.349134922 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:29.635147095 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:29.640084982 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:30.210762978 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:30.215414047 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:30.219255924 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:30.219480038 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:30.220138073 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:30.619621992 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:30.624492884 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:31.272655964 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:31.274158001 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:31.279036045 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:33.442642927 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:33.442773104 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:33.442811966 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:33.442826986 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:33.442842007 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:39.572606087 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:39.580302954 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:39.902399063 CEST	7061	49741	104.250.180.178	192.168.2.4
Sep 26, 2024 09:33:39.903361082 CEST	49741	7061	192.168.2.4	104.250.180.178
Sep 26, 2024 09:33:39.909802914 CEST	7061	49741	104.250.180.178	192.168.2.4

Target ID:	0
Start time:	03:29:28
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Imagebase:	0x4f0000
File size:	467'456 bytes
MD5 hash:	C9F0C69A4CD0B678F239A9E7AAE10202
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1695289605.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:29:30
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Imagebase:	0x240000
File size:	467'456 bytes
MD5 hash:	C9F0C69A4CD0B678F239A9E7AAE10202
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:29:30
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe"
Imagebase:	0x680000
File size:	467'456 bytes
MD5 hash:	C9F0C69A4CD0B678F239A9E7AAE10202
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4152855220.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4157659471.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:29:33
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Imagebase:	0x2a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:29:33
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:29:37
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe'
Imagebase:	0x2a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:29:37
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:29:41
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x2a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:29:41
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:29:47
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x2a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:29:47
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exePID: 6704, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	149
Total number of Limit Nodes:	7

Executed Functions

Function 04DF7358 Relevance: 3.3, Strings: 1, Instructions: 2040
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ppdq, xrefs: 04DF7636

Memory Dump Source

Source File: 00000000.00000002.1700653028.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID: Ppdq
API String ID: 0-2552977383
Opcode ID: 9c2553a53582da75de4b436dc40aff6b8c3801ad8d45e2eee1ca72f3e2232843
Instruction ID: bccd659141f9d3389016165aaf469fba536eb8ed5eceb79dd0455f5e55d6a4c0
Opcode Fuzzy Hash: 9c2553a53582da75de4b436dc40aff6b8c3801ad8d45e2eee1ca72f3e2232843
Instruction Fuzzy Hash: C523E534A10218CFDB25DF64C894AD9B7B5FF8A304F5191E9E609AB361DB31AE85CF40

Function 04DF7368 Relevance: 3.3, Strings: 1, Instructions: 2020
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ppdq, xrefs: 04DF7636

Memory Dump Source

Source File: 00000000.00000002.1700653028.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID: Ppdq
API String ID: 0-2552977383
Opcode ID: 574f2ca4b4789914c5bf2b314bca511920039f6b37b3fd05263b56f7604c797e
Instruction ID: c46ae4ec5ffd57ad72ce986f5a6f1ec63520dee75b6e412ca77c8df81d200b4a
Opcode Fuzzy Hash: 574f2ca4b4789914c5bf2b314bca511920039f6b37b3fd05263b56f7604c797e
Instruction Fuzzy Hash: 5823E534A10218CFDB25DF64C894AD9B7B5FF8A304F5191E9E609AB361DB31AE85CF40

Function 00EFB0A8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EFB2FE

Memory Dump Source

Source File: 00000000.00000002.1694921212.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b46521b065a32c6f7d05bc6ad6231cf04154a56ef9faca8e324e726205cbdae8
Instruction ID: 60e84f3494dec0fd7517ee538fabac70140c14a425a6bbc690630349b3a126ec
Opcode Fuzzy Hash: b46521b065a32c6f7d05bc6ad6231cf04154a56ef9faca8e324e726205cbdae8
Instruction Fuzzy Hash: 0D711470A00B098FD724DF29D45576ABBF1FF88304F008A2DD58AEBA50DB75E945CB91

Function 00EF590C Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EF59C9

Memory Dump Source

Source File: 00000000.00000002.1694921212.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c7aa4e30361c4eedd0407648c1c482584cedd06bc8bb1f40a05513487121fa4f
Instruction ID: a7aaaf84882b507417ce91cf3add530ade5d4f73605ec1575108ea95095b6b8a
Opcode Fuzzy Hash: c7aa4e30361c4eedd0407648c1c482584cedd06bc8bb1f40a05513487121fa4f
Instruction Fuzzy Hash: 8441F2B1C00B1DCBDB24DFA9C885BDEBBB5BF49314F20816AD508AB251DB716946CF90

Function 00EF5A84 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1694921212.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406ebdbd328502e4e0175c95353498e53a5ec4161e3886420c9f089a47694517
Instruction ID: cc64505289ce44c038db755fa2d8e87046008ce3059cc99c634a7e7bbdf12e5e
Opcode Fuzzy Hash: 406ebdbd328502e4e0175c95353498e53a5ec4161e3886420c9f089a47694517
Instruction Fuzzy Hash: 8C4102B2C04B4DCFDB14CFA8C8452EDBBF0EFA6324F208189C255AB251D775A906CB51

Function 04DF155C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04DF4381

Memory Dump Source

Source File: 00000000.00000002.1700653028.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e2df4b1c513f8e011ff0de2306ac52bcd89eab8e4fda8edcda664561d2ad23f4
Instruction ID: 0e444e7a3fa2900f871c046cd7d8fc254adc51d0284b77f0d8b9d8df96c2cbc1
Opcode Fuzzy Hash: e2df4b1c513f8e011ff0de2306ac52bcd89eab8e4fda8edcda664561d2ad23f4
Instruction Fuzzy Hash: 834149B4A003099FDB14CF99C848AABBBF5FF98314F25C459D619AB321D734A841CBA1

Function 00EF44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EF59C9

Memory Dump Source

Source File: 00000000.00000002.1694921212.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7ddd9367e2755aea451024c48d9f699c624c53686930ca822ffe7f30f05b2a9b
Instruction ID: 1caf43d661dc9a43e7a5d2073f823dc465e29ba8ebfb205fb0d33cce2a39eb57
Opcode Fuzzy Hash: 7ddd9367e2755aea451024c48d9f699c624c53686930ca822ffe7f30f05b2a9b
Instruction Fuzzy Hash: 1141D2B1C00B1DCBDB24DFA9C844B9EBBB5BF88314F20816AD509BB251DB756949CF90

Function 00EFD0B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EFD54E,?,?,?,?,?), ref: 00EFD60F

Memory Dump Source

Source File: 00000000.00000002.1694921212.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5fbb329f367264e42a29907a75bf51081e416030fb8b291a12c9c3db2cdb89ac
Instruction ID: 255b7056c352355567e4129c1a7c9b0e0f214f618271d2979c7bc7884ce91b32
Opcode Fuzzy Hash: 5fbb329f367264e42a29907a75bf51081e416030fb8b291a12c9c3db2cdb89ac
Instruction Fuzzy Hash: 4D2105B59002089FDB10CF99D884AEEBFF5EB48314F14801AE918B3310D374AA54CFA0

Function 00EFD581 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EFD54E,?,?,?,?,?), ref: 00EFD60F

Memory Dump Source

Source File: 00000000.00000002.1694921212.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2d7ce6ac6c9fb10121e4ab27a5af4c24aa1b63ae545d46976b05670dec6e395
Instruction ID: dff05177ac2e0b0b5cc15fd6ca0ce37d6238e24280bf50927f7d360036a50617
Opcode Fuzzy Hash: e2d7ce6ac6c9fb10121e4ab27a5af4c24aa1b63ae545d46976b05670dec6e395
Instruction Fuzzy Hash: 5221E0B59002099FDB10CFA9D984AEEBBF5FB48310F14841AE918A3250D778AA54CF65

Function 00EFB298 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EFB2FE

Memory Dump Source

Source File: 00000000.00000002.1694921212.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cca734f6a94f9afc8d8bad99a1b8328289d3cec15c5fba2ea75ad42192ff3d1c
Instruction ID: 28c1b6fa0ddc1696467cd8b978c361493b992c2d28c3bf3bda07abf65fb3b3cc
Opcode Fuzzy Hash: cca734f6a94f9afc8d8bad99a1b8328289d3cec15c5fba2ea75ad42192ff3d1c
Instruction Fuzzy Hash: F5110FB5C003498FCB10DF9AC844A9EFBF8AB88324F10841AD919B7210C375A645CFA1

Function 00D4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694640827.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef432853cc0d62da71f74940c5e2c255ce21edb134bae835212515bd540a508
Instruction ID: a3cf90f88eb54b6de1191011c91c384dc15411d2337ef1a5481250c20e4a77b2
Opcode Fuzzy Hash: aef432853cc0d62da71f74940c5e2c255ce21edb134bae835212515bd540a508
Instruction Fuzzy Hash: 922137B1604240DFCB05DF14D9C0B26BF66FB98328F24C66DE9490B256C736D816CBB1

Function 00D5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694707550.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d5d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe8fb67a3969aadec2acacf75707ecf97f759ea2dedfc183ed84bd47f463443
Instruction ID: 1d05ef15a605964298557f6e199ca4f4ce9979db859c1dbf3d1344dfdcd320bc
Opcode Fuzzy Hash: dbe8fb67a3969aadec2acacf75707ecf97f759ea2dedfc183ed84bd47f463443
Instruction Fuzzy Hash: BB21D375604200DFDF24DF18D9C4B16BBA6EB94315F24C569DC4A4B396C33AD80BCA71

Function 00D5D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694707550.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d5d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db5566f92892dd2a1666a8ed3bce78865412e4d3f2737cf2d1083dcd994d273
Instruction ID: 6d048eb84ac6ddd023c3ce324f58868940cb536d496f873851956f6cdd7c1d08
Opcode Fuzzy Hash: 1db5566f92892dd2a1666a8ed3bce78865412e4d3f2737cf2d1083dcd994d273
Instruction Fuzzy Hash: F1215E755093808FDB12CF24D994715BF72EB46314F28C5EADC498B6A7C33A980ACB72

Function 00D4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694640827.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: daa70cc6d67ad9f2fb185435b9361b8a35db6054e06734f285a71d2e6a2648d7
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 8211E676504280CFCF16CF14D5C4B16BF72FB94324F28C6A9D8494B656C336D85ACBA1

Function 00D4D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694640827.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120a20953d63d6e3890685d116a211f1d81568ac69e6dff5f1b8a49d8330a001
Instruction ID: a34292cad6aebcf7d71615f8e8eb920638e11e77fc16041cc00f1a8343fdc3f7
Opcode Fuzzy Hash: 120a20953d63d6e3890685d116a211f1d81568ac69e6dff5f1b8a49d8330a001
Instruction Fuzzy Hash: 4201F2710083449BE7108A29CDC4B66BFE9EF61366F2CC81AEC4A0A282C2789C40C6B1

Function 00D4D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694640827.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d4d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ee7b163c731413eb305d34445b321f5151e57e3a0ac59750a434bf0533d24f
Instruction ID: 90229aae31f1bade21af54301ef78f75a97c02721aca39a7c6e32943f2b58684
Opcode Fuzzy Hash: 73ee7b163c731413eb305d34445b321f5151e57e3a0ac59750a434bf0533d24f
Instruction Fuzzy Hash: 64F0C2320043449BE7108A19CD84B62FFD8EB91335F18C55AED090A282C2799C44CAB0

Non-executed Functions

Function 04DF1090 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

, xrefs: 04DF11E9

Memory Dump Source

Source File: 00000000.00000002.1700653028.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3162483948
Opcode ID: d3717aa3b2997a57518dceb54b86fbd1d646be0c3b2aea355c871fe5a58a1068
Instruction ID: b10f56f154521b2d07ae7841cbeb77d53eaa1a16ad3816544d88ec2abe2aee9c
Opcode Fuzzy Hash: d3717aa3b2997a57518dceb54b86fbd1d646be0c3b2aea355c871fe5a58a1068
Instruction Fuzzy Hash: 7AA18870A007059FDB15EF79D89056EBBE1FF883007048A6AD54ADB356EB74EC46CB90

Function 04DF0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700653028.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b721d9c496032db98fb821e4229bac4def4d3b04c701908e8bf261ff67952a8
Instruction ID: 7bfacbd238367cbc2f2333aa1fb846ecbffa1b6da1e42a28cdfeb1cf4b3cdf9f
Opcode Fuzzy Hash: 3b721d9c496032db98fb821e4229bac4def4d3b04c701908e8bf261ff67952a8
Instruction Fuzzy Hash: FF12CABAC82B458BE390DF25E94C9893BB1B740314FD14A29D3625F2E5D7BC216ACF44

Function 00EFDE4C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694921212.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8665398d470d97f8e8c622ea69b5f5de3e95b7b430957ea32787ad49dccbb3a1
Instruction ID: e2c7c61f40d9b4cb88802c2c90c999db0163a0ebd3ed602771e3e7dd7da1d56b
Opcode Fuzzy Hash: 8665398d470d97f8e8c622ea69b5f5de3e95b7b430957ea32787ad49dccbb3a1
Instruction Fuzzy Hash: 75A15D36E002098FCF05DFA4C8805AEBBB2FF88304B15557AEA05BB265DB71ED15CB80

Function 04DF0007 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700653028.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9762b24c822053f63f5242864d9818f02b9f046ca7105838f588983176883fde
Instruction ID: 0cfd2c3a2881d02d8b12786f5fef675fccefb799f3b6dd7f772528809a67dac7
Opcode Fuzzy Hash: 9762b24c822053f63f5242864d9818f02b9f046ca7105838f588983176883fde
Instruction Fuzzy Hash: 02C14EBAC427458FE790DF24E84C9893BB1BB85314F914A19D3616F2E5DBBC216ACF40

Function 04DF9D47 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700653028.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297e721fe83af7c96b5c7bcb0d2156d1d3cf1630266fe6cdc7c22304cc889f18
Instruction ID: 6663434ea966acee165a8020b105e84b79dcc8f3facd4fc2167be57245f4bd40
Opcode Fuzzy Hash: 297e721fe83af7c96b5c7bcb0d2156d1d3cf1630266fe6cdc7c22304cc889f18
Instruction Fuzzy Hash: 91316C0299AE79DBEB6114A74CE77C62BD0C36B23AF005740D33C902D2F88844EBC386

Analysis Process: DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exePID: 7156, Parent PID: 6704COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	0

Executed Functions

Function 00D1AFBC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D1B5EE,?,?,?,?,?), ref: 00D1B6AF

Memory Dump Source

Source File: 00000003.00000002.4154195373.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7920a010992c1488f2bdb3ad94e95c6bb618aeaa00872cdef7c399f9fddcf423
Instruction ID: 7ac61a36d68813bcd2bbf538da93878cba2c7273240cd420cff1da7540bc1e7e
Opcode Fuzzy Hash: 7920a010992c1488f2bdb3ad94e95c6bb618aeaa00872cdef7c399f9fddcf423
Instruction Fuzzy Hash: E321E5B5900308AFDB10DF9AD984AEEBBF4EB48320F14841AE914A7350D775A954CFA4

Function 00D1B620 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D1B5EE,?,?,?,?,?), ref: 00D1B6AF

Memory Dump Source

Source File: 00000003.00000002.4154195373.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e8d0e60f7416b4d45b8f9748f0bb8ef3dc85d05b2d78d05ad0cb109836faf42f
Instruction ID: 9434ebffa7dbe93fff696d71775bc9e8220eaa769aa0006f10b688590a808cc3
Opcode Fuzzy Hash: e8d0e60f7416b4d45b8f9748f0bb8ef3dc85d05b2d78d05ad0cb109836faf42f
Instruction Fuzzy Hash: 6C2116B5900308AFDB10CFAAD984ADEFFF4EB48320F14841AE918A7350D374A944CFA0

Function 00D162A0 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00D16323

Memory Dump Source

Source File: 00000003.00000002.4154195373.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 84957d3ed770c28c8ee1e2a06b8c1958de88f7a06831961c7a2b4b3e40577e57
Instruction ID: f25f2965212ba18438abeef445f8b0b3aa48b5b250cfaf43e93bd56d7a4b3c6e
Opcode Fuzzy Hash: 84957d3ed770c28c8ee1e2a06b8c1958de88f7a06831961c7a2b4b3e40577e57
Instruction Fuzzy Hash: 4D2134B5900209DFCB14CFA9D944BEEBBF5FF48320F14842AD459A7290CB74A944CFA0

Function 00D162A8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00D16323

Memory Dump Source

Source File: 00000003.00000002.4154195373.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 35714820be8c6d9f3c586ce7f28ea2c7bd503003815d57b9cbae001da1bccad4
Instruction ID: fccec52eb3f6b2bb493b7757e37e6ccb73ee41b7f76dd8c5dadf2aac2bd2b207
Opcode Fuzzy Hash: 35714820be8c6d9f3c586ce7f28ea2c7bd503003815d57b9cbae001da1bccad4
Instruction Fuzzy Hash: 592127B1D002099FCB14DFA9D844BDEFBF5EB88310F14842AD419A7290CB74A944CFA1

Function 00C6D428 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4153626683.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c6d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4cc3a15c8e53b6910863e9a04c7acad50228b7e47158fa43dc07e7010d63b1
Instruction ID: 27771cda9842116c6cec0d6057badb945a401c67183ca0098fdb73d2e4ab2474
Opcode Fuzzy Hash: aa4cc3a15c8e53b6910863e9a04c7acad50228b7e47158fa43dc07e7010d63b1
Instruction Fuzzy Hash: F42136B1A00200DFDB21DF14D9C0B26BF65FBA8324F20C569E80B0A246C736EC56C7A1

Function 00C8D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4153881574.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e96e5047a0b6666e055e0b1afdadc016d458e009ebb086e91647c6d4fe326b
Instruction ID: 592a113cc1a367fd862f0876d40a68672eab22ef39923d40c91393dc5f07f442
Opcode Fuzzy Hash: 13e96e5047a0b6666e055e0b1afdadc016d458e009ebb086e91647c6d4fe326b
Instruction Fuzzy Hash: B421F575604204AFDB05EF14D9C8B2ABBA5FF94328F24C96DD80B4B296C736D846CB61

Function 00C8D01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4153881574.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0e77055d7d757cd21e5e33c8c0ab9d6def6e0bc0413ad0b573c82bc964fd4e
Instruction ID: 69b74dfa75d599c53cb5ef6b09a16a21b4c3bc6411f88c5fdafbe69cbfdf3ee5
Opcode Fuzzy Hash: 6b0e77055d7d757cd21e5e33c8c0ab9d6def6e0bc0413ad0b573c82bc964fd4e
Instruction Fuzzy Hash: B121C271644300EFDB14EF24D9C4B26BBA5EB94318F24C66DD90A4B391C336D847C765

Function 00C8D005 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4153881574.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5271c1adcee243a7b9b732084fda03c55e79054349ddb3af5863e249c78ed02b
Instruction ID: 778f4eb9e5b58bdf356df7ebc1a5b3ca0e850e17edfc7f8f07754b3e757fd74a
Opcode Fuzzy Hash: 5271c1adcee243a7b9b732084fda03c55e79054349ddb3af5863e249c78ed02b
Instruction Fuzzy Hash: 3321A1755093C08FCB12DF20D994715BF71EB46318F29C1EAD8498F6A3C33A984ACB62

Function 00C6D423 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4153626683.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c6d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: c132a0e69f3303ebe3402024d52b989d0b3eeda92a76eb8e11922479425105c9
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 53112676A04280CFCB12CF00D5C4B26BF72FB94324F24C5A9D80A0B656C336D95ACBA2

Function 00C8D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4153881574.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c8d000_DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 73b32457c51bfaf35444bca35ed06de0a21f6d89f447bf9928418cc56f8153e1
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 9111D075504240DFDB05DF10D9C8B19BB71FF44328F24C6ADD80A4B296C33AD94ACB51

Analysis Process: powershell.exePID: 2304, Parent PID: 7156COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0443B490 Relevance: 2.8, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ynn^, xrefs: 0443B557
{Ynn^, xrefs: 0443B6F0, 0443B6F5

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: {Ynn^$Ynn^
API String ID: 0-2520045421
Opcode ID: fd86fec3dc359c925d255b67da7f495cae00ed4ce4b116e1032f1c10656bb37e
Instruction ID: fb4f5fcbc75ce9540815e63132612096f0e138474ae77aa98a68ef900c0c2d02
Opcode Fuzzy Hash: fd86fec3dc359c925d255b67da7f495cae00ed4ce4b116e1032f1c10656bb37e
Instruction Fuzzy Hash: 90915EB0F007155BDF15EBB895116AE77F3EF84B00B04892ED506AB758DF38A9058BC5

Function 07102308 Relevance: 13.1, Strings: 10, Instructions: 646COMMON

Download Yara Rule

Strings

JJl, xrefs: 071023D1
JJl, xrefs: 0710237F
JJl, xrefs: 071025F6
rIl, xrefs: 07102559
JJl, xrefs: 0710259E
4'dq, xrefs: 07102619
rIl, xrefs: 0710254F
4'dq, xrefs: 0710260D
JJl, xrefs: 071025EA
JJl, xrefs: 071023C5

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$JJl$JJl$JJl$JJl$JJl$JJl$rIl$rIl
API String ID: 0-426712688
Opcode ID: 7be7537658815c6bd06ae68a2732948468a2f8298062596fc7c482a6ea79d52e
Instruction ID: b9f05fe92e545c173a0add74f5f7c9da02290d1a6001fc7678aa2dafe84ea30d
Opcode Fuzzy Hash: 7be7537658815c6bd06ae68a2732948468a2f8298062596fc7c482a6ea79d52e
Instruction Fuzzy Hash: 402218B5B10215CFCB26DB688459AAABBE1BF8A311F14807AD905CF2D1DBB1CD41C7E1

Function 07103CE8 Relevance: 5.6, Strings: 4, Instructions: 584
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'dq, xrefs: 07104030
4'dq, xrefs: 0710418A
4'dq, xrefs: 07104180
4'dq, xrefs: 07104026

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq
API String ID: 0-2296240322
Opcode ID: 667fdcfa88cf58f34c538944b04fa935a841896d3fc2dcdd754807184e91a7e7
Instruction ID: 5bd4631d47bf68368a5e0bd2d80d2f0ee0271033c1169f61db82ee65e900a45c
Opcode Fuzzy Hash: 667fdcfa88cf58f34c538944b04fa935a841896d3fc2dcdd754807184e91a7e7
Instruction Fuzzy Hash: B21259F17002558FCB169B789851BABBFA2AFC6351F24806ADA15CF2C1DB71D841C7E2

Function 08526A38 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08526AA2

Memory Dump Source

Source File: 00000004.00000002.1766198038.0000000008520000.00000040.00000800.00020000.00000000.sdmp, Offset: 08520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8520000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: e6735dc6dfe811a3941d5c45a26ce84b191223b21d6b9eea1576fb8203691cc1
Instruction ID: 0d3d889e41cb6eef26d98460b71d617bfccaccf66187d333ad7b5de46b119a0a
Opcode Fuzzy Hash: e6735dc6dfe811a3941d5c45a26ce84b191223b21d6b9eea1576fb8203691cc1
Instruction Fuzzy Hash: C71116B59003488FCB10DF9EC445BDEFBF9EB89320F14845AE559A7250C774A944CFA1

Function 08526A40 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08526AA2

Memory Dump Source

Source File: 00000004.00000002.1766198038.0000000008520000.00000040.00000800.00020000.00000000.sdmp, Offset: 08520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8520000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: b9c8e0cd20ffa31b837deb5a54f8ab69779e939069eb168fb0ccc03787f9b79b
Instruction ID: 875107a047f0b567f3c08677563fca80c39a7346707c79653e9c5d1fe21d1d4a
Opcode Fuzzy Hash: b9c8e0cd20ffa31b837deb5a54f8ab69779e939069eb168fb0ccc03787f9b79b
Instruction Fuzzy Hash: 471125B59003088FCB10DF9AC848B9EFBF8EB88320F14845AD519A7250C774A944CFA0

Function 0443E5B9 Relevance: 1.4, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JJl, xrefs: 0443E6EA

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: JJl
API String ID: 0-415269788
Opcode ID: 9d9c1b74da1308640618cf086d669650171309249f3989fb65628d2cc0d220c5
Instruction ID: 1d9f918ea7f164bc304916156992585baafe2420e30088bbaae85c05d0413250
Opcode Fuzzy Hash: 9d9c1b74da1308640618cf086d669650171309249f3989fb65628d2cc0d220c5
Instruction Fuzzy Hash: C1419D74A002189FCB20DF79D55069EBBF1FF48301F10856AE41AA7391DB30AE09CF90

Function 04436FE0 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(hq, xrefs: 04437105

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: e4d1a31806f3c5abcb3680b182bd41facee1eb418091b8befcedc1130588602b
Instruction ID: 16ad818e6e5b43a0cb3761c68c76dd78bc0d694b8759f3a44ad7f45533c58833
Opcode Fuzzy Hash: e4d1a31806f3c5abcb3680b182bd41facee1eb418091b8befcedc1130588602b
Instruction Fuzzy Hash: ED415F74B042048FDB15DFA8C458AAEBBF2EF8D712F148499E446AB391DB35ED41CB60

Function 0443E640 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JJl, xrefs: 0443E6EA

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: JJl
API String ID: 0-415269788
Opcode ID: 5a03efe4ebfa4f66e91a9982cdc4be3a2d8d0201a6bd779755bbfcabfb1af250
Instruction ID: c90aaa6afbd04d866411bcae3362f99280f86f22a0b7f485cceaca13caa28f91
Opcode Fuzzy Hash: 5a03efe4ebfa4f66e91a9982cdc4be3a2d8d0201a6bd779755bbfcabfb1af250
Instruction Fuzzy Hash: B0318D70A002199FCB24DF69D554A9EBBF2FF48301F148629D41AA7394DB30AD05CF90

Function 0443AF98 Relevance: 1.3, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&dq, xrefs: 0443AFBA

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: (&dq
API String ID: 0-1586597270
Opcode ID: 7771c01c51956b5fc3a50f9e8a50b2b9b8f051286d8f6ab993d8275abec8371e
Instruction ID: 5e5a5274b570e36b5f9341b719052a3a9f0dcc4206a6254798d69d29096e1f57
Opcode Fuzzy Hash: 7771c01c51956b5fc3a50f9e8a50b2b9b8f051286d8f6ab993d8275abec8371e
Instruction Fuzzy Hash: DE21DE75A042588FCB14DBAED4047AFBFF6EF88320F14846ED459E7341CB39A9058BA5

Function 0443DC88 Relevance: 1.3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/nn^, xrefs: 0443DCBE

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: +/nn^
API String ID: 0-874490571
Opcode ID: 8d7bcb73f248e3f854b3f3714424d03de63ee1470fccf96abc920a7bb6f2b506
Instruction ID: 548c00ad27a59702a39b0f691f1855eeb5015e14266f8a0f9f6f2e891de93929
Opcode Fuzzy Hash: 8d7bcb73f248e3f854b3f3714424d03de63ee1470fccf96abc920a7bb6f2b506
Instruction Fuzzy Hash: A0F0E976B056145BCF16566DB8104EF7BAADECAA73700006BE44DCB640DE14BA0547F2

Function 0443DC98 Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+/nn^, xrefs: 0443DCBE

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: +/nn^
API String ID: 0-874490571
Opcode ID: 06b7a8cbe774f40b53c85d1a6e74829d210bd63acd50830c8e15d4d2bf5e56c9
Instruction ID: 5014bfeae5548e53ea74329ec3c79395a6bc944d1f41302ea8e060634187f9a1
Opcode Fuzzy Hash: 06b7a8cbe774f40b53c85d1a6e74829d210bd63acd50830c8e15d4d2bf5e56c9
Instruction Fuzzy Hash: 82E0C271B006140B8B12A66EA81086F77EBDFC9A72314446FE00AC7340DF68EC024BE5

Function 044329F0 Relevance: .2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ebc8c5202d5126adce39c9549cc111dcd38230645c2298a8fdf8b09ab468ca
Instruction ID: f7db58323a310ae018ac386d0649350c8030054936f585f784e0062d9af8085c
Opcode Fuzzy Hash: 71ebc8c5202d5126adce39c9549cc111dcd38230645c2298a8fdf8b09ab468ca
Instruction Fuzzy Hash: 0E918C74A002099FCB15CF99C4989AEFBB1FF88710B24859AD915AB3A5C735FC51CFA0

Function 04437740 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df5f46ad4c4a4a17680c55ef60c922ec083d8fe3d28e325dbe9a445881a8240
Instruction ID: 31b08c790d41bdd6157a340a346cdeb3c776b6704c0b7322cd32713d47bbb492
Opcode Fuzzy Hash: 7df5f46ad4c4a4a17680c55ef60c922ec083d8fe3d28e325dbe9a445881a8240
Instruction Fuzzy Hash: 5B51B0703042059FDB159B69D844A2B7BEAFFCD716B1484AAD549CB351EB31EC02CBA0

Function 0443BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1b4b5646f556436b5529c9ac930b4780fc548d185805123d5f3fe65f184555
Instruction ID: ffe25d3b1627bbef3e025068e558720c324c08ca036c9d9a008a9b3e6c7a05e7
Opcode Fuzzy Hash: 7e1b4b5646f556436b5529c9ac930b4780fc548d185805123d5f3fe65f184555
Instruction Fuzzy Hash: 906127B1E002489FCB14CFA9C584B9DBBF1FF88711F19816AE819AB355EB34AC41CB50

Function 0443BAB0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a79b4c477137896ea8f4b190f73a8a7b062cb95ac12a769718d1d30202a9f04
Instruction ID: 4a99494b91d8dd6c8a996e2a5ede72b9279dddd68c2261a2d9fab071df26fc8e
Opcode Fuzzy Hash: 7a79b4c477137896ea8f4b190f73a8a7b062cb95ac12a769718d1d30202a9f04
Instruction Fuzzy Hash: 385116B1E002489FCF14DFA9D584B9DBBF1FF88711F18806AE819AB355EB34A945CB50

Function 0443E419 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82320f0e5e0ff43a49ecc168b03057936a7c54c1bf5b5ab1f572063f8acfdcb0
Instruction ID: 129da85f78175c20483a51383d0f22aefc4943fd5818b22207cf22e0784a5ed4
Opcode Fuzzy Hash: 82320f0e5e0ff43a49ecc168b03057936a7c54c1bf5b5ab1f572063f8acfdcb0
Instruction Fuzzy Hash: C54180B47002058FDB10DF6DC594A6ABBE6EF9C311B19886AE549CF351EB30EC058B91

Function 0443E428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c141b0158e2b87df9d093f92b5a401308e9dc671f21cae68f1a7fd210289a422
Instruction ID: 1a081cc6884926cd5952e725fff9e806bd77ffe9804c1de0585aaf8448b50c61
Opcode Fuzzy Hash: c141b0158e2b87df9d093f92b5a401308e9dc671f21cae68f1a7fd210289a422
Instruction Fuzzy Hash: B7416DB47002058FDB10DFADC594A6EBBE6EF9C315B288869E549CF351EB30EC018B91

Function 07103CCC Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac26be7ec3095e3ced40de28f812aff7c94811d1656916d2538dbb8f41c72252
Instruction ID: 852a391fd2e069096c814860f440d94814089561ead6f18afda9ef64622c18f9
Opcode Fuzzy Hash: ac26be7ec3095e3ced40de28f812aff7c94811d1656916d2538dbb8f41c72252
Instruction Fuzzy Hash: 454126F0A00202CFCB2A8F64C501AA7BBB29F81750F55819ED9249F2D1DB71ED44C7E2

Function 04432B00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c18d0256c23153b74c47bbc7fe3daa9d7e97029d6cd5c61f17bdcbfd71de18
Instruction ID: 7299e71d832acd0d7e2d3f74815790e73092a137c46c8c8e8d8392a4a15ed89b
Opcode Fuzzy Hash: 54c18d0256c23153b74c47bbc7fe3daa9d7e97029d6cd5c61f17bdcbfd71de18
Instruction Fuzzy Hash: AC4189B4A002099FCB06CF49C5989AEFBB1FF48710B25859AD815AB360C736FC51CFA0

Function 0443C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcfafee87ad931e180547beef0f224de16fa4edd8946a1f01631523027a73bf
Instruction ID: 1be2761497099b93bcd4f757567236dfa413af4d73853a2f50402f4c225e808e
Opcode Fuzzy Hash: 1bcfafee87ad931e180547beef0f224de16fa4edd8946a1f01631523027a73bf
Instruction Fuzzy Hash: 6931A0713002119FD705EB78E884BAAB7D2EFC8712F04866AE50ACB355DF74A845CB91

Function 0443AE60 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53dcf5bb0106f745d6f64b3e8d0780526ba06ace6845bda6afe86b8a4c512637
Instruction ID: 75ad66cc60715aac902e2e51cb25c53d2be6cb8fb239a902cfa19665f48a03c3
Opcode Fuzzy Hash: 53dcf5bb0106f745d6f64b3e8d0780526ba06ace6845bda6afe86b8a4c512637
Instruction Fuzzy Hash: 94317EB0A402099FDF04DFB9D5957AEBBF6AF8C711F14806AE505E7350EB349C418BA1

Function 04436FD1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336b0b4ba3c5f21a9323299d2510d78168bd885826a0797f8b7761db0070084e
Instruction ID: 272a29085d60af0ebc4ebfb01283f54fd5e544d24a881af9f79723b7a978df45
Opcode Fuzzy Hash: 336b0b4ba3c5f21a9323299d2510d78168bd885826a0797f8b7761db0070084e
Instruction Fuzzy Hash: 4A311E74B002158FCB15CFA4C598AAABBF1AF8D712F1984A9E445AB351DB31ED41CB60

Function 0443AD28 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d621eb448b8481070e65fd5fd193f3e63bfc9329034dab3e1f12978dd2b56a6f
Instruction ID: d24fc191c26bc70959591b5cc68898df5fee8c7ecab33d740dd74ae6b1dd5e43
Opcode Fuzzy Hash: d621eb448b8481070e65fd5fd193f3e63bfc9329034dab3e1f12978dd2b56a6f
Instruction Fuzzy Hash: 933190B4A002099FDB05DFA4D855BFF7BB2EF84300F1584AAD511AB395DB389D418FA1

Function 0443DFC0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfeb837d67453f42b596483ff89837afb5c853f666af1978ef31a6c2cdc05656
Instruction ID: 4d45e815a4962a6f470cda5060b239140e79f58eeb4bf5b1609a151f85e30a4a
Opcode Fuzzy Hash: bfeb837d67453f42b596483ff89837afb5c853f666af1978ef31a6c2cdc05656
Instruction Fuzzy Hash: 45318A74A002148FCB24DF69D458BAEBBF2AF88310F25456AD406E7390DF75AC45CFA0

Function 0443AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5442c5cd8eea17ea2522f729ea3ff2ffc9558e6508c299093b135f4c0d1d1c4
Instruction ID: 12aa49887c9aa5133b4b6f2f3b2eafbb61550bf62f2d0fcdd8c58715e130be0f
Opcode Fuzzy Hash: e5442c5cd8eea17ea2522f729ea3ff2ffc9558e6508c299093b135f4c0d1d1c4
Instruction Fuzzy Hash: AC316BB0A402099FDF08DFB9C5957AEBAF6AF8C701F14806AE405E7350EB349C018B50

Function 044393F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32460ffc942a34a0a0d0fe8ac6dbb95dbd2fdecfabf4df9ad7d8792b8911fac9
Instruction ID: ddb56dd74e00bd37ea75ca89b22931c34d63a99b7bc69fba71cfc2ae17ecda84
Opcode Fuzzy Hash: 32460ffc942a34a0a0d0fe8ac6dbb95dbd2fdecfabf4df9ad7d8792b8911fac9
Instruction Fuzzy Hash: 9F319AB59057449EEB60DF6AD0893DAFBF2EF88320F28C41AD44D97345DBB464818F51

Function 0443AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afae3590c753fee12c35ba894212ebdaeed8dfed7a3ce8a39f9bede0dfba0d38
Instruction ID: ae0bd2aae107de160ca1d6ba76d7b63ea85c1649c973f24e17cfb233b3aab164
Opcode Fuzzy Hash: afae3590c753fee12c35ba894212ebdaeed8dfed7a3ce8a39f9bede0dfba0d38
Instruction Fuzzy Hash: 5D314FB4A002099FEB04DFA4D495BBE77B3EFC4300F1584A9D511AB394DB799D018F50

Function 0443DFD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c16c748fc58ff4076497972925af794ad31614524125a81746357c098fc68cb
Instruction ID: d793f553349207ab7d997cacdf71610bd6c49fc253876be925f067e06ad47c88
Opcode Fuzzy Hash: 2c16c748fc58ff4076497972925af794ad31614524125a81746357c098fc68cb
Instruction Fuzzy Hash: 94315870A002148FCB24DF69D458AAEBBF2AF8C711F25456AD406EB390DF75AC45CF90

Function 07102700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a9a864acb1d3b3b41b58d284dc15d47bb1480e08969ac5611ae891d944ce18
Instruction ID: f6b7a3df9e1e1f80969ef462e2cf8ba903266589718ae5fb46cc73e5f709248a
Opcode Fuzzy Hash: 19a9a864acb1d3b3b41b58d284dc15d47bb1480e08969ac5611ae891d944ce18
Instruction Fuzzy Hash: DD21F1B9A1020ACFDB26CF58C58DB65B7E0BB55311F05C06AE8089B2D0C7B4D840CBE1

Function 02BEF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1748735797.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7a09a6e5502b66ea44da47e92c7b7faf8d0263072d1e030a9eae60b4693003
Instruction ID: 7dc3e309090cfa63cc985442e316f513939b0289210102942c1dfc24bf6aec1c
Opcode Fuzzy Hash: 7e7a09a6e5502b66ea44da47e92c7b7faf8d0263072d1e030a9eae60b4693003
Instruction Fuzzy Hash: 0421E575604200EFDF05DF54D9C4B26BB75FF88314F28C5A9E90A0A656C336D456CBA1

Function 02BEF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1748735797.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91517b3a882cf68120fea1bcbf8ddd80a056d502faf53abe32ce9a81e18ec547
Instruction ID: 9777ae08905c8e8f8feeda8df54d8233fd198fe6863ea751e9e69c14e2d6383b
Opcode Fuzzy Hash: 91517b3a882cf68120fea1bcbf8ddd80a056d502faf53abe32ce9a81e18ec547
Instruction Fuzzy Hash: 4621F275604244DFDF14DF24D9C4B26BBA5EB94324F24CAADD90B4B682C33AD846CB61

Function 04439400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6788d8f84004589880a1660cfc8cad537163b1f19c4b24bc13d5b4c7befeae
Instruction ID: 594aff03598f8d9f0474a5d11abdd92fb712b02f52471535baa34617634faacd
Opcode Fuzzy Hash: ef6788d8f84004589880a1660cfc8cad537163b1f19c4b24bc13d5b4c7befeae
Instruction Fuzzy Hash: 432168B1A057449EEB64CF6AC48838AFBF6EB88720F28C45ED84D97345D7B464818F61

Function 0443767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cd7a9a789a54e35f2515de2202375d0c80f980db097a0742c73b98091df568
Instruction ID: ade8ef3bf12d57029c9b3e352cb1a7edd090e0718e2438a497df8b1e6c0ffcb1
Opcode Fuzzy Hash: a4cd7a9a789a54e35f2515de2202375d0c80f980db097a0742c73b98091df568
Instruction Fuzzy Hash: 1B112B767002188FCF04DBA8E954AEE77F6EBCC722B0440A9E509DB311DB34ED918B90

Function 02BEF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1748735797.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction ID: fb3ff3839bfb4043ba9f9d6bdcebfeb8515a1154a42ede573e4018ebecd899b8
Opcode Fuzzy Hash: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction Fuzzy Hash: 73218C76504240DFCF06CF10D9C4B26BF72FF88314F28C5A9E94A4A656C33AD46ACB91

Function 02BEF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1748735797.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction ID: 975a663d3ab77a52b775e4576cf644b8e475ff95cc4accded6f3292ec8887bc9
Opcode Fuzzy Hash: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction Fuzzy Hash: 7E119075504284DFDB15CF14D5C4B25BF71FB44324F28C6AED84A4BA56C33AD44ACB51

Function 0443BCE0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42d2a6cbe645404e371d038bc80d8eb0dcbbeec503458551d93c6073ded23a5
Instruction ID: fb43e9eb18e582cd87640762bc7fce3d68391234b34489e042fe4657e893db47
Opcode Fuzzy Hash: c42d2a6cbe645404e371d038bc80d8eb0dcbbeec503458551d93c6073ded23a5
Instruction Fuzzy Hash: BE01C0316083448FCB14CB35D594AAA7FE1EF45610B1488EEE04AC77A2CA34FC45C701

Function 0443DCD9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1cc1e53c287e21555af42ea5440dfc4953cd3b55ab8994a0d73017a27f9ed2
Instruction ID: f9e936bd76435e27ae074742e85ad5d0a123f031a1666f7fe870d2ee9073db8b
Opcode Fuzzy Hash: 1b1cc1e53c287e21555af42ea5440dfc4953cd3b55ab8994a0d73017a27f9ed2
Instruction Fuzzy Hash: E40145B6F041449BCF14DB74E8014EDBFA2AF8C223F0444ABD44697301D921BC168BE0

Function 0443E100 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0839ac3d131d8e15745c17e365fc5b12d07fc903ac0d71372013d376a908fa7d
Instruction ID: 7badc444c8f14e504d0a29a4829c299b66d7ef2981057803d9f9413eec916aa5
Opcode Fuzzy Hash: 0839ac3d131d8e15745c17e365fc5b12d07fc903ac0d71372013d376a908fa7d
Instruction Fuzzy Hash: B21105352047508FC768DF79D48086ABBF6EF8931532489ADD48A8B7A0DB36F942CF50

Function 0443DE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f70575df7c9dccdb889449fd355acc65dec099ed09073e0f17802d944f36a4
Instruction ID: 30cd78b86536adbfc12eae237b8d0de6d6afb82ce24eab6009f3af838148d8f2
Opcode Fuzzy Hash: 03f70575df7c9dccdb889449fd355acc65dec099ed09073e0f17802d944f36a4
Instruction Fuzzy Hash: D0019235B002188FCB119F74E9086AEBBF5FF88315F044069E51AD3341DB36A911CFA0

Function 0443BF10 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36982ecbeb4b5e380fa7487aba75037001b137407ff9d3bd3ddd4bf0a713fca9
Instruction ID: 989c66951e29e553457bb5de49c28a5a154992d886bdccf308eb568063e5696e
Opcode Fuzzy Hash: 36982ecbeb4b5e380fa7487aba75037001b137407ff9d3bd3ddd4bf0a713fca9
Instruction Fuzzy Hash: 77F096363093A05FD7018B799C54AB7BFE9EF9966270940ABF494C73A2CA74DE048770

Function 02BED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1748735797.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3779b265ba276103642b048abd0d3f455c069c083d097b95778a8ae7876dc5b2
Instruction ID: 6a15a58ccf9ae2247a0051e3c73510eb369237d4b17466a40411e7d711829566
Opcode Fuzzy Hash: 3779b265ba276103642b048abd0d3f455c069c083d097b95778a8ae7876dc5b2
Instruction Fuzzy Hash: C501F2715083419AEB209A29CC84B66BFDCDF51325F1CC59AED1A0B283C7B99841C6B1

Function 0443F3C1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a41fab19265e25f97a6ded1abac852618c9a2c924a2778b8c75e277e7c77cd
Instruction ID: a550d4639c78f19b87b9840c626df6b951a7fe3eb69014a516ad5ce451ce50d0
Opcode Fuzzy Hash: f8a41fab19265e25f97a6ded1abac852618c9a2c924a2778b8c75e277e7c77cd
Instruction Fuzzy Hash: D0010876D0075A9BCB04DFE4D9456EDFBB0FF99300F10471BE015A6A00EBB0668ACBA1

Function 02BED006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1748735797.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce0a4dfadb1e172f503dae306ab7230f013ff1cd85cb184f2d77b164a9867ae
Instruction ID: d6652843ededd9cac10a8fb125e40c77bbbed9ca77250345a31ed3145f8e521e
Opcode Fuzzy Hash: 9ce0a4dfadb1e172f503dae306ab7230f013ff1cd85cb184f2d77b164a9867ae
Instruction Fuzzy Hash: FF015E7240E3C09FD7128B258D98B52BFA8DF52224F1D81DBE9898F197C3699845C772

Function 044390CF Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1252dda49836374d431d8e8bb6affe257deaa15575a6c76eb364e71faacca6
Instruction ID: 5636704ad973ff3337b37311f0d4837cf389efe4e19e11d24329c42e6cd23eac
Opcode Fuzzy Hash: df1252dda49836374d431d8e8bb6affe257deaa15575a6c76eb364e71faacca6
Instruction Fuzzy Hash: B20144B5A082446FD701A73594197EB7BB6CFC2314F1841EBC90A87686CD392946CBE2

Function 04437958 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46578dd5cd9f71642e28ea48413ce6f29f875c0a1bd5f166b866eeb65401506a
Instruction ID: b8bfefa82770ba0f52014117032742f9e16c3fbf83bfec8b9bbe7de7775e489f
Opcode Fuzzy Hash: 46578dd5cd9f71642e28ea48413ce6f29f875c0a1bd5f166b866eeb65401506a
Instruction Fuzzy Hash: 83F022312093545FC70197699C44A6F7BEAEF8A626B0045AEE04AC7242CE64AC0183B1

Function 02BED9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1748735797.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9346808d17b3f5c5469a2580ad33fc6675a63c215898ec9f88a84afc30c6af91
Instruction ID: 02a9add727d852bb65b7b828e36aaf4812a0d4d23c4bfee53bb7029977af40dd
Opcode Fuzzy Hash: 9346808d17b3f5c5469a2580ad33fc6675a63c215898ec9f88a84afc30c6af91
Instruction Fuzzy Hash: 28F0F976600600AF97248F0ADD85C27FBEDEBD4770719C59AED4A4B616C771EC42CAA0

Function 04439158 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8312c15b7ce0060a5b22f92fd4d3e78da5f614d7c9136170dbeffd3a30d20889
Instruction ID: a9f4c5d9fc0bb7b0b13ef69c18c53978b941b71b2b5fc14d0dc6524095dfc984
Opcode Fuzzy Hash: 8312c15b7ce0060a5b22f92fd4d3e78da5f614d7c9136170dbeffd3a30d20889
Instruction Fuzzy Hash: 9FF054765063044FD7619B78D8993D6BBE5FB45320F04449BE15AC7341CB396D858BA0

Function 0443DE38 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b805fe90e01793af8e0784baeb756af84be957903e922e4a9175ad1857f27994
Instruction ID: 3b8e399ff854a38509aa926d407add044281b8efe077a5b63369cc160b173074
Opcode Fuzzy Hash: b805fe90e01793af8e0784baeb756af84be957903e922e4a9175ad1857f27994
Instruction Fuzzy Hash: DEF05E797042404FC3109B2DD4548A6BBFAAFCE61571900AAE084CB732DA61DC11CBA1

Function 04438969 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7fe6c4a96a301919000ddf22e17f29aba910502d206ccd39222a96a84e6855
Instruction ID: 11e558336ea96673af9e414796aa7b658e3af84cfe6870172e099662d0c1cb58
Opcode Fuzzy Hash: be7fe6c4a96a301919000ddf22e17f29aba910502d206ccd39222a96a84e6855
Instruction Fuzzy Hash: 0EF082363093945BCB0A277568182E97F55EBC5635F040197D90587342CF685E4583E6

Function 02BED998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1748735797.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2bed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed4bfb7ec081783ff23e7870b4872d1f0103108b0ebf507f5ecfe517b0455a3
Instruction ID: 9d29fc790b5884c670e58ade7cae585136cab57eba9888a02eb45e991f4963be
Opcode Fuzzy Hash: 3ed4bfb7ec081783ff23e7870b4872d1f0103108b0ebf507f5ecfe517b0455a3
Instruction Fuzzy Hash: 86F03779100640AFD7258F16CD84D22BBA9EB95620B198489A84A4B312C771EC42CB60

Function 0443F3D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2e030b7130fc59e9cdb08ec8a949cbbc374cb95cb4ed65d5fc114b47eb3348
Instruction ID: 941affa7efbd2e8b8a67cde60770471bd005a52578dbbd884daed1a36e06151c
Opcode Fuzzy Hash: aa2e030b7130fc59e9cdb08ec8a949cbbc374cb95cb4ed65d5fc114b47eb3348
Instruction Fuzzy Hash: 5301E871D0075ADBCB04DFE4C9456EDBBB1FFA9300F10471AE005A6604EBB06696CB80

Function 04437968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635c9c20730cb4e7bb301e973b093bb5171ffe8d900b60b601be343eaabadce6
Instruction ID: 57830b33076f3ed1fe817f3eeea349b1864b169b2e1da812787b70b43b5fa314
Opcode Fuzzy Hash: 635c9c20730cb4e7bb301e973b093bb5171ffe8d900b60b601be343eaabadce6
Instruction Fuzzy Hash: 26F08C717006249FDB149A5AE844A6FB7EAEBC8666B00092EE14AC3740DF70BC4187A0

Function 04437697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e644393473d61976703225fd1addee885a312343de0813938cff877b0aff12
Instruction ID: 9442762756f00a77f08854b9baa52411ab9b676b3abc865532811744f0f88dde
Opcode Fuzzy Hash: 97e644393473d61976703225fd1addee885a312343de0813938cff877b0aff12
Instruction Fuzzy Hash: F4F0A7763001148FCF10DB6D99506AB7BE2EBCC7627054199E509CB311DF34DD428B91

Function 044390E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c705ebe20c97d35507e201a7bd67868029f4183557bbc472a40ad17ac8fd2371
Instruction ID: beb1071a50105b8fb31845963e70b292295bc116e844c299e04aad72b5e37e65
Opcode Fuzzy Hash: c705ebe20c97d35507e201a7bd67868029f4183557bbc472a40ad17ac8fd2371
Instruction Fuzzy Hash: 62F027B16041089BE700AB65C0183AF77E7DFC4314F1481ABC50A47388CE352845CBD0

Function 0443AF88 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244e61042c5c5b8acdc732dc2d053f5ea4565b5ab1123e29d7aa23cd85de9f8c
Instruction ID: 0e899d5ba20916e528d57609bde6b99f89e0d9522f3a5795447c9c9389c8c58b
Opcode Fuzzy Hash: 244e61042c5c5b8acdc732dc2d053f5ea4565b5ab1123e29d7aa23cd85de9f8c
Instruction Fuzzy Hash: DEE0DF2B3483D107CF16812A38100E6EF6B8ACB97130881BBF080DB642DC11AE0A43F2

Function 0443DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8094485c6008c95503098bd2de85d0d030e0354b851b05ec68610249df73294
Instruction ID: 25cfd53c22d647f966fbe69710adee2af68b9ad5ab38192af5902338839928bf
Opcode Fuzzy Hash: c8094485c6008c95503098bd2de85d0d030e0354b851b05ec68610249df73294
Instruction Fuzzy Hash: 2BE01A757006108F87109F1ED498C67BBFAEFDEB6671900AAE549CB731DA61EC01CB90

Function 04439549 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc90ac79baa660f22174e07c429d0328089e0f68305dc3a2c57fb09a23c7189
Instruction ID: 2ae171dce6138ba1d0cd5be5ee495a5a2843197a8d65b3928b4fae90e7eabb3b
Opcode Fuzzy Hash: 6bc90ac79baa660f22174e07c429d0328089e0f68305dc3a2c57fb09a23c7189
Instruction Fuzzy Hash: FED05B97741115275D54B4BB18506FBE5CF8BCCCAA709003BE905C3742ED60ED0543F2

Function 04438739 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2498659b2651be4ebd364f65654cf7814bfecd44ee8b41ea3755984a45202a
Instruction ID: 196692dea585d1bcb8c34bf8faa09752ac658ca7ff65b834f67d7644f70f5700
Opcode Fuzzy Hash: cd2498659b2651be4ebd364f65654cf7814bfecd44ee8b41ea3755984a45202a
Instruction Fuzzy Hash: 92E04F3A80420E9BCB08BB74E90A4FEFF74FA00711B00016AE94683680DE306A4ACAD1

Function 04439168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5f862216c7ae60d487dfba38660cf19a357d9fd21170771a19fca16de2940e
Instruction ID: d8bfe3333c7f570a7ca87e75257d8468e7ce3d89768dbd7349a118b7a4d393c3
Opcode Fuzzy Hash: 2e5f862216c7ae60d487dfba38660cf19a357d9fd21170771a19fca16de2940e
Instruction Fuzzy Hash: 9BF0ED709003049BD7649F79D89D79A7BE5FB44321F04446AE55ED7340DB7968808B90

Function 04438800 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39232de2cda4436d5c65625bf97831858f1205b6c3ad55e77edb3766f17e4fa
Instruction ID: e40094acf0115eeeb4ac26ba1677dbb0298c6a14b16f1a86e8adb48cda500b74
Opcode Fuzzy Hash: e39232de2cda4436d5c65625bf97831858f1205b6c3ad55e77edb3766f17e4fa
Instruction Fuzzy Hash: 7BE04F7AA0820A8BCB14EBB4E8465E9BFB0FB05215F004056ED5597740EA30AD59DBD1

Function 04438978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6964dcf231d499f99152303e207a948ff4619378f793ea666d7f81c9a36a2a
Instruction ID: 1d5de6c203620859b6d0bd374cad59674912a1141b585c7278b880e1b1846ac8
Opcode Fuzzy Hash: fc6964dcf231d499f99152303e207a948ff4619378f793ea666d7f81c9a36a2a
Instruction Fuzzy Hash: C4E0263130421897CF0D3775A80C2AE7A9AFBC4735F04006AD60A83340CF7C190283D5

Function 04439550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e238969385584a6ca00c4ed8ff368a8bef136ce9161e4beef5245eec7368032e
Instruction ID: 882b6fb9010cfafda162c953ff93993b7806be5e09e89baded32f53f3dffaff2
Opcode Fuzzy Hash: e238969385584a6ca00c4ed8ff368a8bef136ce9161e4beef5245eec7368032e
Instruction Fuzzy Hash: 55D05E93702129276E54B4BB18006BBD5CF8BCCCAA709003BAA09C3342EDA0ED0143E1

Function 0443DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: dc099509e328cd4881b5f646838b2473e3b27b9f8b77806be891489240432f96
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 9CE08631B10014978B1C9959D4114EDFBAADBCC621F04807BD90AA7340DA32691686E1

Function 0443F460 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8b81a41a671b69c346ff59514514722ba6acb4c026dee6ab7d5e2d1a854881
Instruction ID: 1cd6d2271cd2d754a5f26daf77452ce2a306897b17ac795bcaf6c2e6f39fc86a
Opcode Fuzzy Hash: ed8b81a41a671b69c346ff59514514722ba6acb4c026dee6ab7d5e2d1a854881
Instruction Fuzzy Hash: CAE01A74E042499F8B80DFB8D8426AAFFF4EB59200B5485AAC948D3201E6329A42CFD1

Function 0443F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 000fc774e24440c76d0c37633ffff7447960444a62f24b646fa0bca53b869bd5
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 25D06270D042099F8790DFADC94156DFBF4EB58200F5085AA8919D7301F7315612CBD1

Function 04438748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30dd58004d4af83352b9431f5619f703dc452f0eacc3bfe52feac69d4111d700
Instruction ID: e4991b2ca9c514cdb4fd7581a458836d7bced37e2eb92638f70f089d0399fd03
Opcode Fuzzy Hash: 30dd58004d4af83352b9431f5619f703dc452f0eacc3bfe52feac69d4111d700
Instruction Fuzzy Hash: 6ED0673190410D8BDB08ABB5E95B4FDBB74FA14702F404169E90793290EF352A5ACAC5

Function 04438810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b19d8ad8d9d8659cc03f0533a3b034450dfc2e4356c0823e99206837e77cfab
Instruction ID: dcb28089778e24c4ee8151d9926fe283bcc99be9ec4d1ec2b96b5d7092ab68a9
Opcode Fuzzy Hash: 7b19d8ad8d9d8659cc03f0533a3b034450dfc2e4356c0823e99206837e77cfab
Instruction Fuzzy Hash: 5BD01734A0820E8BCB18EFA4E94786EBFB4FB49205F00416AE90993340EA306901DBC1

Function 04437EA0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9beed0ba72cbb1ea71297a8a64b4e34df35e3a47e7a02822e2250d83dc5ec958
Instruction ID: ab32d7356725d781d5f577aecf3acc01452f88140bb9742d27941934e932bb1f
Opcode Fuzzy Hash: 9beed0ba72cbb1ea71297a8a64b4e34df35e3a47e7a02822e2250d83dc5ec958
Instruction Fuzzy Hash: 25C04C1555F3D10FEF0B973548695566F325E4310138A41DAC181DA856C864444AC716

Function 04437938 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a679bbbbe6bb55483893cd310e95ed3fff36cf457515fa50a52f8f9a20683c
Instruction ID: 798fe86cdbd956de5860112b465a333bb90428a8e4bf6b1ed36f87867fedd09e
Opcode Fuzzy Hash: 41a679bbbbe6bb55483893cd310e95ed3fff36cf457515fa50a52f8f9a20683c
Instruction Fuzzy Hash: 34C012340483848ACB599BBA90A48983F20AB4122470204DCE80A1BAB38A62D045DF06

Function 04437940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fe435f8e6edab611c12970d6428ed405ac5f2a5603bdd4f2330e83fde65622
Instruction ID: 4d683a694648001c8e4cc1cb6d95760a70ff3976f2e0442cf9d6d88fd0dd3a54
Opcode Fuzzy Hash: 67fe435f8e6edab611c12970d6428ed405ac5f2a5603bdd4f2330e83fde65622
Instruction Fuzzy Hash: 67B09230044748CFC248AFB9A414814732DBB8031578104A9ED0E0A6A68E36E884CB88

Non-executed Functions

Function 07101BE0 Relevance: 20.4, Strings: 16, Instructions: 397COMMON

Download Yara Rule

Strings

tPdq, xrefs: 07101FEB
84Gl, xrefs: 07101F6C
84Gl, xrefs: 07101F76
4'dq, xrefs: 07101C92
JJl, xrefs: 0710200B
tPdq, xrefs: 07101FDF
JJl, xrefs: 07102017
rIl, xrefs: 07101C53
4'dq, xrefs: 07101F95
JJl, xrefs: 071020C2
4'dq, xrefs: 07101C86
4'dq, xrefs: 07101F89
rIl, xrefs: 07101C5D
$c<k, xrefs: 071020B4
JJl, xrefs: 07101FA1
JJl, xrefs: 071020CE

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: $c<k$4'dq$4'dq$4'dq$4'dq$84Gl$84Gl$tPdq$tPdq$JJl$JJl$JJl$JJl$JJl$rIl$rIl
API String ID: 0-2568046780
Opcode ID: 30352275f1ddfd80853546bdca5412d9e3b52a5bcd9586b249385bec1ba49f3b
Instruction ID: c843e0db65ad1f2fb690ce29f73a9f864711cb3ffc77a8e3b88cc998e8987e48
Opcode Fuzzy Hash: 30352275f1ddfd80853546bdca5412d9e3b52a5bcd9586b249385bec1ba49f3b
Instruction Fuzzy Hash: A2D126B1B0431A9FCB269B68840466FFBB2BFC6311F1884ABC9058B2D5DB75C945C7E1

Function 07103928 Relevance: 12.8, Strings: 10, Instructions: 336COMMON

Download Yara Rule

Strings

$dq, xrefs: 0710396C
$dq, xrefs: 07103960
$dq, xrefs: 0710393A
?l, xrefs: 07103A0F
4'dq, xrefs: 07103B35
4'dq, xrefs: 07103B29
tPdq, xrefs: 071039B1
$dq, xrefs: 07103C0E
?l, xrefs: 07103A1D
tPdq, xrefs: 071039A5

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$tPdq$tPdq$$dq$$dq$$dq$$dq$?l$?l
API String ID: 0-748277098
Opcode ID: e80c6a9b30c6d3737e1180c064a3acb2e3c51f1db14690e9643d7b7b9c3fbb74
Instruction ID: 33391f9dac0ef30c1d3f2cba649b48f51e2091950e98af02dc5094d85edac53d
Opcode Fuzzy Hash: e80c6a9b30c6d3737e1180c064a3acb2e3c51f1db14690e9643d7b7b9c3fbb74
Instruction Fuzzy Hash: 66B189B13143558FCB269A69C811B66BFA6AFC6320F2480AFD855CB2D2CB71C941C3E1

Function 07103678 Relevance: 8.9, Strings: 7, Instructions: 187COMMON

Download Yara Rule

Strings

4'dq, xrefs: 0710372E
4'dq, xrefs: 07103722
$dq, xrefs: 0710382A
$dq, xrefs: 07103836
?l, xrefs: 0710387B
?l, xrefs: 0710386D
$dq, xrefs: 071037FF

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq$$dq$?l$?l
API String ID: 0-1414792763
Opcode ID: 5649c23884146aa6ea9c5e71c63153122f1db0a74e8a8f7c30d3415176591a88
Instruction ID: 270182b1e8106d5eba3fb1d143b4e8b72b0a42f86f89b9e8fd403b084de7d35c
Opcode Fuzzy Hash: 5649c23884146aa6ea9c5e71c63153122f1db0a74e8a8f7c30d3415176591a88
Instruction Fuzzy Hash: EC5157F57043069FCB2A9A698815766BFB2AFC6321F2480AFD425CB2D1DB71C841C7E1

Function 04437A21 Relevance: 6.5, Strings: 5, Instructions: 240COMMON

Download Yara Rule

Strings

`eq, xrefs: 04437BA2
`eq, xrefs: 04437C44
tMIl, xrefs: 04437AD4
`eq, xrefs: 04437CC2
`eq, xrefs: 04437B23

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: 95f5c1fbfca68c4809afe3409bc6bc12346905a950f1a4a03fdc11fcff403649
Instruction ID: b9c29f0ba076e258262fd9154f36c68e009ddc684a118e8f226a4b80ebc94714
Opcode Fuzzy Hash: 95f5c1fbfca68c4809afe3409bc6bc12346905a950f1a4a03fdc11fcff403649
Instruction Fuzzy Hash: A9B1A6B4E002199FDB45DFA9D590A9EFBF2FF48301F10862AE419AB305DB34A945CF90

Function 04437A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`eq, xrefs: 04437BA2
`eq, xrefs: 04437C44
tMIl, xrefs: 04437AD4
`eq, xrefs: 04437CC2
`eq, xrefs: 04437B23

Memory Dump Source

Source File: 00000004.00000002.1751306658.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: 4b43cafec2216c744ed448f2aecaafa91ee954ec947d38a0534d5d52955fc1ac
Instruction ID: 0f3cb08b5ca73c902909997958439762695b04e2bdf0f1e1aac07455a822b9a1
Opcode Fuzzy Hash: 4b43cafec2216c744ed448f2aecaafa91ee954ec947d38a0534d5d52955fc1ac
Instruction Fuzzy Hash: 5CB187B4E002199FDB54DFA9D590A9EFBF2FF48301F10862AE419AB345DB34A945CF90

Function 07101EF8 Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07101F89
84Gl, xrefs: 07101F6C
JJl, xrefs: 07101FA1
JJl, xrefs: 0710200B
tPdq, xrefs: 07101FDF

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$84Gl$tPdq$JJl$JJl
API String ID: 0-3611598509
Opcode ID: a2570508429bb4f0ddd14a79691840bb25bd4dbd3004bfc3edb1fda8f54ca387
Instruction ID: b838089ef8aa2ebb455f7509779f68b19849b1ab3eaa3beadedca3b5ede6db2a
Opcode Fuzzy Hash: a2570508429bb4f0ddd14a79691840bb25bd4dbd3004bfc3edb1fda8f54ca387
Instruction Fuzzy Hash: 3A21E4B1A0020AEFCB268E44C445F6AF7A2BF81311F198066DA045F1D5C7B6D948D7E1

Function 07105798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$dq, xrefs: 07105800
$dq, xrefs: 071057F4
$dq, xrefs: 071057C6
$dq, xrefs: 071057AA

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 5a2f19546c569ff547c6d7e410092afff74f8cc814044ca3c7ed4edaf5412930
Instruction ID: fc809f7051ada7716ae2ba568e8ef8a7c27b38d2d0571560632c5243a76a6e1f
Opcode Fuzzy Hash: 5a2f19546c569ff547c6d7e410092afff74f8cc814044ca3c7ed4edaf5412930
Instruction Fuzzy Hash: CC2179B13102069BDB34956A8802F37BB9B9BC0351F64802BAE09CB2C1DFB1C95187E1

Function 07100308 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07100373
4'dq, xrefs: 0710037F
$dq, xrefs: 07100352
$dq, xrefs: 0710035E

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq
API String ID: 0-4229963660
Opcode ID: f15276c358869f14d0b3f04b94fbc1f2823c7d2544ef0f8d32ead1e83a90f985
Instruction ID: 9649a7793e1a064bf7281f0e9e16641e5e14d431c2e49deae8ee934033adce53
Opcode Fuzzy Hash: f15276c358869f14d0b3f04b94fbc1f2823c7d2544ef0f8d32ead1e83a90f985
Instruction Fuzzy Hash: DA0178A130E3964FC73B966828202266FB26F8765172A81DBC481DF2D7CA594D4983A7

Function 07102108 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

JJl, xrefs: 07102156
JJl, xrefs: 0710214A
$dq, xrefs: 07102166
$dq, xrefs: 07102172

Memory Dump Source

Source File: 00000004.00000002.1762414277.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$JJl$JJl
API String ID: 0-1139017277
Opcode ID: 46d815b61e321ec208bbd6b9d349ebbf2ce848cddce16b76481b5527f9e2aee7
Instruction ID: 5531fa816d2c10f8d9b8966bbb8cee80cdfa7cf98e62cd6333ecf222bab1364d
Opcode Fuzzy Hash: 46d815b61e321ec208bbd6b9d349ebbf2ce848cddce16b76481b5527f9e2aee7
Instruction Fuzzy Hash: 6E01B1B260A3A14FC33742684C155177FB26FD362072A42D7C994DF2EBCA784C45C3A2

Analysis Process: powershell.exePID: 1700, Parent PID: 7156COMMON

Executed Functions

Function 02F8B470 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2b7f6f32e2927d4a3767b57cb28598f001e93160c415114ae4ea08f994d018
Instruction ID: 45e7f61dd8aed97bbff6401af6bd775276c9335a5b98a8ab585f5224c23cf6db
Opcode Fuzzy Hash: 1c2b7f6f32e2927d4a3767b57cb28598f001e93160c415114ae4ea08f994d018
Instruction Fuzzy Hash: 26916270F006159BDB15EFB49A115AFBBF3EF84700B00892EE516AB394DF34A9058BD5

Function 02F8B490 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8918cbd06d96f93b0ba15126cb1f569a7d858c1dedf76ae0f024269668c7ac2f
Instruction ID: 462bbeb615f9e845c4f191dd281b5909f71680a06988425929ae864d64e0796f
Opcode Fuzzy Hash: 8918cbd06d96f93b0ba15126cb1f569a7d858c1dedf76ae0f024269668c7ac2f
Instruction Fuzzy Hash: D7915070F006159BDB15EFB49A115AFBBE3EFC4700B00892DE506AB398DF38A9058BD5

Function 073F2308 Relevance: 13.1, Strings: 10, Instructions: 648COMMON

Download Yara Rule

Strings

4'dq, xrefs: 073F260D
JJl, xrefs: 073F259E
JJl, xrefs: 073F23D1
JJl, xrefs: 073F25EA
rIl, xrefs: 073F254F
4'dq, xrefs: 073F2619
JJl, xrefs: 073F23C5
JJl, xrefs: 073F25F6
JJl, xrefs: 073F237F
rIl, xrefs: 073F2559

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$JJl$JJl$JJl$JJl$JJl$JJl$rIl$rIl
API String ID: 0-426712688
Opcode ID: 739b70d77b7f3f43ed30aff98009fc9fee66b76d27d0d4031f2ee1103b397b9a
Instruction ID: 85a33bb9b7e58c6b5ffc204bf6c13e8d9ff18d75c5ef10928242dc3a889ab515
Opcode Fuzzy Hash: 739b70d77b7f3f43ed30aff98009fc9fee66b76d27d0d4031f2ee1103b397b9a
Instruction Fuzzy Hash: 9B2227F1700216DFEB11DB688441BAFBBE5BF85351F1480BADA09CB252DB31D945CBA1

Function 073F3CE8 Relevance: 5.6, Strings: 4, Instructions: 591COMMON

Download Yara Rule

Strings

4'dq, xrefs: 073F4180
4'dq, xrefs: 073F4030
4'dq, xrefs: 073F4026
4'dq, xrefs: 073F418A

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq
API String ID: 0-2296240322
Opcode ID: c4f7a66dd7141927bea43e0af4714a0edb8364dcd753646511726d4594590e4c
Instruction ID: bc8748856194453a223d8ed6a27fdf0e476b47cc26aa9a04416dfe6f5e7fd64c
Opcode Fuzzy Hash: c4f7a66dd7141927bea43e0af4714a0edb8364dcd753646511726d4594590e4c
Instruction Fuzzy Hash: 0E126BF17042969FDB118B68C811B6BBFA29FD1391F1484BBDA09CB641DB31DD41C7A1

Function 02F8E5B9 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

JJl, xrefs: 02F8E6EA

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: JJl
API String ID: 0-415269788
Opcode ID: 3cd5f9db303538228f19f811b3929a36da3785f7f554c198567d231941ffada2
Instruction ID: 119a29335ba943dda15ce1d99d05907dcc91c215d911e4f98d3885fee826667d
Opcode Fuzzy Hash: 3cd5f9db303538228f19f811b3929a36da3785f7f554c198567d231941ffada2
Instruction Fuzzy Hash: E3419B30A052099FCB15DF79E894A9DBBF2FF49305F0485A8E41AAB351DB30AD45CFA1

Function 02F86FC8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(hq, xrefs: 02F870ED

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 5b13a228267e914ce9200aa52a1a4b74a10904eb491c7f426ffde0ecfc30ce6b
Instruction ID: 94ae9a05e7fff3845d90d821d91576282b2977fdb1da691efc91b1e9dac4c468
Opcode Fuzzy Hash: 5b13a228267e914ce9200aa52a1a4b74a10904eb491c7f426ffde0ecfc30ce6b
Instruction Fuzzy Hash: 0D414B39B042048FDB04EB69C464BAEBBF2AF8D711F248499E506AB391DB35DC01CB60

Function 02F8E640 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

JJl, xrefs: 02F8E6EA

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: JJl
API String ID: 0-415269788
Opcode ID: a2e9c5291a1a2dad80c3f8bbec537ddf3a60639d23ac1627615f9023adb06f95
Instruction ID: 4abce4935dc58c155a324caf0f4c6a9f47597338d875bdd28ecd7de795121d90
Opcode Fuzzy Hash: a2e9c5291a1a2dad80c3f8bbec537ddf3a60639d23ac1627615f9023adb06f95
Instruction Fuzzy Hash: 36318D30A00619DFCB14DF69E494A9EBBF2FF48345F148528E41AA7394DB30AC44CBA0

Function 02F8AF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&dq, xrefs: 02F8AFBA

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: (&dq
API String ID: 0-1586597270
Opcode ID: 1a71cfb0fcab94305299cca153c97a9023ec117c92ba10a670826fb8bd6d46f7
Instruction ID: 61f0cf2d1233314a05960ca29402f2a07246ee750bd0b374be40be887ae52e83
Opcode Fuzzy Hash: 1a71cfb0fcab94305299cca153c97a9023ec117c92ba10a670826fb8bd6d46f7
Instruction Fuzzy Hash: 1221BC71E042588FCB14EBAED80469EBFF6EF88324F24806AD518E7340CA7499058BA5

Function 02F829F0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7e26b6df744a6d6a41ab8bfb556d09a76cc54579263789fc547c39c0c1679b
Instruction ID: d51065f517a9d7eb65186b13ee0320ddebc9a206fe10fa4a2aa6f156dd2c6358
Opcode Fuzzy Hash: cc7e26b6df744a6d6a41ab8bfb556d09a76cc54579263789fc547c39c0c1679b
Instruction Fuzzy Hash: 65918B74A002498FCB15DF98C894ABEFBB1FF49324B248659DA15AB3A5C735FC41CB90

Function 02F87728 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0a7974d4f3089aee38db443e29a10738242d17923bc96d19f660a9b417a784
Instruction ID: 36fab8e66bfc8a36c414d4262a9bec3e3e58ea066a8c3a2063a80e7c9b86269a
Opcode Fuzzy Hash: df0a7974d4f3089aee38db443e29a10738242d17923bc96d19f660a9b417a784
Instruction Fuzzy Hash: 6A5190397042159FD704AB69D854B3ABBE6FFC9354B2584A9E609CB352EB31DC01CBA0

Function 02F8BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4099b5234b975f39843ae3b079d9e9e7a5b348d59b8ae0f655d6ff9e2e3bae
Instruction ID: b5b1bafae74560eb4e6cfb0beb44c154d910d3df99d8dbbef5788a4c6404f7b1
Opcode Fuzzy Hash: 5f4099b5234b975f39843ae3b079d9e9e7a5b348d59b8ae0f655d6ff9e2e3bae
Instruction Fuzzy Hash: D1610671E01249DFCB14DFA9D984A9DFBF1EF89314F15816AE909AB354EB309841CB50

Function 02F8BAB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af164406773aeb7e121253da12587dd70de61e1041f87168c7f6a68cb0fa695b
Instruction ID: 51567c758b5da7ed23edab803a8251979161808ef70a4e24c240cf4efb8b4bfd
Opcode Fuzzy Hash: af164406773aeb7e121253da12587dd70de61e1041f87168c7f6a68cb0fa695b
Instruction Fuzzy Hash: 5E510471E01248DFCB54DFA9D988A8DFBF1EF89314F148069E909EB365EB309846CB50

Function 02F8E419 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0a43dd9dc6b0064566a5b22b419d3bab6630bb5a3d2b436c43e0098ce3c41c
Instruction ID: 54b4da73bd6de1ff4d97ea0da088692bb4d9c5c26fe51125a43581c8dbb735ef
Opcode Fuzzy Hash: 4f0a43dd9dc6b0064566a5b22b419d3bab6630bb5a3d2b436c43e0098ce3c41c
Instruction Fuzzy Hash: 59516C74B00205CFCB10EF7DC694A2ABBE6EF89354B1585A8E549CF366EB34EC058B51

Function 02F86FA0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86a1036dd2b04143d6320e3627d0285134e022e20946231542f7eb6126a287a
Instruction ID: dd5582c8875c2500e40002a785e7e51ea9a28c3178f7cfad05ddff96813bce6c
Opcode Fuzzy Hash: e86a1036dd2b04143d6320e3627d0285134e022e20946231542f7eb6126a287a
Instruction Fuzzy Hash: 7F417234A092849FCB06DB65C454AAAFFF1AF8A754F2880D9E545EF363DB21DC41CB21

Function 02F8E428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b029a8cfe58e5048adaea7b53f5ce12e2775df5d1b8e6e93966b873e219f9cde
Instruction ID: 2bb71119acc48ba06f4787d789e9a14075a2193d043ac827798c7e1db3547b60
Opcode Fuzzy Hash: b029a8cfe58e5048adaea7b53f5ce12e2775df5d1b8e6e93966b873e219f9cde
Instruction Fuzzy Hash: EA4118B4B002058FCB10EF6DC694A2ABBE6EFCD355B548468E549CF365EB34EC058B91

Function 073F3CCD Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bceb8b17f1a176e7df8a06668a6a18f3124e220558e13ec2788b59120654343
Instruction ID: e055d4f5a10bccac331434c94c4f969a3da6477b456c944ff7daf0f90a55b53b
Opcode Fuzzy Hash: 6bceb8b17f1a176e7df8a06668a6a18f3124e220558e13ec2788b59120654343
Instruction Fuzzy Hash: AE4106F2A10202DFEB218B64C541F6ABBB69F953D4F4480A6EA088F352D735ED45C7A1

Function 02F82B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69a5b8c73636daf9981b771fccf2dbb0050c79edf555154ecc80b29c9ce3998
Instruction ID: f7bd4574ed8af3c8ae1d362dedb943642a8e6e6e7ce6ae5f0099a9bf63e606d2
Opcode Fuzzy Hash: e69a5b8c73636daf9981b771fccf2dbb0050c79edf555154ecc80b29c9ce3998
Instruction Fuzzy Hash: D84189B4A002459FCB06CF58C998ABEFBB1FF48364B158159CA15AB364C732FC51CBA0

Function 02F8C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f054cb9893a1df73423a49f17aa92da97d78db7aa969a6dd3e0f179e28b2319
Instruction ID: b1b53995a49eec9688104fa207cfe63aae0856f34d19bf860c9ea0537b2fce1f
Opcode Fuzzy Hash: 1f054cb9893a1df73423a49f17aa92da97d78db7aa969a6dd3e0f179e28b2319
Instruction Fuzzy Hash: 57319E313012119FC705EB78E854B9ABB92EFD4352F108529E60ACB355DF70A885CBA1

Function 02F8AE60 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d0b72dc3de5fff676adc29e5f140351795fd08e1814ae302d0306fcc7c618c
Instruction ID: 9d306db373c49e4d95ab5517911db77b3ea59f8d54cbc8dc6cda81e6a0635f9c
Opcode Fuzzy Hash: 34d0b72dc3de5fff676adc29e5f140351795fd08e1814ae302d0306fcc7c618c
Instruction Fuzzy Hash: 3D314D71E012099FDB05EF79D4947AEBBF6EF89350F14806AE505EB350EB349C418B61

Function 02F8E049 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc61e902876c3fd5f5726e58da8ae02458c989d76f3804a6f414212faa55de11
Instruction ID: 9ee396689220b8fad8b07dcad92a3469068e7f237d95b6936dbac4d7e40fc4bf
Opcode Fuzzy Hash: bc61e902876c3fd5f5726e58da8ae02458c989d76f3804a6f414212faa55de11
Instruction Fuzzy Hash: 39314E71A402048FDB18DF69D468AAEBBF2EF49355F144469E406EB350DB70AC81CB91

Function 02F8AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bca91e9f65ce369e1d492d7722883111085de91ad99086ec416080a44b808a
Instruction ID: 7ac69817ed73246ee2faff1617a5ba83ee226b10c327ae5b45d753b074b4cd2d
Opcode Fuzzy Hash: 39bca91e9f65ce369e1d492d7722883111085de91ad99086ec416080a44b808a
Instruction Fuzzy Hash: 71314F71E012099FDB05EF69D4947AEBBF6EF88350F14806AE505EB350EB749C418B61

Function 02F8AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45063dc35962061d07cb68321f0e2cf6ba16c7493e2a18c706238052f2b0ab5
Instruction ID: 6839c4489c98f1b86e4f797061cdd48c7845167dcbac074cc0b7bb9ff8cdf0bf
Opcode Fuzzy Hash: c45063dc35962061d07cb68321f0e2cf6ba16c7493e2a18c706238052f2b0ab5
Instruction Fuzzy Hash: BA31BEB4A042459FDB01EFB4D864ABEBBB2EFC5300F1084A9D515AF3A5CA78AD01CF51

Function 02F8E058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad26097aa9f5f64c008d1fd7543b26861aa26116c5b66a189d5e53a1f7de71be
Instruction ID: e210d6c0129445b38d37fed2400d7e1cef1a83acd3fc32f02ed14ee1c908ac66
Opcode Fuzzy Hash: ad26097aa9f5f64c008d1fd7543b26861aa26116c5b66a189d5e53a1f7de71be
Instruction Fuzzy Hash: F3311A71F402048FDB18DF69D468AAEBBF2EF88315F148569E406EB350DB74AC81CB90

Function 02F8AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb00e527c23bb6600ffc3d884c03be9fd533cb6ce13faa0a4ca064091dca02d
Instruction ID: 94737dd1443c58af7730122adea98ee4dd9ba71b39dfe4472a1a3beccd8ca756
Opcode Fuzzy Hash: ccb00e527c23bb6600ffc3d884c03be9fd533cb6ce13faa0a4ca064091dca02d
Instruction Fuzzy Hash: 1F312FB4A002099FDB04EFA4D855AAEB7B3EFC4300F1194A9E615AB394DA75AD418F90

Function 02EAF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269d32dce1aaa98debcabd71be03bcdd19aa584dc1175e764640aea17ad71e51
Instruction ID: 284890d2ab63020f4c6a8b4ddd32aa347bd387a28ce9aa50068aaa0a0505a1f0
Opcode Fuzzy Hash: 269d32dce1aaa98debcabd71be03bcdd19aa584dc1175e764640aea17ad71e51
Instruction Fuzzy Hash: 43210271640200EFCB05DF14D9D0B26BBA5FB88318F24C5A9E9094E656C33BE856CBA1

Function 02F893F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820dc02e74ec7d193dcee17f51d95cbc6a6ecb77bbadb74d0b374ea62d0e7bc6
Instruction ID: b6b68884264d22b50d698e8d63f178a1c3c614c637dec37f9d0fde0dabacc59c
Opcode Fuzzy Hash: 820dc02e74ec7d193dcee17f51d95cbc6a6ecb77bbadb74d0b374ea62d0e7bc6
Instruction Fuzzy Hash: D231A970A013448EDB60DF6AC18839AFFE2EF88324F28C05ED90D9B306C7B45481CB61

Function 02EAF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4eaae85bc30d7aac6ba35459968703044247c0a4e64d18c8fba549e702e4b02
Instruction ID: eb15aaa203df2b92a1e2f5a0e456042f9ff89c1785224483b07be2718bc68b00
Opcode Fuzzy Hash: d4eaae85bc30d7aac6ba35459968703044247c0a4e64d18c8fba549e702e4b02
Instruction Fuzzy Hash: 5A212575644200DFDB10DF24C9D5B16BBA5EB94328F24C66DD80A4F642C337E806CB61

Function 02EAF4CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6ce297fc0312eed7320cf80b792026e2ef72d71f8ea288ac14e558d2a40e30
Instruction ID: 8b8e0e0479eacc2c245d96fcc3f9ef3a34be8b3e6b8013cb1318653ed6390f6c
Opcode Fuzzy Hash: 7a6ce297fc0312eed7320cf80b792026e2ef72d71f8ea288ac14e558d2a40e30
Instruction Fuzzy Hash: 1E2127B16842409FDB24DF28D5D4B26BBA5FB84318F24C66DD90A4F741C73BEC46CAA1

Function 02F89400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf1c4d3c9aa8e8ff2bb72776f3564c2be45f687655baa418a4d4ddc1e7af8f1
Instruction ID: 7f63b847ced93d849dc5657ce26c4a08fd82fab2d0fa31ba65f655bfbe0ab256
Opcode Fuzzy Hash: dbf1c4d3c9aa8e8ff2bb72776f3564c2be45f687655baa418a4d4ddc1e7af8f1
Instruction Fuzzy Hash: 7E216B71E017448EDB60DF6AC58839AFBF6EB88324F28C45ED90DAB345C7B46481CB61

Function 02F87664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a82823842a53040b7bfa50acc0ea7d78474755eee941d77a80bbd0f56578e69
Instruction ID: ff759422b2c7f9ff01e263820fe07a76eeadfd54eb3240a08e196700d52429b4
Opcode Fuzzy Hash: 2a82823842a53040b7bfa50acc0ea7d78474755eee941d77a80bbd0f56578e69
Instruction Fuzzy Hash: 19111C79B001188FCB04EBA8E840ADDB7F6FBCC255B1440A4E609DB355DB35ED059BA0

Function 02EAF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction ID: fa08c24082fd206b009b9564424025962c8685a25b04da1f3bcda9f15731d629
Opcode Fuzzy Hash: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction Fuzzy Hash: EB21AC76544240DFCB06CF10D9D4B16BF72FB88318F24C5A9D9094E656C33BD46ACB91

Function 02F8DCD9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1193f45b4b83c398d24d5d57b6c299d62ad5ecccdca45c7b3320da23c58f8722
Instruction ID: dfbfa1f98539b05e6d99dc2c5a04d63c190cfb5a2a57c0cc528a323322281322
Opcode Fuzzy Hash: 1193f45b4b83c398d24d5d57b6c299d62ad5ecccdca45c7b3320da23c58f8722
Instruction Fuzzy Hash: 5211C832A0A244DFCB0AEB74D4588ACFFB1EF95211B1840EED5069B392DA314C45CB61

Function 02EAF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction ID: 13a6e27a47cd6789027abc0c19f2c98717c16c26b88c01fa6a24f09ff857b90f
Opcode Fuzzy Hash: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction Fuzzy Hash: B611A9795442808FCB11CF14D5D4B15BFA1EB84228F28C6AAD80A4BA56C33BE44ACB61

Function 02F8BCE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6150f970ca2c3c530fca1d9f5415872b818765688a53c39cd816a30db0f9ca
Instruction ID: f421903256a95aa80208672f224b3aaeda62e973b8e557dedbf5184baa785f92
Opcode Fuzzy Hash: 8b6150f970ca2c3c530fca1d9f5415872b818765688a53c39cd816a30db0f9ca
Instruction Fuzzy Hash: FC11D2316093449FDB15DB3AD498A5ABFE1EF46310F1488EEE08ACB6A2DB30EC45C700

Function 02EAF4C7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2ec3ae829bd457e321ce07a30b71d88b96ae03ff716a8730e1246230d6791a
Instruction ID: d6a8901b13c16d77503ccc9dff3b4df4cc6e532953f11d4dcc1ae81136549aa0
Opcode Fuzzy Hash: 2b2ec3ae829bd457e321ce07a30b71d88b96ae03ff716a8730e1246230d6791a
Instruction Fuzzy Hash: 24119E755442808FDB25DF24D5D4B25BBB1FB44318F28C6ADC8494BA52C33AE84ACB92

Function 02F8DE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20f16c8947355b3c59bd7d4afda97673b296f6f3461f5d4d53efa54beec4a1f
Instruction ID: 4336d1af34a4c0adc866ce71a989ea3bf66307acd68db0925e71b356efc85e2f
Opcode Fuzzy Hash: c20f16c8947355b3c59bd7d4afda97673b296f6f3461f5d4d53efa54beec4a1f
Instruction Fuzzy Hash: 41014C36B01214DFCF119BB4E848AAEBBF6FB88315F14406DE51E93342DB32A951CB91

Function 02F8DFD0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c784556c768b68e6aeaf5f62cec105b3bd13d1773f5e5987507520cfe86860ce
Instruction ID: ae25eb76eb689e78b636ddf5285a0e5c7af632e01d16bebf55a980b45dbe8598
Opcode Fuzzy Hash: c784556c768b68e6aeaf5f62cec105b3bd13d1773f5e5987507520cfe86860ce
Instruction Fuzzy Hash: 771109352047508FC728DF75D08085ABBF6EF8921532489ADD44A8B7A0DB36F942CB50

Function 02EAD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd784c452b9ca395ac453aaaf4abe42a1ff954d256ad25a34533fd24e1af9985
Instruction ID: 094dc9f004de8dcb2365b91fd11cf10c765c5a5495b316df1fd997f7dc66fd0a
Opcode Fuzzy Hash: dd784c452b9ca395ac453aaaf4abe42a1ff954d256ad25a34533fd24e1af9985
Instruction Fuzzy Hash: 25015E6254E3C09ED7128B258CA4B56BFB4DF53228F1DC1DBD8888F1A3C2699849C772

Function 02EAD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c65e6b06eeb3cbc8da40db74dff1c966317d834ad1e76676e0bc5313728727
Instruction ID: 5d484a557899521c80f7508abd99dfcab97164ad1cb60081b3dd560f082fb455
Opcode Fuzzy Hash: 63c65e6b06eeb3cbc8da40db74dff1c966317d834ad1e76676e0bc5313728727
Instruction Fuzzy Hash: 7501F271548340AAE7208A29CCC5B66BFD8DF51329F18C45AEC484F682C7B8A841C6B1

Function 02F8BF10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683bb0a4f573377a18caae66b22c37a47d86516235752c2980930aeece792b53
Instruction ID: f0e232f7a61165773bca3bf7c1dc2739bfa26df8a8b5d33220e1ed5a6e8003b0
Opcode Fuzzy Hash: 683bb0a4f573377a18caae66b22c37a47d86516235752c2980930aeece792b53
Instruction Fuzzy Hash: 05F0C8317093905FD7054B7A9C5496B7FF9EF8665470940BBF944C73A2DA70CD0487A0

Function 02F87940 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bab29dfe73a4ee8afe402a292c1ccdaf3746dcf77883198a104923ab029a8ab
Instruction ID: 7c2e8f9b8daa533294e39fef5354df51a3826b9db2e803d80eaa23c1dc33746a
Opcode Fuzzy Hash: 4bab29dfe73a4ee8afe402a292c1ccdaf3746dcf77883198a104923ab029a8ab
Instruction Fuzzy Hash: CBF02230605344AFC711A769DC84E6FBBF9EB8A262700446EE209C7282CF20AC04CB61

Function 02F8DC88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e217258802609a863f54e0d30460927c0c82d8eec12f684819df2cabe56b63
Instruction ID: 778edc6c20d68af91e488601af3a4554d18c5cbcac2784a846dfcf8eb238e2b8
Opcode Fuzzy Hash: e3e217258802609a863f54e0d30460927c0c82d8eec12f684819df2cabe56b63
Instruction Fuzzy Hash: C4F0B4326462549F8706667AA81489FBB6ADEC72B130544ABE24D8B280DA245D45C7F2

Function 02F890D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd129dad0fbed611fa839ca32be0d4a65b46313437d4336783f4ecaa2e689a5f
Instruction ID: 6cb20bb2818bf15dc4437f992a5ec37851a2115a5f8bd3ac69a1098d8814c60a
Opcode Fuzzy Hash: fd129dad0fbed611fa839ca32be0d4a65b46313437d4336783f4ecaa2e689a5f
Instruction Fuzzy Hash: 8D0128356442009FD3025B75D41839B7FB2EFC2314F1581EAC8064B396CF392C05CBA1

Function 02EAD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3bc72b8ee8849176ae1dbff1d94eecf123d1f747f37771fc25c1efd2289068
Instruction ID: 7b2301346f9ff23e8f3d46fd6b94675aa176d300027363f18ac3eb7b6e492915
Opcode Fuzzy Hash: 2d3bc72b8ee8849176ae1dbff1d94eecf123d1f747f37771fc25c1efd2289068
Instruction Fuzzy Hash: FEF0F9B6600600AF97248F0ADD85C63FBADEFD4774719C55AEC4A8B612C771FC41CAA0

Function 02F8DE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9511883ca74d70a395d84a3fa6d77785a4b2ed759a424c7605da5ad090bb5a82
Instruction ID: b0920c175824c45ef95a93089eec024bbe1dfe68f6bbcd5c939a16fd13fb6de6
Opcode Fuzzy Hash: 9511883ca74d70a395d84a3fa6d77785a4b2ed759a424c7605da5ad090bb5a82
Instruction Fuzzy Hash: 96F058357052808FC3029B2DD898866BFFAEFCA65531904DAE184CB372DAA1DC02CB94

Function 02EAD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1786396233.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb4fe52f98b79234c85c5261ee0e5b7ef51d688f1b689fa9e64ed7088fb4036
Instruction ID: e36ea1786180bce26b0b6398e02c5a99d1a32c8bfba1d2b8afa6868bf324881d
Opcode Fuzzy Hash: 6eb4fe52f98b79234c85c5261ee0e5b7ef51d688f1b689fa9e64ed7088fb4036
Instruction Fuzzy Hash: 74F04F75100640AFD315CF05CD84D23BBB9EBC5624B19C489AC494B712C770FC41CB60

Function 02F89158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b3187e3b9f4c59beb78e9d32bf1af8e2515a86a07a1db7974aa15c7f0627f2
Instruction ID: bf34c45857d39e6956cbc5db055ecc3d4233fce5675b03c65f3a700505ba8722
Opcode Fuzzy Hash: 55b3187e3b9f4c59beb78e9d32bf1af8e2515a86a07a1db7974aa15c7f0627f2
Instruction Fuzzy Hash: 6FF06D3150A3408FD7218B78D4AC3AABFA1EF42310F0445ADD14ECB292C7392881CB50

Function 02F87950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c9603a842ca34e028281757580d005401c89ca090b2f1fc930b74420f7c325
Instruction ID: fd518673833e35a2cadfce0d6929a4e8d9b44f552d2f3a3d191d21e0bc392c3c
Opcode Fuzzy Hash: 49c9603a842ca34e028281757580d005401c89ca090b2f1fc930b74420f7c325
Instruction Fuzzy Hash: 2AF0A7717006149FD710A759D884B6FB7EAEB8C272B10492DE10DD3340DF70AC418B60

Function 02F890E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05f85f66d9b2951e81b2c885a841fc4c6ccaa6e3b6c8075605f38413356816e
Instruction ID: b5f19f78145b872c385bbf6a4f449a175e08edbe7d8e6177d99b3305959e03ae
Opcode Fuzzy Hash: d05f85f66d9b2951e81b2c885a841fc4c6ccaa6e3b6c8075605f38413356816e
Instruction Fuzzy Hash: 20F027356041149BD300AB64D05839BBBE6DFC0364F10816ED90A4B388CE393805CBE0

Function 02F8767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa592af16e2dfdb95e748ef994fe41b3b04213cd6899d1416cd63e46947ce0f
Instruction ID: 757bfb08250ba8bf50104e0e0122f81f3cad2fb7edf42e8c1cdf49295b3a0611
Opcode Fuzzy Hash: 2aa592af16e2dfdb95e748ef994fe41b3b04213cd6899d1416cd63e46947ce0f
Instruction Fuzzy Hash: 85F030797001198FDB00ABAD9840B9AFBE2FBCC696B294154E60DCB315DF35DC024F90

Function 02F8DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a4187ad4eaf33e6cd37edae7060803b202a703427c8e0d9ec453a8874f41e0
Instruction ID: 991eadc5d292e3003a52d58c4d6f8be386806561205c423d49bc72765ae26674
Opcode Fuzzy Hash: 80a4187ad4eaf33e6cd37edae7060803b202a703427c8e0d9ec453a8874f41e0
Instruction Fuzzy Hash: 09E0E5367102108F8610AB2ED498C26B7FAEFCE66571900A9E689CB361DB61EC01CB90

Function 02F8AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fb90e65e918091f538172d61d677ca1f11bdcce60f1b186705b865f31894aa
Instruction ID: 396af2898e622e658969f0c3c40352669e099132e76212624fa9d0d4a8d047bc
Opcode Fuzzy Hash: f1fb90e65e918091f538172d61d677ca1f11bdcce60f1b186705b865f31894aa
Instruction Fuzzy Hash: 33E092323093D10BC717923A6814055BF67CFC326430D80FBE144CF752E9554D4687A1

Function 02F88973 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f416a9bb85f93d4553d6de3e8450dc95ce976996b3cbb21fcb86a500205c100
Instruction ID: dcb5d35bd6e75994eaddf4d25083fedfc64efee2de12e25530b0bbd84fed42e0
Opcode Fuzzy Hash: 9f416a9bb85f93d4553d6de3e8450dc95ce976996b3cbb21fcb86a500205c100
Instruction Fuzzy Hash: 6DE09236705254DBCF096B74B41C2AE7BA2EFC4725F14016ED60A87242CF7518468B95

Function 02F87E90 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53eee607a1077f419e3ca6938a9ddb1b2bc5bbe2c55201010abd39a0ddeaed5
Instruction ID: c5ff1867d305f5b18d3f954cde21602a9dcce11fae01faadf3dcdb5866c256f0
Opcode Fuzzy Hash: e53eee607a1077f419e3ca6938a9ddb1b2bc5bbe2c55201010abd39a0ddeaed5
Instruction Fuzzy Hash: 57E0E21950E3D05FDB0743394CA9512BF714A9704538A84DFD1C6DF4A7C4184809CB22

Function 02F89168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a21bdf5c413baf244c9d7578785e1d41d57f04277f55daa530a2689869c0d5
Instruction ID: 76425f51ec425c47ad4d21caa206e18567191370c1e31820a4d8c7a22f9ed977
Opcode Fuzzy Hash: 58a21bdf5c413baf244c9d7578785e1d41d57f04277f55daa530a2689869c0d5
Instruction Fuzzy Hash: 2FF06D709013048BD7609B78E49C3AABBE6EB44310F10446DE20EC7340DB3568808B90

Function 02F8F460 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ace700ee8fbd5bc5fb4f930f48f14c12942155e4d316739caf355186625616
Instruction ID: af173de6e152938efe5c0e011d7c642ed2bbfb881bcae0671ff6913c3edece50
Opcode Fuzzy Hash: 82ace700ee8fbd5bc5fb4f930f48f14c12942155e4d316739caf355186625616
Instruction Fuzzy Hash: AAF0A7709042495FCB50DFBC8440569FFF09F09124B2482AED989D6246F6329503CB80

Function 02F89549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5993f4ea3701a3219f34726ae5c93c6ba47ff6b9de0731d7a6e128203516123b
Instruction ID: e7f4c9203f021dc39cf0bee4f162d98b2cf0b3e418e2ef9ae835a2dadc6585e2
Opcode Fuzzy Hash: 5993f4ea3701a3219f34726ae5c93c6ba47ff6b9de0731d7a6e128203516123b
Instruction Fuzzy Hash: 3DE05B12B9215657455471BA1D406B7F5CF8FC57E5B450076DB06D7341FD90CC1187F2

Function 02F88978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840529ca9ec0051bdc667d11ecd9896ac79323ee19c15951ba9ed01d46166f5e
Instruction ID: 3467450df4d8a51dc5afef3d10c2efed8cdeb7049c9f648de5991c4c3ed80463
Opcode Fuzzy Hash: 840529ca9ec0051bdc667d11ecd9896ac79323ee19c15951ba9ed01d46166f5e
Instruction Fuzzy Hash: 44E0DF36304214D7CF083774A41C2AEBAAAEBC4724F00002EE60A83342CF79284287D5

Function 02F89550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d88986448df77a1c21c2bf260b3635699c54d2c6357578dbec7bc8012d99714
Instruction ID: dce853c75f2bce2b5bbb15295be9ca9322791d11a0c5f545b7caeec58e6332cf
Opcode Fuzzy Hash: 7d88986448df77a1c21c2bf260b3635699c54d2c6357578dbec7bc8012d99714
Instruction Fuzzy Hash: 19D09E12B9212A57455471BA1D506BBF1CF8FC57E5B4501369B0AD7341ED84CC1187F2

Function 02F8DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 563aae5dcc4ca3bd73e01be2b6387c0145872c8e0c374941b9409cef85f198a3
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 79E08632B10014978B0C99A9D4104EDF7AADFCD260F04807ADA0AA7380DA325915C6E1

Function 02F8DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6039cd44b4cd204add01e3b29488582bee21615c890006832ea3e65e765d4e
Instruction ID: b5c68e748e4894760b9312b62cae7509dd6a17da53b6d21a5b9e80279c9f52c2
Opcode Fuzzy Hash: 0f6039cd44b4cd204add01e3b29488582bee21615c890006832ea3e65e765d4e
Instruction Fuzzy Hash: 7FE0CD317416144B4711762DA41085FB7DFDFC56B1310442DE11DC7340DF64DC0147D5

Function 02F88739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599f9c13753eb16c96fce76bd6b4a09f2d0fef667efdc0f054795d7b1835aa15
Instruction ID: 2f21a71417742a0b7d99ee785369edd60a7199dcd1f5c6fe1b64b251737323b2
Opcode Fuzzy Hash: 599f9c13753eb16c96fce76bd6b4a09f2d0fef667efdc0f054795d7b1835aa15
Instruction Fuzzy Hash: C9E01231805249CFCB09AF75E40D4ADBF74FF11301F4041AED95687552EA301A96CFC5

Function 02F88800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ec928767ab4b690ba0b241d00b4a523656292f668e43fc714df82f4418c6b0
Instruction ID: b961fcb75833830e74fe409402d2439aa0ee39789706b9198b9b1cb32c24053d
Opcode Fuzzy Hash: e5ec928767ab4b690ba0b241d00b4a523656292f668e43fc714df82f4418c6b0
Instruction Fuzzy Hash: 11E0E535A1924ACFCB09DF78E0595AABFB0EF4A214B1441ADD94A9BB66D6304980CB81

Function 02F8F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 8eac3d10f8708d65366c49a0ebd6512fedcdb230c43583904383b29ea72c31ba
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 46D067B1D042099F8780EFADC94156EFBF4EB48210F6085AA8919E7301E7329A12CBD1

Function 02F88748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f7f4c04b6a93e5ee79e65b34fd9c05244b9fe810600ba78f38ec259f306720
Instruction ID: acc3f9f30bf5e088a38ccd7eb6232715bdd90304bcc5c6b06c3859e4a8a5a288
Opcode Fuzzy Hash: 35f7f4c04b6a93e5ee79e65b34fd9c05244b9fe810600ba78f38ec259f306720
Instruction Fuzzy Hash: 2CD0673190510DCBCF08BBA4F85E4BDBB74FB14311F40416EDA1B52195EA311A9ACAC5

Function 02F88810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31de7d865961a2b8ba208affc359ff7f58720e4577b98b8db28fd1b5fe9743a3
Instruction ID: f38764a491a62981f9274bc964db0771a40035d6e6abdc0fc06e85417c35e20e
Opcode Fuzzy Hash: 31de7d865961a2b8ba208affc359ff7f58720e4577b98b8db28fd1b5fe9743a3
Instruction Fuzzy Hash: 90D01734A0820ADB8B08EFA4E44A86EBFB4EB44200F00416DDE0A93355EA306C41CBC1

Function 02F8791A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa2f9ed9e5851d01fe7c50ddae274c0a175f80cb0045f9fd81837a1be5520ee
Instruction ID: f3e6ab9f0eddd51dda2f373633812b5972f2d9313b000f80973fca957f3bf52d
Opcode Fuzzy Hash: 3aa2f9ed9e5851d01fe7c50ddae274c0a175f80cb0045f9fd81837a1be5520ee
Instruction Fuzzy Hash: DDD0A93000D3C0AFC7138F789898C063F306E4322030940CED88A8F1B7CE228408CB12

Function 02F87928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f2b1b35c565ca6f3845254e150b0d9b00885e760716630bf095d45b1318f46
Instruction ID: 8e79b0fbadfa689cd0f469ad68d352a0efd0fceebf4505154592d1e9b0f6ead8
Opcode Fuzzy Hash: 74f2b1b35c565ca6f3845254e150b0d9b00885e760716630bf095d45b1318f46
Instruction Fuzzy Hash: 32B09230044708CFC2486FB9A4049157329AB4022639044A9ED1E0A2AA8E36E884CE44

Non-executed Functions

Function 073F1BE0 Relevance: 20.4, Strings: 16, Instructions: 402COMMON

Download Yara Rule

Strings

84Gl, xrefs: 073F1F6C
tPdq, xrefs: 073F1FDF
84Gl, xrefs: 073F1F76
JJl, xrefs: 073F1FA1
4'dq, xrefs: 073F1F95
JJl, xrefs: 073F20C2
rIl, xrefs: 073F1C5D
JJl, xrefs: 073F20CE
4'dq, xrefs: 073F1C92
rIl, xrefs: 073F1C53
4'dq, xrefs: 073F1F89
$c<k, xrefs: 073F20B4
JJl, xrefs: 073F2017
4'dq, xrefs: 073F1C86
tPdq, xrefs: 073F1FEB
JJl, xrefs: 073F200B

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: $c<k$4'dq$4'dq$4'dq$4'dq$84Gl$84Gl$tPdq$tPdq$JJl$JJl$JJl$JJl$JJl$rIl$rIl
API String ID: 0-2568046780
Opcode ID: 27703672e879066c67245e9c23bd33624b2a238267875465038f7540e8dd1e0d
Instruction ID: 3c7e79ae8323526a6d021b0471e228a80f575ac017e84390de983a7fff77b04f
Opcode Fuzzy Hash: 27703672e879066c67245e9c23bd33624b2a238267875465038f7540e8dd1e0d
Instruction Fuzzy Hash: CCD13BB2B0435ACFDB218B68941066BFFF6AF85351F1480BBDA4D8B255DB31C841C7A2

Function 073F3928 Relevance: 14.1, Strings: 11, Instructions: 330COMMON

Download Yara Rule

Strings

$dq, xrefs: 073F393A
$dq, xrefs: 073F3960
4'dq, xrefs: 073F3B29
$dq, xrefs: 073F3C0E
], xrefs: 073F3B90
?l, xrefs: 073F3A0F
$dq, xrefs: 073F396C
4'dq, xrefs: 073F3B35
?l, xrefs: 073F3A1D
tPdq, xrefs: 073F39A5
tPdq, xrefs: 073F39B1

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$]$tPdq$tPdq$$dq$$dq$$dq$$dq$?l$?l
API String ID: 0-2687738401
Opcode ID: 3c7020f9cf4cd0ddb8297d5bd5b1de77294a23985c2eda920832907750a9623b
Instruction ID: 25d1a5f6affe710d0eacc426b47e49538fe09879be2a2388f86b52c0f3c06f24
Opcode Fuzzy Hash: 3c7020f9cf4cd0ddb8297d5bd5b1de77294a23985c2eda920832907750a9623b
Instruction Fuzzy Hash: A2B147B13043559FEB119B79C811B67BFA6AFC6391F2480ABDA4DCB292CA31CD41C761

Function 073F0FB2 Relevance: 12.7, Strings: 10, Instructions: 186COMMON

Download Yara Rule

Strings

tPdq, xrefs: 073F1127
$dq, xrefs: 073F1253
$dq, xrefs: 073F1065
`Qdq, xrefs: 073F1153
$dq, xrefs: 073F1081
84Gl, xrefs: 073F10D4
$dq, xrefs: 073F1229
fiq, xrefs: 073F10A2
$dq, xrefs: 073F1044
`Qdq, xrefs: 073F10ED

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: fiq$84Gl$`Qdq$`Qdq$tPdq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-886720277
Opcode ID: 8cda6f24ff356e596868083c2800cfcb7aa40b8cfe26a436431d8c2519935384
Instruction ID: b7a799a51a32e83b0c22a4d7fee9e347cac8262e850ae9483f1f5b6e1da6ae86
Opcode Fuzzy Hash: 8cda6f24ff356e596868083c2800cfcb7aa40b8cfe26a436431d8c2519935384
Instruction Fuzzy Hash: C761B5F0A1420EDFFB24CE44E944BAA77F6BF45391F148065EA099B695C731DD80CBA2

Function 02F8EBB8 Relevance: 10.2, Strings: 8, Instructions: 180COMMON

Download Yara Rule

Strings

$dq, xrefs: 02F8ED6F
$dq, xrefs: 02F8ED3B
$dq, xrefs: 02F8ECB0
0oGp, xrefs: 02F8ED47
$dq, xrefs: 02F8ED07
$dq, xrefs: 02F8ED21
,hq, xrefs: 02F8EC0D
$dq, xrefs: 02F8ED55

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: ,hq$0oGp$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-1797346928
Opcode ID: f54c733a55475cefaf50352b6dfec556e60f0717188590e5a75f28d4d9700046
Instruction ID: 3b7cf1f3ba984b84c4e472e7ebebea88c939658f678638f876fc4962fbed92e1
Opcode Fuzzy Hash: f54c733a55475cefaf50352b6dfec556e60f0717188590e5a75f28d4d9700046
Instruction Fuzzy Hash: 165180727445108FCB29BB79985492DBBDAAF8979531104AAF61BCB3B2EF10CC44C7D2

Function 02F8EDE8 Relevance: 9.2, Strings: 7, Instructions: 453COMMON

Download Yara Rule

Strings

0oGp, xrefs: 02F8F237
$dq, xrefs: 02F8F110
0oGp, xrefs: 02F8F205
$dq, xrefs: 02F8F326
$dq, xrefs: 02F8F16C
`Qdq, xrefs: 02F8F2FC
0oGp, xrefs: 02F8F243

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: 0oGp$0oGp$0oGp$`Qdq$$dq$$dq$$dq
API String ID: 0-266769715
Opcode ID: ea5481e371b65647b40a6af3414e93361bdfb2c45694063150123c643da6c64c
Instruction ID: 551ad064e01a888aed8bf47b4c9524f015c1a0d3cdcde33c39922ecbcdd1ad7b
Opcode Fuzzy Hash: ea5481e371b65647b40a6af3414e93361bdfb2c45694063150123c643da6c64c
Instruction Fuzzy Hash: 7DE1FA31B102208FDB14AB7D881462EB7D6AFC9B95B2544AADA06DF7A1EF70CC0187D1

Function 073F3678 Relevance: 8.9, Strings: 7, Instructions: 190COMMON

Download Yara Rule

Strings

?l, xrefs: 073F386D
?l, xrefs: 073F387B
4'dq, xrefs: 073F372E
$dq, xrefs: 073F3836
$dq, xrefs: 073F37FF
4'dq, xrefs: 073F3722
$dq, xrefs: 073F382A

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq$$dq$?l$?l
API String ID: 0-1414792763
Opcode ID: 0d08580899c12f9b3b2afdd2174000027f332ca98c33345e4ad6f8d7367c61b1
Instruction ID: 2ba91b524dab3118697a60de0a956e0acc97d74eac3f073c7516f8534b15bec3
Opcode Fuzzy Hash: 0d08580899c12f9b3b2afdd2174000027f332ca98c33345e4ad6f8d7367c61b1
Instruction Fuzzy Hash: 915188F17043169FEB249A69C800767BFA6AFC23A1F24807BC60DCB651DB35C849C7A1

Function 02F87207 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

`eq, xrefs: 02F87B8A
`eq, xrefs: 02F87B0B
`eq, xrefs: 02F87C2C
tMIl, xrefs: 02F87ABC
`eq, xrefs: 02F87CAA

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: fb8e555f13cb311a84223fee9de67566dd3927ffe6b6915bcd91d4de7c160404
Instruction ID: 18232ef02bc5af261ccc49704265eef11f7969329ee7f8fac73b4a2bf87e48a1
Opcode Fuzzy Hash: fb8e555f13cb311a84223fee9de67566dd3927ffe6b6915bcd91d4de7c160404
Instruction Fuzzy Hash: 59B1D574E012198FDB45DFA9D890A9DFBF2FF98340F208629E519AB354DB30A901CF90

Function 02F87A09 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

`eq, xrefs: 02F87B8A
`eq, xrefs: 02F87B0B
`eq, xrefs: 02F87C2C
tMIl, xrefs: 02F87ABC
`eq, xrefs: 02F87CAA

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: 00b835f948d8367628bdbda9e9437b8ed132a2b3692c1f1026358481d21ac8f9
Instruction ID: 007da4fd09d3cd24347e6bb18e00a4425f2cbebbb66a24670053f1e94aa996bb
Opcode Fuzzy Hash: 00b835f948d8367628bdbda9e9437b8ed132a2b3692c1f1026358481d21ac8f9
Instruction Fuzzy Hash: 46B19374E002199FCB55DFA9D990A9EFBF2BF48300F108629E519AB355DB30A9458F90

Function 02F87A18 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`eq, xrefs: 02F87B8A
`eq, xrefs: 02F87B0B
`eq, xrefs: 02F87C2C
tMIl, xrefs: 02F87ABC
`eq, xrefs: 02F87CAA

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: b883a1ab621de928deed31d20b6c52e056fbdda80a74eb5ddb2d5fa85373aac8
Instruction ID: 70ed1279066ab61c6aaf63c2f952801904b0bb0b3a03a9738324dda6c6c64c8c
Opcode Fuzzy Hash: b883a1ab621de928deed31d20b6c52e056fbdda80a74eb5ddb2d5fa85373aac8
Instruction Fuzzy Hash: 02B16374E002199FCB54DFA9D591A9EFBF2FF88300F108629E919AB355DB30A945CF90

Function 02F871F8 Relevance: 6.5, Strings: 5, Instructions: 210COMMON

Download Yara Rule

Strings

`eq, xrefs: 02F87B8A
`eq, xrefs: 02F87B0B
`eq, xrefs: 02F87C2C
tMIl, xrefs: 02F87ABC
`eq, xrefs: 02F87CAA

Memory Dump Source

Source File: 00000007.00000002.1787059974.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2f80000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: 83a51af69892c6096168cd8d217d94cb6687072c58056cbec8a6d1df1b5c05f8
Instruction ID: a036bfcb50d4b6ac00f5169250e2b8d08ee795bd9aedd0fb3cfd55c7ea93afac
Opcode Fuzzy Hash: 83a51af69892c6096168cd8d217d94cb6687072c58056cbec8a6d1df1b5c05f8
Instruction Fuzzy Hash: 4BA18174E012199FDB55DFA9D590A9EFBF2BF88300F208629E419AB354E730A945CF90

Function 073F2191 Relevance: 6.3, Strings: 5, Instructions: 61COMMON

Download Yara Rule

Strings

Tc<k, xrefs: 073F21F2
JJl, xrefs: 073F21C4
JJl, xrefs: 073F21BA
JJl, xrefs: 073F214A
$dq, xrefs: 073F2166

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: Tc<k$$dq$JJl$JJl$JJl
API String ID: 0-1017254200
Opcode ID: 17cba6ca20acffe7a53d6893612dae47a51d4634112fcee6b780571020f329bb
Instruction ID: b3801904d873a2f5981c5193802a5f601839d19144fb06f7769d392c025b9335
Opcode Fuzzy Hash: 17cba6ca20acffe7a53d6893612dae47a51d4634112fcee6b780571020f329bb
Instruction Fuzzy Hash: 06113DF6208B91CFE72247684C1196FBF71BFE23907184597C7888F55AC6345945C36B

Function 073F46CE Relevance: 6.3, Strings: 5, Instructions: 38COMMON

Download Yara Rule

Strings

4'dq, xrefs: 073F4725
4'dq, xrefs: 073F4719
XYIl, xrefs: 073F46F3
T9k, xrefs: 073F46E5
XYIl, xrefs: 073F46FF

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: T9k$4'dq$4'dq$XYIl$XYIl
API String ID: 0-2481805928
Opcode ID: 9a08c5d22a43ee90814b6357bc502553476f1417680105d3a9eab1b25c57a147
Instruction ID: f69418b1b5c49c0051150b1c0c68a3c4d6cdfa19f02eded0c3500fffac9e5077
Opcode Fuzzy Hash: 9a08c5d22a43ee90814b6357bc502553476f1417680105d3a9eab1b25c57a147
Instruction Fuzzy Hash: 3DF028F57002D64BEB0486685400B26BBD36FC32A3F310055CB0ACB660EB308D05C752

Function 073F5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$dq, xrefs: 073F5800
$dq, xrefs: 073F57F4
$dq, xrefs: 073F57C6
$dq, xrefs: 073F57AA

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 68307b8cc6adaeab348ca9660fbf121d8be06a51e4f65573348592ea2ae66b77
Instruction ID: ec45e0fca99290f051ca0268b0b21408b00ee810cb6ba12bb103ba7664a0dc19
Opcode Fuzzy Hash: 68307b8cc6adaeab348ca9660fbf121d8be06a51e4f65573348592ea2ae66b77
Instruction Fuzzy Hash: 172135B1310316ABEB34996AD800B37BBDB9BC17A1F24803ADB0DCB2C1DD35C9518361

Function 073F0309 Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

4'dq, xrefs: 073F037F
$dq, xrefs: 073F035E
$dq, xrefs: 073F0352
4'dq, xrefs: 073F0373

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq
API String ID: 0-4229963660
Opcode ID: 9d0320cf741d83136d9fff1698920fd98211d1a655939b5ecaea576b1c522792
Instruction ID: 8d3c139dbd5996aa4cc2341ddaaa708d318d729b6847478d6d642ceb4e64b925
Opcode Fuzzy Hash: 9d0320cf741d83136d9fff1698920fd98211d1a655939b5ecaea576b1c522792
Instruction Fuzzy Hash: CE11089171D3D24FD72B527C28305B66FB25F8329072E40EBD588CF293C9164D4583A2

Function 073F2109 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

JJl, xrefs: 073F214A
$dq, xrefs: 073F2172
JJl, xrefs: 073F2156
$dq, xrefs: 073F2166

Memory Dump Source

Source File: 00000007.00000002.1802979529.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_73f0000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$JJl$JJl
API String ID: 0-1139017277
Opcode ID: be5e15ed1d6707c57258ff03ba3f785b69e81fb5b78ebb650b37d73737231e1c
Instruction ID: 6015743fa8a7a52a92762a9b8d8aa145a975c9939c3db2b566eb9a2fcae16afc
Opcode Fuzzy Hash: be5e15ed1d6707c57258ff03ba3f785b69e81fb5b78ebb650b37d73737231e1c
Instruction Fuzzy Hash: 6F0128B120D7D18FD32342684C1161B7FB26FD3650B2951D7C688DF667C9244C45C366

Analysis Process: powershell.exePID: 7140, Parent PID: 7156COMMON

Executed Functions

Function 0307B470 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff3829ee9c1d35ccc7dccf19d6f685a3f52acdbb31a4a3229b8710bbc1afb67
Instruction ID: 0940e9d0ac03ab35e07113270d581916941d60bf330592cfd44b0f205a20a6f7
Opcode Fuzzy Hash: 4ff3829ee9c1d35ccc7dccf19d6f685a3f52acdbb31a4a3229b8710bbc1afb67
Instruction Fuzzy Hash: 83918E71F006195BDB15EBB899106AEBBF3EFC4700B00892ED506AB358DF34A9058BD6

Function 0307B490 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5455ee9e9b0d748da379db13e7aeaada45f1f48c2189a706a944a53b6e2fc035
Instruction ID: 6e76b59c6735d65557dbeb5d4e5edd7fba98ef3e5a8a39e193604f8395af6258
Opcode Fuzzy Hash: 5455ee9e9b0d748da379db13e7aeaada45f1f48c2189a706a944a53b6e2fc035
Instruction Fuzzy Hash: 03918E71F006195BDB19EFB899116AEB7E3EFC4700B00C92DD506AB358DF34A9058BDA

Function 07812308 Relevance: 44.1, Strings: 34, Instructions: 1556COMMON

Download Yara Rule

Strings

4'dq, xrefs: 078131C0
rIl, xrefs: 0781254F
4'dq, xrefs: 07812619
tPdq, xrefs: 07813068
$dq, xrefs: 07812CBA
JJl, xrefs: 078123D1
#9k, xrefs: 07812BA7
,SIl, xrefs: 07813469
JJl, xrefs: 0781237F
tPdq, xrefs: 07812D25
rIl, xrefs: 07812559
JJl, xrefs: 0781259E
$dq, xrefs: 07812CEC
RIl, xrefs: 07813294
$9k, xrefs: 07812EBF
4'dq, xrefs: 0781260D
,SIl, xrefs: 0781345D
p59k, xrefs: 0781344F
tPdq, xrefs: 07812D31
4'dq, xrefs: 07812EF8
JJl, xrefs: 078125EA
4'dq, xrefs: 07812BE7
$dq, xrefs: 07812CE0
JJl, xrefs: 078125F6
tPdq, xrefs: 07813330
tPdq, xrefs: 07813324
?l, xrefs: 07812D8F
?l, xrefs: 07812D9D
4'dq, xrefs: 078131B6
JJl, xrefs: 078123C5
4'dq, xrefs: 07812BDB
4'dq, xrefs: 07812EEE
RIl, xrefs: 0781342B
tPdq, xrefs: 0781305C

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: ,SIl$,SIl$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$p59k$tPdq$tPdq$tPdq$tPdq$tPdq$tPdq$#9k$$9k$$dq$$dq$$dq$JJl$JJl$JJl$JJl$JJl$JJl$RIl$RIl$rIl$rIl$?l$?l
API String ID: 0-1764908402
Opcode ID: 340428cb1efcc53d26ed3cae93d98cd651960b2e1fdc0d75d8f1d58f7785af42
Instruction ID: ec5f9ad5c336514df485c79755a30f6b1bbe1b4ded74f36ce7c8012bb1d187f9
Opcode Fuzzy Hash: 340428cb1efcc53d26ed3cae93d98cd651960b2e1fdc0d75d8f1d58f7785af42
Instruction Fuzzy Hash: B3B24CB1B04356DFCB25DF688811BAABBE9BF95321F1480BAD905CB691DB31CC41C7A1

Function 07813CE8 Relevance: 5.6, Strings: 4, Instructions: 572COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07814180
4'dq, xrefs: 0781418A
4'dq, xrefs: 07814030
4'dq, xrefs: 07814026

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq
API String ID: 0-2296240322
Opcode ID: b6735c1eea3c6876cf3a46ddab530470b4a2bf76b8f726b9fde582e55ef2ebfe
Instruction ID: cfe14abdb2310a681e9ba68b9277e7671c0a25ee1f311ac100260d293e9d11ad
Opcode Fuzzy Hash: b6735c1eea3c6876cf3a46ddab530470b4a2bf76b8f726b9fde582e55ef2ebfe
Instruction Fuzzy Hash: AD1238F1B003568FCB159E69C411B6ABFEAAFE1351F2480AAD909CB681DB31DD41C7A1

Function 03076FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(hq, xrefs: 03077105

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 9070aaba6dd76588725084de1970fdb5062542596f9c1bf6a95492b34917b26f
Instruction ID: 7866ed77c35e9ce17e98eb74598defd11ddb12d7073f770fa60bdc9d103cbdc9
Opcode Fuzzy Hash: 9070aaba6dd76588725084de1970fdb5062542596f9c1bf6a95492b34917b26f
Instruction Fuzzy Hash: A6412634B04204CFDB54DB68C4A8AAEBBF6EF8D751F188499E506AB391DB35DC01CB64

Function 0307E610 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

JJl, xrefs: 0307E6EA

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID: JJl
API String ID: 0-415269788
Opcode ID: 06c692de0d85765ab6d6b4b175a49a8855b46c1299d1e00b8888387ef900e96b
Instruction ID: 0834f3369092ac7ab7a5be9bc8f56b9aa5894fa371e6b4535f7e08165e8e3f64
Opcode Fuzzy Hash: 06c692de0d85765ab6d6b4b175a49a8855b46c1299d1e00b8888387ef900e96b
Instruction Fuzzy Hash: 4A419D30A062499FCB15DF78D554A9EBFF2EF49244F2485ADD006EB396DB30AC05CB91

Function 0307E640 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

JJl, xrefs: 0307E6EA

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID: JJl
API String ID: 0-415269788
Opcode ID: 860567253ddecc8bc7923ac71d5c884c52a0f8f7342d6560b6efa712cd4bfa65
Instruction ID: ecf62a26b7f87f882d3f8e06ba33b042c08b81f2ab2c5a12fb30a29c5fcb0245
Opcode Fuzzy Hash: 860567253ddecc8bc7923ac71d5c884c52a0f8f7342d6560b6efa712cd4bfa65
Instruction Fuzzy Hash: E1317A70A012199FCB14DF69D594A9EBBF2FF48345F108968E419E7395DB30AD01CB90

Function 0307AF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&dq, xrefs: 0307AFBA

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID: (&dq
API String ID: 0-1586597270
Opcode ID: 6b064705ef209fc20a672a626fb61920e3a94b66207848ceaac50c254d0a87e2
Instruction ID: d770e916acb5576e684ab6eb43ceae85d87772ab128140f9b82fb66755419146
Opcode Fuzzy Hash: 6b064705ef209fc20a672a626fb61920e3a94b66207848ceaac50c254d0a87e2
Instruction Fuzzy Hash: F621A171E042588FCB14DFAED404A9EBFF5EF89320F14846ED519A7340CA7599058BE5

Function 0307E7B8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9aa4d51146afafccd0b66219b4cb15a9af95f46f216203f01d817d776add1d
Instruction ID: cded980bf72a8ed91cb1fdf085896bd603f615075f7980e51c85e98774f10835
Opcode Fuzzy Hash: 2a9aa4d51146afafccd0b66219b4cb15a9af95f46f216203f01d817d776add1d
Instruction Fuzzy Hash: A1916E74F122248FCB54DF78C594A6EBBE6AF88610B2844A9D905EB355EF30DC02CB94

Function 030729F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ec63656496fd0e8124a0697e8a82e2eea844a619444ec6012b0f14214f7a31
Instruction ID: 8a330ff7c15e9e7c703c58f09dd4e952f5a300f92da59b2562c468562564c857
Opcode Fuzzy Hash: 16ec63656496fd0e8124a0697e8a82e2eea844a619444ec6012b0f14214f7a31
Instruction Fuzzy Hash: 80919B74A012059FCB15CF9DC4949AEFBB5FF48310B288999D815AB3A1C735FC91CBA4

Function 03077740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858f068eb5ad512c3a015c902660b43d6acfcacc7a10e943176ec78e1e4f0756
Instruction ID: f2711a38f49fc779add2630fde331752f49773a24b0080fdb9f143020085b3e6
Opcode Fuzzy Hash: 858f068eb5ad512c3a015c902660b43d6acfcacc7a10e943176ec78e1e4f0756
Instruction Fuzzy Hash: 0951D0307012059FD744DB79D844A7ABBEAFFC9695B1888AAD509CB352EB31DC01CBA0

Function 0307BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2566a3e23d249447b2c4cd4bc96bb20f61c8de0e89a8dce6f561b1b5e58b87c
Instruction ID: df121a4a5baa05478725ecc0847050b7c6a6d4ce8d4dd34f9770772402da78e0
Opcode Fuzzy Hash: d2566a3e23d249447b2c4cd4bc96bb20f61c8de0e89a8dce6f561b1b5e58b87c
Instruction Fuzzy Hash: 4C611971E012489FCB54DFA9D584A9DFBF1FF88310F29816AE809AB354DB709D41CB54

Function 0307BAB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931712acc4aa79854f58fac71b78c31521af6433a4219c753fa99cea2dee4607
Instruction ID: cc8a6f8400ce758d0da6cba01d91da47bedb307db7cd3a9f0619c5755c53635a
Opcode Fuzzy Hash: 931712acc4aa79854f58fac71b78c31521af6433a4219c753fa99cea2dee4607
Instruction Fuzzy Hash: 49513871E012489FCB54DFA9D584A8DFBF2FF88310F29806AE809AB355EB309841CB54

Function 0307E419 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239d471b5a49953eebbe96b24313585128a9874616cd9deedef78044e6c8f747
Instruction ID: 17a4973cdc0eaa0306914ac45b3efa5b5561365de1852819c105871cfe188692
Opcode Fuzzy Hash: 239d471b5a49953eebbe96b24313585128a9874616cd9deedef78044e6c8f747
Instruction Fuzzy Hash: 07518674B012158FCB10DF6DC48496ABBF6EF8932575985A9E449CF362EB34EC02CB91

Function 0307E428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d678e76748e496d2898cd453b17af99e347ccb773d8a36ce46dae146385ba8
Instruction ID: 9d67989a9fa9f3d86a0d4b84969451ceb64541e9ca1136aa2b4fa56172b28a47
Opcode Fuzzy Hash: b8d678e76748e496d2898cd453b17af99e347ccb773d8a36ce46dae146385ba8
Instruction Fuzzy Hash: 17417B74B012158FCB50EF6DC58492ABBEAEFC935575984A8E449CF351EB34EC01CB91

Function 07813CCC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ee370aa1da8f5a48e63cba2c29032f902a3b79a4cbf1961e4a341291c38794
Instruction ID: 3eea08919dd7689f62cabcd126ffc03a13579e8894918fa736876e044d95502f
Opcode Fuzzy Hash: a3ee370aa1da8f5a48e63cba2c29032f902a3b79a4cbf1961e4a341291c38794
Instruction Fuzzy Hash: B14116F5A00302DFCB258E24C501A7ABFBA9F91254F1480A5D904DFE56D731ED45C7A1

Function 03072B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a64e0a83f2284acb9752ae6b524d73716734210920515cc9793dcbc7961816b
Instruction ID: a7965d13c305216e96650822babb7231a4f3670a3a233c25b2f54445313edad7
Opcode Fuzzy Hash: 7a64e0a83f2284acb9752ae6b524d73716734210920515cc9793dcbc7961816b
Instruction Fuzzy Hash: 214158B4A015058FCB05CF49C4989AEFBB5FF48310B2585A9C815AB364C736FC91CBA4

Function 0307C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3673c8a2abc7d68fd5b8faa740ec91ca11a0d144c1f897a7636e92aceb0639be
Instruction ID: dd63faa2c6b27a4b3cdf9ea9cbd821183149505cb924e5d27dc5c19359f6898b
Opcode Fuzzy Hash: 3673c8a2abc7d68fd5b8faa740ec91ca11a0d144c1f897a7636e92aceb0639be
Instruction Fuzzy Hash: 0931BC313012119FD704DB78E880BAEBBE6EFD4256F148679E20ACB355DF70A845CBA1

Function 03076FD1 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f5177e281ced2b44ff73d0ab98a11c73fde0c16bbad5b11501519009bbef22
Instruction ID: 88089bbdd3adcedf9e7360dce30bd5425ef37a38f03bc89a19180fdce7d9f62e
Opcode Fuzzy Hash: 87f5177e281ced2b44ff73d0ab98a11c73fde0c16bbad5b11501519009bbef22
Instruction Fuzzy Hash: EF311734B01209CFCB58CF68C498ABEBBF1AF8D655F1845A9E502AB352DB31DC41CB64

Function 0307AE60 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c89d09efc69d73e37f89fde469e9fc15893e068c24004f4e4781d5a00b6d423
Instruction ID: 5e690c3891f18c1f9534a0be7a0713f456667f27247d006f92b125b171285c15
Opcode Fuzzy Hash: 9c89d09efc69d73e37f89fde469e9fc15893e068c24004f4e4781d5a00b6d423
Instruction Fuzzy Hash: 99314974F012099FCB05DBB9D494BAEBBF6EF88311F248069E505EB350EB748C428B65

Function 0307AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f911ecf516e2f88749d5e9021e4d1b99a27fac710712664376d10ebf68d17cf0
Instruction ID: bc3e6bd69b5e38fd38023c443aaad20af5f7adb2f2d91ecb3d105e5e3a20544d
Opcode Fuzzy Hash: f911ecf516e2f88749d5e9021e4d1b99a27fac710712664376d10ebf68d17cf0
Instruction Fuzzy Hash: 96314A74F012099FDB04DFA9C494BAEBAF6EF88350F148069E505EB350EB349C018B65

Function 0307AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9a8d368143ef0158a49851f02b95b00e2682958d430d56c47c628c1205dadc
Instruction ID: 2706ed2023269424271d3f0eb97b294127658e23b824eec7d4a44fcb9b0bf165
Opcode Fuzzy Hash: ac9a8d368143ef0158a49851f02b95b00e2682958d430d56c47c628c1205dadc
Instruction Fuzzy Hash: C4318FB4E0424A9FDB05DBA4D954AAEBBB3EF84300F2184ADD601AB3A5CA359D01CF51

Function 0307E049 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53703f1830fe6c4cedaff041994e199028b1e6098995e5216a6b44a4bf7a1968
Instruction ID: d682ed51449ac34f8f2537502fcdf7a46134069c3b5068a3285d89f2f430fd2d
Opcode Fuzzy Hash: 53703f1830fe6c4cedaff041994e199028b1e6098995e5216a6b44a4bf7a1968
Instruction Fuzzy Hash: D4312970E012048FCB54DB68D458A9EBBF6BF88354F1444ADD506EB365DF309C41CB91

Function 0307E058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b332d9e46ca6107a180129b177f3998fda1d1a2b7768edebc26507f888011f
Instruction ID: 6d9600f8853487e5601a8903aac7f69809e5bb78d1b7ed735438aa34f75b5b32
Opcode Fuzzy Hash: 75b332d9e46ca6107a180129b177f3998fda1d1a2b7768edebc26507f888011f
Instruction Fuzzy Hash: C0312870E012058FCB54DB68D458A9EBBF6BF88354F1444ADD506EB3A1DF30AC41CB95

Function 0307AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738e975c2d8d48486c0acaab4666f827f9638f4c998a14d8685d0c4892e5f763
Instruction ID: 0bff3178626198ad12d7c2bce700340861c62a04c58bebd775d78b463fe689eb
Opcode Fuzzy Hash: 738e975c2d8d48486c0acaab4666f827f9638f4c998a14d8685d0c4892e5f763
Instruction Fuzzy Hash: 833150B4E0020A9FDB04DFA4D955BAEB7B3EFC4340F2084A8D611AB395DB35AD018F90

Function 02FCF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1827598181.0000000002FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2fcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de33055a39e4a3819b598706f4f1b8ea33f4d86fac65d46546e298c4af35d53
Instruction ID: bb88a90fefb3660a8984eae035565d28dad8ea4e571824d36aebc0c3526e908b
Opcode Fuzzy Hash: 1de33055a39e4a3819b598706f4f1b8ea33f4d86fac65d46546e298c4af35d53
Instruction Fuzzy Hash: D4210572600201EFCB05CF14DAC0B16FB66FB88314F24C6AEEA094A656C336D456CBA1

Function 030793F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe5b807451e90634467b30724c7ed2aa99aabd4199fa4b6cf103c0ab5f67e85
Instruction ID: 4a3e2dec87a271d08ae5310a9f2d278df1569b681c822068869f196c8d459be9
Opcode Fuzzy Hash: cbe5b807451e90634467b30724c7ed2aa99aabd4199fa4b6cf103c0ab5f67e85
Instruction Fuzzy Hash: AC3189B1D067848EDBA0CF6AC08878AFFF2EB89320F28C45DD44D9B246C7745485CB65

Function 02FCF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1827598181.0000000002FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2fcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe5927bc5831bebb39a40b072b8648df33484a4efc89679603c91700c93a2f9
Instruction ID: 835847ce4d5ea1907283065f7fd5ab3b38983c104f95171756a7b639c789fb50
Opcode Fuzzy Hash: efe5927bc5831bebb39a40b072b8648df33484a4efc89679603c91700c93a2f9
Instruction Fuzzy Hash: BF212576A44201DFDB14DF14CAC4B16FBA6FB94B24F34C66EDA0A4B742C336D406CA61

Function 03079400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31b6f97d5af901fc703d3288670df416da582c15af6589724fe3e698198f585
Instruction ID: 6b4008d50824ee6118e0dedc10c8d43449177308b2ed0223b4ea14b2b4c68ae0
Opcode Fuzzy Hash: a31b6f97d5af901fc703d3288670df416da582c15af6589724fe3e698198f585
Instruction Fuzzy Hash: CC2177B1D027448EDBA0CF6AC48878AFBF6EF89320F28C45ED84DA7245C7746481CB65

Function 0307767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab75eed5e4981022406dfe8b90853e5fb558fa40aaeda796a6c75ddce79f79d2
Instruction ID: 690951a4dc291d142c71f96999cad3deff39a238d71637ff278f7fb4c215856d
Opcode Fuzzy Hash: ab75eed5e4981022406dfe8b90853e5fb558fa40aaeda796a6c75ddce79f79d2
Instruction Fuzzy Hash: 83112E75B001188FCB14DBA9D8449ED7BF6EBCC666B1440A9E609DB354DB34DC018BA0

Function 078128E8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7994c65587047dc275446f2bcc1635b1693343bfae4f44a1f0677daf6d8a7ad
Instruction ID: 2e00b383a6e640b35cec92b8390d817e901a41216d09b15f76d570f1ed0b055d
Opcode Fuzzy Hash: d7994c65587047dc275446f2bcc1635b1693343bfae4f44a1f0677daf6d8a7ad
Instruction Fuzzy Hash: 23118CB1B1020ADFDB20CF6DC581FAABBF9BB65221F448066D909CB251D731D885CBA1

Function 02FCF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1827598181.0000000002FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2fcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction ID: 83d09e3322a46a479d4b28d8ff7f85eae30d77f485dd7d28cd1cebbe3c30e8ac
Opcode Fuzzy Hash: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction Fuzzy Hash: 79218C76904241DFCB06CF10DAC4B16FF72FB88314F24C6AED9494A656C33AD46ACB91

Function 02FCF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1827598181.0000000002FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2fcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction ID: d660fc9ed3fd10256f5460dddae27d6a87ec12d5f7d1b3a601ac9eace3a03f01
Opcode Fuzzy Hash: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction Fuzzy Hash: D911DC759442808FCB05CF14C684B15FB62EB44724F24C6AED90A4BA52C33AD40ACB51

Function 0307BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c217df914c92424bf74dee0fbbbfc9d222663297e3df533f1820ecdeea5e4d88
Instruction ID: 1a93ccad0a41193373f3d66092168aa6b7b78252cc24fdeecbf68fbc0cbac548
Opcode Fuzzy Hash: c217df914c92424bf74dee0fbbbfc9d222663297e3df533f1820ecdeea5e4d88
Instruction Fuzzy Hash: 5A01F9316093449FC755CB79D954A567FF4EF45210F1884EED08ACB6A3D720EC45C701

Function 0307DF20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42479c5c3d7a6c0925c13d6e39fd9314564bc0ca2b83f786524463ded3ee86e7
Instruction ID: 28b29e0cf4ce320ca4036fc7ff49245a752edc5454fe0891e90850c24b58ec7c
Opcode Fuzzy Hash: 42479c5c3d7a6c0925c13d6e39fd9314564bc0ca2b83f786524463ded3ee86e7
Instruction Fuzzy Hash: 1B015235B012189FCF119B74E818AAEBBF5FB89315F1440ADE51AD3242DB329911CB91

Function 0307DC98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910ba9236cc076e42c9d8f591f1500113ae0e43011e099c09b997a8d6c692fed
Instruction ID: b290e7fb2053c923663f4e30943b12d65cf8e5b343115029efeb844e0215e1a3
Opcode Fuzzy Hash: 910ba9236cc076e42c9d8f591f1500113ae0e43011e099c09b997a8d6c692fed
Instruction Fuzzy Hash: 4F111735204750CFC768DF79D08186ABBF6EF8921532489ADD48A8B7A0DB36F942CF50

Function 0307BF10 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f218d0ab4d0e7f9c1a120f1abf8a9810f99a63f017e3418edeab8856aaaffbc7
Instruction ID: 9da72fbbacbe83dbea59f5d940366e9d020200770615402e10cff5d113f7d5e9
Opcode Fuzzy Hash: f218d0ab4d0e7f9c1a120f1abf8a9810f99a63f017e3418edeab8856aaaffbc7
Instruction Fuzzy Hash: 2D0181317093902FD7118A7A98509BBBFE9DFC652070945ABF985CB263C560CC05C760

Function 02FCD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1827598181.0000000002FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2fcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89aadbe636aea6e1b805a73d80cf4f4e26c5578c195bc2de711e09759fb08010
Instruction ID: ca3ddf4c8eb94f589e9e531e758fc757f4a0f083fb622bdfbc6d5d26bb55937f
Opcode Fuzzy Hash: 89aadbe636aea6e1b805a73d80cf4f4e26c5578c195bc2de711e09759fb08010
Instruction Fuzzy Hash: C501F7725443419AE7104E1DCE84B6BBFD8DF51BB5F28C42EEE080B28AC7799846C6B1

Function 02FCD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1827598181.0000000002FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2fcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a3b3c351aaf40d8cd63f5074c354c8f2d71eb40c7f60954a9d7d7429ff255d
Instruction ID: e1ac06af1f63b179e5370808d5e9276b55facde76f98d510facba2ff6147b581
Opcode Fuzzy Hash: 06a3b3c351aaf40d8cd63f5074c354c8f2d71eb40c7f60954a9d7d7429ff255d
Instruction Fuzzy Hash: A601922140E3C05ED7128B258D94B56BFB4DF43634F1DC0DBD9888F2A7C2695849C772

Function 03077958 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0a3fa7f4c28d45bc3c0d7d52f7d3544f4db9fc0a93584d04f327b447f91296
Instruction ID: 3f10d5a2dbf3e4f5d8f4dec1b8b5d1aaeb7b8cd282a832cebdfc578a0d82176b
Opcode Fuzzy Hash: fe0a3fa7f4c28d45bc3c0d7d52f7d3544f4db9fc0a93584d04f327b447f91296
Instruction Fuzzy Hash: 38F0463170A3945FD3128779D8849AF7FF9EF8A26170406AEE149CB292DF205C05C7A1

Function 02FCD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1827598181.0000000002FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2fcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79531c6761c00f067387f00b2606c18209b6cd35d1c27df3e33b2dfd09dd92f
Instruction ID: 47e0e7d25b60d95f0cdffa4b774e4e2c01d30513aae8c7c326912aa4aee47d95
Opcode Fuzzy Hash: a79531c6761c00f067387f00b2606c18209b6cd35d1c27df3e33b2dfd09dd92f
Instruction Fuzzy Hash: 2CF0F9B6600600AF97248F0AD985C27FBADEBD4770719C56AE94A4BB12C671FC41CAA0

Function 030790D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c394a2c2effaf0d3cb39c8fed8e647736c223d273be89b49f387075da58040
Instruction ID: acba44d8d646eb3ae71ac5d552aaaa9e6af32a38511c5b780d5a6eae26057afa
Opcode Fuzzy Hash: 33c394a2c2effaf0d3cb39c8fed8e647736c223d273be89b49f387075da58040
Instruction Fuzzy Hash: F0F04C716042545FD3019B34C4093AB7B71DFC5355F20C09FC6058B356DE362C02CBA0

Function 0307DEC1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070e7dbddc00e71d873d15e48a2e4e78e47a35ab414ea4bafa4d5cf55291c859
Instruction ID: e3aa4583c52db64342db83b9bfe0693965127b1784b720ccf7586e266c602268
Opcode Fuzzy Hash: 070e7dbddc00e71d873d15e48a2e4e78e47a35ab414ea4bafa4d5cf55291c859
Instruction Fuzzy Hash: 4EF058357152819FC3519B2DD49486ABBF6EFCB61132940EAE186CF332CA21DC02C790

Function 02FCD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1827598181.0000000002FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2fcd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72273f15e516f878543b4054fa35e06eaf5593b51ece81c4710ccd795f6342d
Instruction ID: 68af62538c09e73cb5819562e79ca4414d3592cbc80c21076fda19123eb531ab
Opcode Fuzzy Hash: b72273f15e516f878543b4054fa35e06eaf5593b51ece81c4710ccd795f6342d
Instruction Fuzzy Hash: 20F04F75100640AFD315CF05CD85D23BBB9EBC5660B19849DA8494B712C630FC41CB60

Function 03079158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2f913c6c30aad446cb45d999bc11a43f729fdecc17b3ec4edf8bdea41db302
Instruction ID: a3fec0908683ab04896c0e8f6f64910e264b624db19ef389d6854431fc8ea457
Opcode Fuzzy Hash: ef2f913c6c30aad446cb45d999bc11a43f729fdecc17b3ec4edf8bdea41db302
Instruction Fuzzy Hash: FCF0BE70A093585FC761CB78D89839ABFF5EB42310F2484EED68EC7282DB356881CB50

Function 03077968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fafe310b65e132565da53951c594581a333154ff13dbba27ac3515e0b72e89
Instruction ID: f0ffe9e4bb2d03de20cade62bc458c22e0ae506e957c6b39bd151b80d7b23149
Opcode Fuzzy Hash: 83fafe310b65e132565da53951c594581a333154ff13dbba27ac3515e0b72e89
Instruction Fuzzy Hash: 2CF0A7717007149FD7109659E88497F77E9EBC8675B00052DE20DC3340DF30AC4187A4

Function 0307E7A8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2e4e278ac2bd4c8338e09c464744577532809ddabe0fdd3d981e122a52830b
Instruction ID: 1457133c104765050bf1e85b8be1e4dbeaf4f723c2063e63937596bc5bb7492c
Opcode Fuzzy Hash: 9d2e4e278ac2bd4c8338e09c464744577532809ddabe0fdd3d981e122a52830b
Instruction Fuzzy Hash: A5E02231F0628469DB61867CD8858DFBF64EBCA220F2804FDD6C3AB203C6A10806C351

Function 0307DD0F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37af86d726e44da37b7c091ee8e1af4ac98e06ec031c203a676e81bab626a117
Instruction ID: 71a9e5453021f99f07b25c42d5303db1c706d8be24ab49809302bfd5f17069c8
Opcode Fuzzy Hash: 37af86d726e44da37b7c091ee8e1af4ac98e06ec031c203a676e81bab626a117
Instruction Fuzzy Hash: 2BF0553164A3505BC312823CA8008AF3FEADEC7171314409EE146CB202CA108C0787A6

Function 030790E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e86f74f4ffc8ded0d30f9d05edc72bb85f89558ed8140140eb4f60ae5e99ec
Instruction ID: c274e3dcc8da37459bd9c0228e50856adb6ea30b398558af537186a0ec6dbef0
Opcode Fuzzy Hash: d4e86f74f4ffc8ded0d30f9d05edc72bb85f89558ed8140140eb4f60ae5e99ec
Instruction Fuzzy Hash: D8F02775A042245BE304AB64C0083DBB7B6DBC4355F20C16ED6094B388DE3A2801CBE0

Function 03077697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2752bdf8ac020e814943d6a728b3a98397adde1709081953941a18e2afe199a
Instruction ID: 9a364242f3bd5f5c1c24744d6a7a937c1872998386e8c29f0949a2102df5d8f2
Opcode Fuzzy Hash: b2752bdf8ac020e814943d6a728b3a98397adde1709081953941a18e2afe199a
Instruction Fuzzy Hash: 40F0A079B001188FCB10CB6D9840AAA7BE6EBCC696719419AE609CF314DF34DC028BA5

Function 0307DED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ef9da7c336a4db75dfba4757f6bcfff1c8092feed4e2a230488ad778de6eca
Instruction ID: 36fd23bd1161e55045d2fcdd8447e9b7d2c92c29f73e77fb9a64b3df6be4dbec
Opcode Fuzzy Hash: d1ef9da7c336a4db75dfba4757f6bcfff1c8092feed4e2a230488ad778de6eca
Instruction Fuzzy Hash: 90E065357102108F8200EB1ED498C26BBEAEFCE62132900AAE549CB321CA61EC018B94

Function 03079542 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b87a6e5caeed6792503c6b50d4976c5591a6d0c63eb8af4aa4041d17efb7467
Instruction ID: b2a0f006b95928b4002e13da5450f47fca33e0fcdbec784c5519225473991237
Opcode Fuzzy Hash: 4b87a6e5caeed6792503c6b50d4976c5591a6d0c63eb8af4aa4041d17efb7467
Instruction Fuzzy Hash: C3E0DF21B0B3A11AC7A692B814155FBAFE94DC60A471D41EFD985CF253D9508C02C7E6

Function 0307E92E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da509aa3fe4bacbdd7272b34f071d51729ec03e202ffd125dd98d9ea85916bb
Instruction ID: 49f4e39537d358922ca49ca4e8d1c227c500c79f5061ae70513ad64133a40f92
Opcode Fuzzy Hash: 1da509aa3fe4bacbdd7272b34f071d51729ec03e202ffd125dd98d9ea85916bb
Instruction Fuzzy Hash: E3F07F39A52118DFCB04CF98E589D9DFBB2FB88311B258599F905A7352DB31ED01CB40

Function 0307896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7f4528f8e0cd01dd943aa6bd28f52a2b722d447934e457682b6d0f9287194c
Instruction ID: bee807f5f0dde4f582f992af1e10d15e57b788ccb713569d93c1645f3e2c3f1a
Opcode Fuzzy Hash: ff7f4528f8e0cd01dd943aa6bd28f52a2b722d447934e457682b6d0f9287194c
Instruction Fuzzy Hash: A0F0A0347093A45BCB0AA774941C5AEBF72DBC1324F0401EED64ACB243CF68080A87A6

Function 0307DD60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2229d4d1137e807ac7b9191f4c5b15da243851cb8f95a680e3041c796568c67
Instruction ID: d4975cfa5471995f95bcb6d738dd301c7e8f65f6836b4244f57a8f02aa2a03b8
Opcode Fuzzy Hash: b2229d4d1137e807ac7b9191f4c5b15da243851cb8f95a680e3041c796568c67
Instruction Fuzzy Hash: 40E0ED32B05180EA8709D7ACD4908EDBF61EFC9220B1488BED5879B322CA315816C791

Function 0307AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a8a4350d86224493486f0ced3315ff2bdb9871c68d37eb95924f43fa227ddb
Instruction ID: 96eb73370263709351a11148983266c1eb9512695f92da3f0977f715adcc3d8e
Opcode Fuzzy Hash: 94a8a4350d86224493486f0ced3315ff2bdb9871c68d37eb95924f43fa227ddb
Instruction Fuzzy Hash: 23E09A26B0E2D11A8B1A823DA4604AAEF728AC322031D82FAE085CF343C8518C0783A1

Function 03079168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f39f4cd05a15fac77584c249557d7dc3b5eaacdb8132ed3933653dea23e3e27
Instruction ID: bf72911044426b98cc470660a819bcd912e14ff790c8e7928e4d9c14ca137d57
Opcode Fuzzy Hash: 6f39f4cd05a15fac77584c249557d7dc3b5eaacdb8132ed3933653dea23e3e27
Instruction Fuzzy Hash: 75F06D709003184BD760DF78D89C39ABBE9EB44350F1044ADE60EC3340DB356880CB90

Function 03078978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d1ecb16edfcd780c6dea8f7e1c48ffe41e2d5fa859b4fb73bba62b552e2447
Instruction ID: 0114612b4695936e24074b4080fad9edb24cae5ba79eb9ea9f2b0890ff45b4c7
Opcode Fuzzy Hash: 63d1ecb16edfcd780c6dea8f7e1c48ffe41e2d5fa859b4fb73bba62b552e2447
Instruction Fuzzy Hash: 2DE0263570432857CF09B774A80C2EEBA5BEBC4729F0000AED60AC3341CFB9190283E9

Function 03079550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d88fb22b508c43493608ee22fd76dcb6309afa6956c2fff91dae76abe95d8d
Instruction ID: 1fa18877d463044a41689592236ef69e64e170ab44af4d00b86e16e8663a42c5
Opcode Fuzzy Hash: e2d88fb22b508c43493608ee22fd76dcb6309afa6956c2fff91dae76abe95d8d
Instruction Fuzzy Hash: 83D09E16F43235175594A1FA18156FBA1CE8EC94E57094176EA09CB241EE64CC1147F9

Function 0307DD20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77526a6a8918e45461c2dbf217bc7da3f37c5ef9bad56ca6702bc0701476be56
Instruction ID: 0aa99c0b1ad94685551059a42159aa026e44bc8a1b115af70452780d3f1f8330
Opcode Fuzzy Hash: 77526a6a8918e45461c2dbf217bc7da3f37c5ef9bad56ca6702bc0701476be56
Instruction Fuzzy Hash: 68E0CD31741618478611A61DE81045F77DFDFC96B6324446DE109C7340DF64DC0647EA

Function 0307DD70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 3799644940298489211c89996088eedc357b1e0afc0d183ca74567c90bb70315
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 8FE08631B10014978B08E699D4505DDF7A5DFCC220F04847FD90AA7340DA3269168695

Function 03078739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5138f69d37f4ad612d774c3ea0d7c6360b9ad46965d0d28fb38f33ca368a2a67
Instruction ID: 9a05b4b244e587a66b209d759f6900b906716120a695d5cb2e7235de5453e27b
Opcode Fuzzy Hash: 5138f69d37f4ad612d774c3ea0d7c6360b9ad46965d0d28fb38f33ca368a2a67
Instruction Fuzzy Hash: E8E04F31C0815D9BCF49EBB4D85A4EE7F34EB15301B5044DCDA9782192DA615947CBC5

Function 03078800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd29992105946c365fd4dffb0d8a2922d91b3b752153f32b0cf1c3ecba7b136
Instruction ID: 4030869f70627f42d5fb83a6c53f45916f31c4a90094b669eb0912ce91200521
Opcode Fuzzy Hash: 7dd29992105946c365fd4dffb0d8a2922d91b3b752153f32b0cf1c3ecba7b136
Instruction Fuzzy Hash: ABE04830D0924A5BCB59DB78D44646FFFB0EB45214B1442ADD946D7213D6311846CF81

Function 0307F460 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a43f94557b20c05af7a65e06c32e9107e286be800674c9b0b84ae9a74d901e
Instruction ID: eec2132961f2bf509eee8c0da7a3cfa2d973433c9b85e89d7b6ebebeaf7d30e9
Opcode Fuzzy Hash: 96a43f94557b20c05af7a65e06c32e9107e286be800674c9b0b84ae9a74d901e
Instruction Fuzzy Hash: 32E04F70E441468F8B80DFBC84415ADFFF0EB49240B2085AEC508E7201E3324611CF91

Function 0307F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 3aea60573e1a55ce1ded693c91ed2f16ddafa558867f8e6af224388f79139f38
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 89D067B0D0520A9F8780EFADC94156EFBF4EB48200F6085AA8919E7301E7329A12CBD5

Function 03078748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1688cd930c972c35a99895f101dcc18a1223c8fcf7275313035d0e36112d0938
Instruction ID: 7bfc534feaf031df776864dafb42a2ad4aba48f7c4282beca64138ac0f2b6511
Opcode Fuzzy Hash: 1688cd930c972c35a99895f101dcc18a1223c8fcf7275313035d0e36112d0938
Instruction Fuzzy Hash: A7D01730C0411D8BCF48EBA4E81A4BEBB34FA10301F5041ADD91792191EA701A4ACBC4

Function 03078810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277ea43e7687783d37223f6d52857276e6aa5ad2685c16c3d74bec33f90587cf
Instruction ID: 579f9dfb38d6be86c279f1d4785be56ddb445110e488d037deaaaf0743a69d20
Opcode Fuzzy Hash: 277ea43e7687783d37223f6d52857276e6aa5ad2685c16c3d74bec33f90587cf
Instruction Fuzzy Hash: 8AD01734E0920E8F8B48EFA4E44A86EFBB5EB44200F1081A9DE09D3350EA306D01CBC1

Function 0307EA57 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb8e5b2133f5f5b5016c7663087f249cb58547b7d55e10df098c899dc88ccc1
Instruction ID: 866eae9211b5b7d72294177abf2075b172dcda485ba0f3d2053f337bc3df96fc
Opcode Fuzzy Hash: 8cb8e5b2133f5f5b5016c7663087f249cb58547b7d55e10df098c899dc88ccc1
Instruction Fuzzy Hash: 61D09239E42218CFDB04CB98E895A9DF771FB84325F2084A9E51997251CB32A912CB40

Function 03077932 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17bafa10d5200fccb7f5c852a50008f11b43d6e3bd37f472508a03fd728a5057
Instruction ID: ea081920e598e96c6306b1338acc27553cf2ec505009ee7bac828e2cd215a205
Opcode Fuzzy Hash: 17bafa10d5200fccb7f5c852a50008f11b43d6e3bd37f472508a03fd728a5057
Instruction Fuzzy Hash: 51D0C93404E7C8AFC75B9F7894D48593FB0AE1322470906DED88A9F1B7C9668458CB16

Function 03077EA0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c32886b70947ee4d467006eb20db55832963cc04c0f6e244144ca318c17225
Instruction ID: 8f768a7fa6b75bcf066b4f69a995c363d1a21cd889827bfeb2a62b9482e55a31
Opcode Fuzzy Hash: 01c32886b70947ee4d467006eb20db55832963cc04c0f6e244144ca318c17225
Instruction Fuzzy Hash: 72C04C1551E7D11FDF0B9B3548755577FB24E4720431A92DAC0C1CB4A3C915480AD752

Function 03077940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaada66bd75ca3410976dbf31bc3816946abdb7507bdfd26db019a4c2bf0b43a
Instruction ID: d0d2a25676e158fabfa93711d86ffc151b70ac88778aae65f50d88ea83038de0
Opcode Fuzzy Hash: eaada66bd75ca3410976dbf31bc3816946abdb7507bdfd26db019a4c2bf0b43a
Instruction Fuzzy Hash: F2B09230044708CFC2486FB9A4448157329AB4021978014A9ED0E0A2A68E36E884CA44

Non-executed Functions

Function 07811BE0 Relevance: 20.4, Strings: 16, Instructions: 398COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07811F89
rIl, xrefs: 07811C5D
84Gl, xrefs: 07811F6C
JJl, xrefs: 078120CE
4'dq, xrefs: 07811C86
$c<k, xrefs: 078120B4
tPdq, xrefs: 07811FDF
tPdq, xrefs: 07811FEB
JJl, xrefs: 078120C2
JJl, xrefs: 0781200B
JJl, xrefs: 07812017
4'dq, xrefs: 07811F95
4'dq, xrefs: 07811C92
JJl, xrefs: 07811FA1
84Gl, xrefs: 07811F76
rIl, xrefs: 07811C53

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: $c<k$4'dq$4'dq$4'dq$4'dq$84Gl$84Gl$tPdq$tPdq$JJl$JJl$JJl$JJl$JJl$rIl$rIl
API String ID: 0-2568046780
Opcode ID: cf1f9bc12d6879e13b0beec98f7184d6ca9de2943eb064c9034bdc8a9703e984
Instruction ID: 541098939ad725498257235bcaff47978a11c51166dede1d43f7efb386d7f0b2
Opcode Fuzzy Hash: cf1f9bc12d6879e13b0beec98f7184d6ca9de2943eb064c9034bdc8a9703e984
Instruction Fuzzy Hash: AED138B1F0421E8FCB249F689408A6BFBEAAFA5311F14C57BCA09CB255DB31C945C791

Function 07813928 Relevance: 12.8, Strings: 10, Instructions: 326COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07813B35
?l, xrefs: 07813A0F
$dq, xrefs: 07813960
$dq, xrefs: 0781396C
?l, xrefs: 07813A1D
4'dq, xrefs: 07813B29
tPdq, xrefs: 078139A5
$dq, xrefs: 07813C0E
tPdq, xrefs: 078139B1
$dq, xrefs: 0781393A

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$tPdq$tPdq$$dq$$dq$$dq$$dq$?l$?l
API String ID: 0-748277098
Opcode ID: 5050f297a8cced2ffcae72528175fd28ef273de549d5b54fbd508e0127408c0d
Instruction ID: 9f75f18be969cf78cb98c087ca6f7f00c5e1bb4e775c72f0aeb37b39b11f7563
Opcode Fuzzy Hash: 5050f297a8cced2ffcae72528175fd28ef273de549d5b54fbd508e0127408c0d
Instruction Fuzzy Hash: 68A16BB17043159FC7249E69D801B66BFEAAFE6321F2480ABD909CB791DA31CC41C7A1

Function 07810488 Relevance: 9.2, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

fiq, xrefs: 0781094B
rIl, xrefs: 0781092B
4'dq, xrefs: 078105EC
rIl, xrefs: 07810935
4'dq, xrefs: 07810962
4'dq, xrefs: 078105F6
4'dq, xrefs: 0781096E

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: fiq$4'dq$4'dq$4'dq$4'dq$rIl$rIl
API String ID: 0-3387378350
Opcode ID: c17100bf14671091162d05333c4f13fe9a225bfc82c1046687d070a29d66debf
Instruction ID: 4498fbbc2e1eea95916eda9306f51c50ed2af45a8e11ac61b97a69b220ad20af
Opcode Fuzzy Hash: c17100bf14671091162d05333c4f13fe9a225bfc82c1046687d070a29d66debf
Instruction Fuzzy Hash: 78F127B5B042158FC7149B68D810BAABBA6AFE5325F14C47BD509CB691DB31CCC2C7A2

Function 07813678 Relevance: 8.9, Strings: 7, Instructions: 183COMMON

Download Yara Rule

Strings

$dq, xrefs: 07813836
$dq, xrefs: 078137FF
?l, xrefs: 0781387B
?l, xrefs: 0781386D
4'dq, xrefs: 0781372E
4'dq, xrefs: 07813722
$dq, xrefs: 0781382A

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq$$dq$?l$?l
API String ID: 0-1414792763
Opcode ID: a82248fa7d475643019a1d95876c0a27f909dc1173fbf073ba9601c394c86528
Instruction ID: 4918af5552e58b5f8c33edb06309e7112ae6c2f4534ad52ac9f410f4be49cc07
Opcode Fuzzy Hash: a82248fa7d475643019a1d95876c0a27f909dc1173fbf073ba9601c394c86528
Instruction Fuzzy Hash: 095137F570431A9BCB249F698411766BFAAAFE6321F24847BD409CBE41DB31C881C7A1

Function 03077A21 Relevance: 6.5, Strings: 5, Instructions: 241COMMON

Download Yara Rule

Strings

`eq, xrefs: 03077B23
`eq, xrefs: 03077CC2
tMIl, xrefs: 03077AD4
`eq, xrefs: 03077BA2
`eq, xrefs: 03077C44

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: 5089b96039f5d7cb269533a97d96784e58654014e1300f236f01ce980301573a
Instruction ID: 0e64391b6b66e96771a208c125ee698ab0eda906efea3ebc86032b228b2feb54
Opcode Fuzzy Hash: 5089b96039f5d7cb269533a97d96784e58654014e1300f236f01ce980301573a
Instruction Fuzzy Hash: 9EB1B474E012199FCB45DFA9D980A9EFBF2FF48340F108629E419AB345EB30A945CF90

Function 03077A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`eq, xrefs: 03077B23
`eq, xrefs: 03077CC2
tMIl, xrefs: 03077AD4
`eq, xrefs: 03077BA2
`eq, xrefs: 03077C44

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: 2a4593ca46d4b40d43a05e37a6ab8b89f790658cb914228150e17a9af1c21dcc
Instruction ID: 2d994dafbff8be7a96a721338cfbd2214b44a7f38fa8aa76b1e4b92ff2e91e64
Opcode Fuzzy Hash: 2a4593ca46d4b40d43a05e37a6ab8b89f790658cb914228150e17a9af1c21dcc
Instruction Fuzzy Hash: 27B19574E012199FCB54DFA9D980A9EFBF2FF48350F108629E419AB354EB30A945CF90

Function 03077200 Relevance: 6.5, Strings: 5, Instructions: 207COMMON

Download Yara Rule

Strings

`eq, xrefs: 03077B23
`eq, xrefs: 03077CC2
tMIl, xrefs: 03077AD4
`eq, xrefs: 03077BA2
`eq, xrefs: 03077C44

Memory Dump Source

Source File: 00000009.00000002.1828246446.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3070000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: 53eb5fe824e9989b5f7292580e89d026a54677433c9cc4ae0f442adac135b506
Instruction ID: 29344839d28285f7adb68df1dd1d41289d3064be13083d2313b9473e7fe32bd5
Opcode Fuzzy Hash: 53eb5fe824e9989b5f7292580e89d026a54677433c9cc4ae0f442adac135b506
Instruction Fuzzy Hash: 30A19374E012199FDB54DFA9D990A9DFBF2FF48340F208629E419AB344EB30A945CF90

Function 07815798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$dq, xrefs: 078157F4
$dq, xrefs: 078157C6
$dq, xrefs: 07815800
$dq, xrefs: 078157AA

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 6e85922140562227bc84e1bd9cf6cbec4f7d8763873638f52bc7e342bd16172c
Instruction ID: 7835fec321d369287dddaf73d74d8ff824a013a0bfa4277615dfbf23dd24378b
Opcode Fuzzy Hash: 6e85922140562227bc84e1bd9cf6cbec4f7d8763873638f52bc7e342bd16172c
Instruction Fuzzy Hash: 2A2147B13103169BDB349A2AC801B37BBDF9BE1716F24842AD909CBAC2DD75C9518361

Function 07813907 Relevance: 5.1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

$dq, xrefs: 07813960
$dq, xrefs: 0781396C
tPdq, xrefs: 078139A5
$dq, xrefs: 0781393A

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: tPdq$$dq$$dq$$dq
API String ID: 0-3285816324
Opcode ID: 1154b3a36c817b96b4d22eefc3f96d9febcba34e8ee79460f0ea513e1f4a3978
Instruction ID: 2a75d77b96e506b5a156328c964957123803cc7421dcb680e6c05936d55a642d
Opcode Fuzzy Hash: 1154b3a36c817b96b4d22eefc3f96d9febcba34e8ee79460f0ea513e1f4a3978
Instruction Fuzzy Hash: F52128B26053559FD7158E28D800B66BFB9AF66B20F29419BE808CF7A2C731DC44C7A1

Function 07812107 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

$dq, xrefs: 07812172
JJl, xrefs: 0781214A
JJl, xrefs: 07812156
$dq, xrefs: 07812166

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$JJl$JJl
API String ID: 0-1139017277
Opcode ID: 5d5211c0db1e85944a6294895a8b85b96b245ba31767db526596c9b9331ca291
Instruction ID: 0d475fde0516f777c5e715a073211741c2b3af3d52d1c57013da460e3fa1b233
Opcode Fuzzy Hash: 5d5211c0db1e85944a6294895a8b85b96b245ba31767db526596c9b9331ca291
Instruction Fuzzy Hash: 5B012BF27093514FC72386685C116577FAAAFF3610B2B41ABCA44DF25BCA345C05C352

Function 07810308 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

$dq, xrefs: 07810352
$dq, xrefs: 0781035E
4'dq, xrefs: 0781037F
4'dq, xrefs: 07810373

Memory Dump Source

Source File: 00000009.00000002.1856968433.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq
API String ID: 0-4229963660
Opcode ID: 6a163e704cc90028bf798cc76b83a15689a7ef443e6a6c5a1547e486fd4f4522
Instruction ID: aad0650ab72f4f2f606d10b69f8750dddc9862bda0afc8d012a0ad70269d4b66
Opcode Fuzzy Hash: 6a163e704cc90028bf798cc76b83a15689a7ef443e6a6c5a1547e486fd4f4522
Instruction Fuzzy Hash: 1D0173A17083564FC72B56686C102256FB36FD2710B3941D7C445CF2D7CE254D468353

Analysis Process: powershell.exePID: 916, Parent PID: 7156COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 032BB470 Relevance: .3, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77260ef0a7a02904ee00b39a6fe05a68ac235b819fbaaf7a7b1cb8e4cab3e0e
Instruction ID: 9207753a90fec4f0a39a0c47e90299580cf935272456074d70677d6c474282fe
Opcode Fuzzy Hash: e77260ef0a7a02904ee00b39a6fe05a68ac235b819fbaaf7a7b1cb8e4cab3e0e
Instruction Fuzzy Hash: B2919C74B007285BDB29EFB899106AEBBF2EF84700B008A2DD506AF358DF345D058BD5

Function 032BB490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e270afb25b128838121c7fac2e746af880d430936f5f26e5f8391b30cab5b55b
Instruction ID: 5fe7d2db0c57eccea71e088198b022575cfce6fc0ee95712650f60089b063466
Opcode Fuzzy Hash: e270afb25b128838121c7fac2e746af880d430936f5f26e5f8391b30cab5b55b
Instruction Fuzzy Hash: 32918D74B007299BDB29EFB899116AFB7F2EF84700B008A2DD506AB358DF745D058BD4

Function 07A32308 Relevance: 13.1, Strings: 10, Instructions: 636COMMON

Download Yara Rule

Strings

JJl, xrefs: 07A323D1
JJl, xrefs: 07A3259E
JJl, xrefs: 07A325F6
JJl, xrefs: 07A3237F
4'dq, xrefs: 07A32619
JJl, xrefs: 07A323C5
4'dq, xrefs: 07A3260D
rIl, xrefs: 07A32559
rIl, xrefs: 07A3254F
JJl, xrefs: 07A325EA

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$JJl$JJl$JJl$JJl$JJl$JJl$rIl$rIl
API String ID: 0-426712688
Opcode ID: 518f66dcb4c535594e9d7afae57a751ca8615fb03430ec55bd54f653c6dcefbb
Instruction ID: 6de5e02fd356c374d21af69bf724ef71bd292450c0836933d8e0db22ef73db1a
Opcode Fuzzy Hash: 518f66dcb4c535594e9d7afae57a751ca8615fb03430ec55bd54f653c6dcefbb
Instruction Fuzzy Hash: 982206B1B00216DFDB24DF688441BAABBF1BFC9311F14807AE925CB291DB35D941CBA1

Function 07A33CE8 Relevance: 5.6, Strings: 4, Instructions: 573COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07A34180
4'dq, xrefs: 07A34030
4'dq, xrefs: 07A34026
4'dq, xrefs: 07A3418A

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq
API String ID: 0-2296240322
Opcode ID: 66e6238434e13d71c56848ec02ad2a38a9912614b62be0f875d769c5b8e33982
Instruction ID: a56bc6ef32bbaa8fee559a9f95668ffafca8773562d5fb885bcf7a4f1b463ff0
Opcode Fuzzy Hash: 66e6238434e13d71c56848ec02ad2a38a9912614b62be0f875d769c5b8e33982
Instruction Fuzzy Hash: 591257B1B042528FCB159F68C411B7ABFE2AFCA361F24846AE925CF281DB35D841C791

Function 07A317B8 Relevance: 2.8, Strings: 2, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?l, xrefs: 07A3193A
?l, xrefs: 07A3192C

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: ?l$?l
API String ID: 0-322553749
Opcode ID: 7c7aea93f6f94756be7a5020d33d474d4a0759479dda12231d0d687707d71f76
Instruction ID: c36a2e4b236061980b71c9e5533dd4726ede0c6c03536942ba7326e0a53051d0
Opcode Fuzzy Hash: 7c7aea93f6f94756be7a5020d33d474d4a0759479dda12231d0d687707d71f76
Instruction Fuzzy Hash: 16B103B1B00619DFCB14DF69C4017AABBE6AFC9312F18C07AE929CB251DB31D945C7A1

Function 08BA6821 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFD80864), ref: 08BA688A

Memory Dump Source

Source File: 0000000C.00000002.1932899453.0000000008BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8ba0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 4309d13d48c001775bdb2d20b9195874c9e6ba6757aad2ccb4ed26af31da1717
Instruction ID: c0873fcd3773af5922493967d58535250b10cf58139c220070b5c0be1f764381
Opcode Fuzzy Hash: 4309d13d48c001775bdb2d20b9195874c9e6ba6757aad2ccb4ed26af31da1717
Instruction Fuzzy Hash: A31125B19003088FCB10DF9AC889B9EFFF8EB89324F24845AD559A7350D774A944CFA4

Function 08BA6828 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFD80864), ref: 08BA688A

Memory Dump Source

Source File: 0000000C.00000002.1932899453.0000000008BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8ba0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 45acae5bd4c13a9857028a15d8b70ac7f21a1d4e080089d128fbe73ac0338820
Instruction ID: 57a47736910777818eaccf32e34fb74f9cc8b3eeffcc6580a5d53e62de01a86e
Opcode Fuzzy Hash: 45acae5bd4c13a9857028a15d8b70ac7f21a1d4e080089d128fbe73ac0338820
Instruction Fuzzy Hash: 821133B19003088FCB10DF9AC884B9EFFF8EB88324F24845AD459A7310D774A944CFA4

Function 032B6FC8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(hq, xrefs: 032B70ED

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: cee81644cb611d26bc5aec88ab6466d43fc9c6d72dc3ecc327c36a85637252e2
Instruction ID: 08acaa65801898a2faf86a0c1405ea843f6a0b9e0796c5aab7194cd14b79e13e
Opcode Fuzzy Hash: cee81644cb611d26bc5aec88ab6466d43fc9c6d72dc3ecc327c36a85637252e2
Instruction Fuzzy Hash: 6B413834B142058FDB04DF68C468AAEBBF2EFCD311F189499E506AB391DA35DD41CB60

Function 032BAF98 Relevance: 1.3, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&dq, xrefs: 032BAFBA

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID: (&dq
API String ID: 0-1586597270
Opcode ID: 3df5bd5eafc1fd53d33169bab526395e5734be72a1b7dbd589c1943ce4ad8bf6
Instruction ID: 19afef1932d80a301058eddf3e4113e4116af8d821be5b2d5730ae3af3b7d23c
Opcode Fuzzy Hash: 3df5bd5eafc1fd53d33169bab526395e5734be72a1b7dbd589c1943ce4ad8bf6
Instruction Fuzzy Hash: 1821DE71A042588FCB14DBAED404AAEBFF6EF88320F14846AD409A7340CA7999448BA5

Function 032B29F0 Relevance: .2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489978d7e5f4e647ce4c634a2b59b9108a5d1fb7595ff4626e75389978831d02
Instruction ID: 6033940fd78bb7fa0e9ae73ca117b559b23e1e7872efc67dca1da787b93d0674
Opcode Fuzzy Hash: 489978d7e5f4e647ce4c634a2b59b9108a5d1fb7595ff4626e75389978831d02
Instruction Fuzzy Hash: B5916C74A00609CFCB15CF9CC494AAEFBB5FF48310B298599D915AB3A5C735EC91CBA0

Function 032B7728 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6139725eae3b989b74587ab61026ab648742931818d508ff6d949eca7c01e174
Instruction ID: 470f4f5ac991b2f76e9705903b71b152df219b891d6175ba05c663f95ea880bb
Opcode Fuzzy Hash: 6139725eae3b989b74587ab61026ab648742931818d508ff6d949eca7c01e174
Instruction Fuzzy Hash: 3451DD343242059FD704CB78D844AAABBFAFFC9354B1988A9D509CB352EB71DC41CBA0

Function 032BBAC0 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16203fdde6f3d3cd262ebf5d55b8fae4fd8aed11370bb1667f0b09a03813f855
Instruction ID: f2bd626897553beb4a03f90676fbf86d33ee583b8b5f043bea408559d2b3c180
Opcode Fuzzy Hash: 16203fdde6f3d3cd262ebf5d55b8fae4fd8aed11370bb1667f0b09a03813f855
Instruction Fuzzy Hash: 58610571E102499FDB14DFA9D584ADDFBF1FF88310F19812AE809AB254EB749C85CB60

Function 032BBAB0 Relevance: .2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dd101661aeb3fb9c7c6e35512547c33ae1127f7e2e1ff79a325a952fb9b23a
Instruction ID: 5b334df4029d6cca199f9fc6f4d5c9d3f759b1445330a5aadfa8cd72de6fd2d7
Opcode Fuzzy Hash: b2dd101661aeb3fb9c7c6e35512547c33ae1127f7e2e1ff79a325a952fb9b23a
Instruction Fuzzy Hash: A5511771E102499FDB14DFA9D484ACDFBF1FF88310F15806AE809AB365EB749885CB60

Function 07A33CCC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10a409bf1fab90b7373dd0f3573b61d4480a40d5d08fb08efc9879316229e13
Instruction ID: df00cd0b597631ef865c3ad5ac43ec3fbc8714785a951feb2cb80ba2e3598d05
Opcode Fuzzy Hash: b10a409bf1fab90b7373dd0f3573b61d4480a40d5d08fb08efc9879316229e13
Instruction Fuzzy Hash: 494104F1A09202DFCF218F28C501A6ABFB2AFC1690F548995F921DF291D735ED85C7A1

Function 032B2B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f78010e3fa1089a914e5500633635178ffa5e5869d169f3753ee10db5d26372
Instruction ID: 726ce813d3a6e1f3f11c400685b225a6931756fcab730a289eeaf43711fc3026
Opcode Fuzzy Hash: 8f78010e3fa1089a914e5500633635178ffa5e5869d169f3753ee10db5d26372
Instruction Fuzzy Hash: 7B4147B4A10609CFCB05CF48C498AEEFBB5FF48310B158599C815AB365C736EC91CBA0

Function 032B6FA0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ce27678c6787cfdabb89635e09a5fac5e6d67f59a057f4a12706b55c559bdf
Instruction ID: e56ea8aacc78203baaee6aeea5b7bbea4ecb5c3be8822c39c5b9154abc53d633
Opcode Fuzzy Hash: 68ce27678c6787cfdabb89635e09a5fac5e6d67f59a057f4a12706b55c559bdf
Instruction Fuzzy Hash: D5414F34A142458FCB05CF68C568AEABBF1EF8E314F1894AAD845EB361DB75DC41CB50

Function 032BC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e295eae8cc86a41d7dafd9a0e8c8a26697941acefe1ee644d6f5fe3745142e7a
Instruction ID: 74a7a928d70305bfa0abd46a1b575892dffb79ab50d8d83b5598a497df3fb8b9
Opcode Fuzzy Hash: e295eae8cc86a41d7dafd9a0e8c8a26697941acefe1ee644d6f5fe3745142e7a
Instruction Fuzzy Hash: BD31B0353107219FD714DB78E840B9AB7E6EFD4352F048639E60ACB351DFB0A8858BA0

Function 032BAE60 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5220d4e27a4709e873f3826e5bc1840d8d55bf19f3b2a8e026ed2415c6a077
Instruction ID: 6a5d37c372795e402bac3c0038a3cd886eea890ed80ae3f679fe041a96feca8e
Opcode Fuzzy Hash: ce5220d4e27a4709e873f3826e5bc1840d8d55bf19f3b2a8e026ed2415c6a077
Instruction Fuzzy Hash: BA316A70E102099FDB19DF69D494AEEBAF6EF88340F158069E505EB350EB749C818BA1

Function 032BAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5a543ee14e23e5ccc71fab4fe46a3aee533cbd28fc998d0d899ae37ef81321
Instruction ID: df429dfb1938834b906c0ada4b0f562a59302fb64f24d5596e02a260102d7c8e
Opcode Fuzzy Hash: 3a5a543ee14e23e5ccc71fab4fe46a3aee533cbd28fc998d0d899ae37ef81321
Instruction Fuzzy Hash: C6317C74E102099FCB15DF6DC4947EEBAF6EF88340F158069E505EB350EB748C818BA0

Function 032BAD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00f414f27a6f4e1c36c849c7fe45ea5bb7a670077b9a4f918e3f13ec17124c5
Instruction ID: e538f85e0e07951cd1a16c70d75ba29a7248b3717ea41ef896faf2c940b7af45
Opcode Fuzzy Hash: c00f414f27a6f4e1c36c849c7fe45ea5bb7a670077b9a4f918e3f13ec17124c5
Instruction Fuzzy Hash: 423172B8A103099FDB04EFA4D854AEE7BB2EFC4300F118469D611AF395DA789D418B50

Function 032BAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a114d5f3a7d5a752c97e8d7f44f40e4b2d176008757feb0ccaf4278ef98cd64
Instruction ID: 84bd8dd211ba727c5328ad51589f04d9f106944c3c4dd1bce2fd1f59ed3e5090
Opcode Fuzzy Hash: 8a114d5f3a7d5a752c97e8d7f44f40e4b2d176008757feb0ccaf4278ef98cd64
Instruction Fuzzy Hash: 483110B8A102099FDB04DFA4D455BEEB7B2EFC4300F118469D615AF394DA759D418F90

Function 0324F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888416223.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d908c1e047c5ac8c2587af0b3a2ecc78021594970fbe2f0adcca35fbc0eaf2a
Instruction ID: 5c4af9cd934755ecc6d3e0a472ebf45d03453d79b5087afc375804454cd28963
Opcode Fuzzy Hash: 0d908c1e047c5ac8c2587af0b3a2ecc78021594970fbe2f0adcca35fbc0eaf2a
Instruction Fuzzy Hash: 5421F775618301EFCB09DF14EAC4B16BFA5FBC8314F24C5ADEA090A256C736D496CBA1

Function 032B93F0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a685fa67c6b825827c41603d88383274ac9903ba95a5e23e39282cbb3c06217
Instruction ID: e5b16c3dc322bd20c7d78d4c6d5728238d227122a309958af85430ba569da917
Opcode Fuzzy Hash: 3a685fa67c6b825827c41603d88383274ac9903ba95a5e23e39282cbb3c06217
Instruction Fuzzy Hash: 4E31ACB09117848EDB60DF6AD0883CAFFF6EB89320F28C46DC94D9B205D774A485CB61

Function 0324F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888416223.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7cbc1ecb00c77531a5832574deb9b46e41948e7c220b4dce0abb8f1f5680180
Instruction ID: 24b540ea115d16aa2eb24b1efbb9089d58b60fc0024362818cab224dcb01ee2b
Opcode Fuzzy Hash: a7cbc1ecb00c77531a5832574deb9b46e41948e7c220b4dce0abb8f1f5680180
Instruction Fuzzy Hash: E3210775614240EFCB18DF14DAC4B16BBA5FBC4324F24C9ADD90A4B34AC376D486CB61

Function 032B9400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a647120f463ec4cd98356eb3a5cd766afa400a598e4521b1bb2ead6306c5cce0
Instruction ID: d9322dc53677b8090a8b6edd29d2bacd130f9a71b515fd19ffcb997fe3c45345
Opcode Fuzzy Hash: a647120f463ec4cd98356eb3a5cd766afa400a598e4521b1bb2ead6306c5cce0
Instruction Fuzzy Hash: 0F2177B0A117448EDB60CF6AC4883CAFBF6EB88320F28C45EDA4D97245C7B464C5CB61

Function 032B7664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536e938c1b4c73beb0fb727957ef2170de3418fd1222566ba2dbedd16ed8ea5f
Instruction ID: f9c938ba516f0b5bdb740b5af112abf98e47fc6d4c3f1b645f08c316716e32a1
Opcode Fuzzy Hash: 536e938c1b4c73beb0fb727957ef2170de3418fd1222566ba2dbedd16ed8ea5f
Instruction Fuzzy Hash: 6A1107797102298FCB04DBACD8409ED77F6EBCC256B0540A5E609DB350DB24DD558B90

Function 0324F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888416223.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction ID: ff07b8c9292e4baf95af2b24254793c25e2f608b0d64c26e96ee8e8231dcc5ec
Opcode Fuzzy Hash: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction Fuzzy Hash: 23219D76504241EFCF0ACF10DAC4B16BF72FB88314F28C5A9DD494A656C73AD4AACB91

Function 0324F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888416223.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction ID: bc106f0960d816c064e387d76d7a8a8b6bc2d5bdbaf9d30864339d66e7d64dad
Opcode Fuzzy Hash: 68800c76144ede0aa7da6335da1dd53af556f69f25deb7cd9fee3e0448842dc9
Instruction Fuzzy Hash: AE118E75504280DFDB15CF14D6C4B15BF61FB84224F28C6A9D84A4B656C33AD44ACB61

Function 032B79AA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ec3835e8823d52437f989830ae51b4d2134d68b684f4c156aeccc96f3a0faa
Instruction ID: b63a575ae221a752cec80330b5c58b61a340a71403b5e031ee77fd122f845284
Opcode Fuzzy Hash: a0ec3835e8823d52437f989830ae51b4d2134d68b684f4c156aeccc96f3a0faa
Instruction Fuzzy Hash: 2A0124353047008FDB54CB78A840AAF7BF5EFCA32171019AEE44ADB602DA7298428750

Function 032BBCE0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63291dd9356559a33cccc05f653bc83721e725bcead0e4953bce7429c68828a5
Instruction ID: 172674c0f28fe3b9f9514ce7a18a94c8dff8e6874ab049d9c695eb306e42bf83
Opcode Fuzzy Hash: 63291dd9356559a33cccc05f653bc83721e725bcead0e4953bce7429c68828a5
Instruction Fuzzy Hash: 7701D6316083449FD719DB39D494A997FF5EF45350F1488EED08ACB6A2DA34EC84C701

Function 032BDC98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3797eaebf778df466e5f0b8824b4b759df745cf9cb3e8a115fa46bde99383cb
Instruction ID: a850ac3ba628be0ba34a4c142a1d44b559403e2ef3a60f4134bc2d7e6ac94947
Opcode Fuzzy Hash: a3797eaebf778df466e5f0b8824b4b759df745cf9cb3e8a115fa46bde99383cb
Instruction Fuzzy Hash: 80110535204750CFC728DF79D08186ABBF6EF8921532489ADD48A8B7A0DB36F942CB50

Function 0324D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888416223.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facb8a273e3458aab5181532562d7a9accd6c2ab7ac72fe658d3352231a0dff2
Instruction ID: c8d604a3c19f8130b3b2d08ceadcb36427b4765441199f91a313aaedd2db7939
Opcode Fuzzy Hash: facb8a273e3458aab5181532562d7a9accd6c2ab7ac72fe658d3352231a0dff2
Instruction Fuzzy Hash: BA014C6244D3C09FD7168B258C94752BFA8DF53224F1985DBE8888F1A7C2695C85C772

Function 0324D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888416223.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2118ac1f734be51479807bae00607da6d659fbe4ca41cb1e4135ca513960ef77
Instruction ID: 9bb32db0db8d0b25be7fb55e222f2e2e439388575b6f31e91cc8829f284e6013
Opcode Fuzzy Hash: 2118ac1f734be51479807bae00607da6d659fbe4ca41cb1e4135ca513960ef77
Instruction Fuzzy Hash: 7E01FD71019340AAE724CA29CC84B66FFD8DF51325F0CC95AEC490B283C6B99882CBB1

Function 032BBF10 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609fdfd100779da078cc8ed8216aaa86379dbc1286ad4b11745ef6d209305da5
Instruction ID: 9d245306c229b107cb07c59465963277f7f1af4a257e84b0e96f10017830d2e6
Opcode Fuzzy Hash: 609fdfd100779da078cc8ed8216aaa86379dbc1286ad4b11745ef6d209305da5
Instruction Fuzzy Hash: 8A01D1313093D51FD712CABA98949BBBFE9DB8A62070945BFF884C7252C5A0C804CB60

Function 032B7940 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee28e3db4ed16f9fb012d12453ca4dc13939084d1a4bcde60661ecf26a7888c0
Instruction ID: 111aeddac632231426de105aece696790ab0801761e6c10f8ff0e171b653e49b
Opcode Fuzzy Hash: ee28e3db4ed16f9fb012d12453ca4dc13939084d1a4bcde60661ecf26a7888c0
Instruction Fuzzy Hash: B1F046342057008FC715DBA8E8409AF7BF8EFCA22170009AFE189CB752EE755C828360

Function 0324D8D3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888416223.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1968d4511d4a5d881136fb8f69f2c2abb5489c78d15baa11c1baa5d43e16525f
Instruction ID: 185d4962e398c29482873608ffe87eda91a6dd4fb1eb4b5b2fe0214938dd6772
Opcode Fuzzy Hash: 1968d4511d4a5d881136fb8f69f2c2abb5489c78d15baa11c1baa5d43e16525f
Instruction Fuzzy Hash: 07F0FF76210600AF9714CF0AD984C27FBEDEFD4770319C55AEC4A4B722C671EC42CAA0

Function 032B90D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e2a3bc4bd77d822ad20d1591f3622c5c84e05612e9e0b411da1043b20d41ee
Instruction ID: 041eaa65092e9c5de104d0e145f0320804714af8d0d986b43537785a806658fd
Opcode Fuzzy Hash: d4e2a3bc4bd77d822ad20d1591f3622c5c84e05612e9e0b411da1043b20d41ee
Instruction Fuzzy Hash: 04F046396083405FD301EF28D0193DBBFB5DBC6314F01809AC9098B386CE396846CBE1

Function 032BDEC1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec2f856e5793a135dd7417cb7f003dc1b1b4fd0765e1a86db6c9bfe98b05f86
Instruction ID: 3d646c4fea161f8abf8ab50c67c7395b558a937acad25a447a41104abe8d9261
Opcode Fuzzy Hash: 1ec2f856e5793a135dd7417cb7f003dc1b1b4fd0765e1a86db6c9bfe98b05f86
Instruction Fuzzy Hash: 64F03A353156919FC3118F2DD4A48A5BFB6AFCA61131904AAE485CF762CA25DC01C790

Function 0324D8C4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888416223.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_324d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec5f32ff56a1e1549b3880c6b0934ca619f12f0ee982fe184c361cd3d03c498
Instruction ID: a77a3d75d33bd4a551217cedea2ba25881ab9035ee93cc098c5421bf44e71bab
Opcode Fuzzy Hash: 3ec5f32ff56a1e1549b3880c6b0934ca619f12f0ee982fe184c361cd3d03c498
Instruction Fuzzy Hash: 7DF0F975110640AFD725CF06CD84D23BBB9EBD5720B198599A88A4B322C671FC42CBA0

Function 032B7950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2742c8dae570470a41da259a3b3fc97a303786f6588f2f4085123a10c5bc68
Instruction ID: 28ae1da0bfdaa79fdb9e4e8b712ac055ba393862b7c85dce3cd5eb734dbcd072
Opcode Fuzzy Hash: 6a2742c8dae570470a41da259a3b3fc97a303786f6588f2f4085123a10c5bc68
Instruction Fuzzy Hash: E0F027353007149FCB14D659E840A6FB7E9EBC9261B00192CE20ED7700DF71AC4287A0

Function 032B9158 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc2469d5629666c0976d022d4e8c2400eea7a9aab77f3bd54001c01038218a2
Instruction ID: a339c690be081714533049632ebb783e6a73b3911ccc2da082723f91f497748e
Opcode Fuzzy Hash: dbc2469d5629666c0976d022d4e8c2400eea7a9aab77f3bd54001c01038218a2
Instruction Fuzzy Hash: 4AF05E705093544BD762DBB8E4AC39ABFF5EB46310F4544AED64ECB282CB396884C7A0

Function 032B90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5f8c4da98a9f64038aca6817af4e339bf77be9bcf6694a5b0e5b025a88567a
Instruction ID: cbcee9475cc383abfba1167a9f277868e8c1b6036bc76870a7de33076a887456
Opcode Fuzzy Hash: 2a5f8c4da98a9f64038aca6817af4e339bf77be9bcf6694a5b0e5b025a88567a
Instruction Fuzzy Hash: 1FF027396142045BD304EF64D0183DBB7A6DBC5714F10812AC9094B389CE796845C7E0

Function 032B767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dce72020a9a8fc266f239045c9282f41dca3c131ecb2493e057c52749807ffa
Instruction ID: 55e055eb5c9d004a73d735b13b0b6fe7fa5e120147ba2dc5f4bf8fde0a03656e
Opcode Fuzzy Hash: 2dce72020a9a8fc266f239045c9282f41dca3c131ecb2493e057c52749807ffa
Instruction Fuzzy Hash: B9F0A0393102198FCB00DBAD98406A977F6EFCD79670A4199E609CB350DF24DC828B90

Function 032BDED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858699701efee35a9f10010d893362702f265f48e71d44a835732b21da5d923a
Instruction ID: 0831e57b4851480e732e5fe60f23710823b97594388de52fd88ffad3ac2f5ed5
Opcode Fuzzy Hash: 858699701efee35a9f10010d893362702f265f48e71d44a835732b21da5d923a
Instruction Fuzzy Hash: 65E065353102118FC300DF1ED498CAABBFAEFCE76132900AAE549CF320CA61EC018B90

Function 032BDD0F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de66744dc453de19b1072fb2797c62fc87b93ee1810df38af4c7afb96f6a21e
Instruction ID: 0d7d361b745dd3604704a14f599ba8f2ffe6e50c6ee1fd63fe5e89f9adf38953
Opcode Fuzzy Hash: 5de66744dc453de19b1072fb2797c62fc87b93ee1810df38af4c7afb96f6a21e
Instruction Fuzzy Hash: AAE0E5352057905BC323962CA8258DE7FBADFC667130545AEE449CBA42CA54884687A2

Function 032B8972 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c826f29ffecced174dd23252b76ea8d70a45145f6c256eedc75f4fb014b45ba
Instruction ID: bc0690e982def9ffb62930f19e9015f40f51221c33f11821c539cfced61d4bdf
Opcode Fuzzy Hash: 3c826f29ffecced174dd23252b76ea8d70a45145f6c256eedc75f4fb014b45ba
Instruction Fuzzy Hash: 33E0D83571431467CB0A6B75E41C2EE7A66EFC4766F05402EE70A87341CF795C4283D5

Function 032BDD60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c78378c5618600be3c380ee9cedc7ad6db556f8133082a7c2f3ceb1a102dec
Instruction ID: 724f614fe6915ed67a5ad836d614057d40d10e6539aa8b0b0ce03fdd92bc22b6
Opcode Fuzzy Hash: a4c78378c5618600be3c380ee9cedc7ad6db556f8133082a7c2f3ceb1a102dec
Instruction Fuzzy Hash: A2E02B31A155C097C71AC76CD4E04E8FF75DBCC320F0488BED84A97B51CA325416C691

Function 032B9168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740b87ac1c9514d98f28055dfc3be8c3b25088b09c46bd17b8a82acf3220fac4
Instruction ID: 49244bd3509a3f91d7d2d5647329b6b88ee10d6c7a62fd9097925e34ff0bdde3
Opcode Fuzzy Hash: 740b87ac1c9514d98f28055dfc3be8c3b25088b09c46bd17b8a82acf3220fac4
Instruction Fuzzy Hash: 6FF06D749003044BD364DB78E49C39A7BE9EB44311F00446DE20EC7340DB3968808B90

Function 032B9549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2ec8ad822bdcf48dc8af4cc22a66708cf63e089e752847075a822c1f05b795
Instruction ID: e25701019d3925695cea4c46a0bd316e477a81ee0a20099a8ca91502879cad5a
Opcode Fuzzy Hash: fd2ec8ad822bdcf48dc8af4cc22a66708cf63e089e752847075a822c1f05b795
Instruction Fuzzy Hash: D6E0C21676129227C954B5BA58402FAA1EE8AC22D1B0A0036DA08CB200ED90DC8143F0

Function 032BAF88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf57ba2549f1f1226d605d93bafd0c09a43c9fb0470e64fbcab01eec5ec072e
Instruction ID: f7ae68cfe527245131086cc685370cc784b0058135cfe7292e6135bd5f83b3a8
Opcode Fuzzy Hash: 8bf57ba2549f1f1226d605d93bafd0c09a43c9fb0470e64fbcab01eec5ec072e
Instruction Fuzzy Hash: 1BE0862531D3D11B8B16953E9420595BFBA8BCB56034EC0FAE448CB202CC56CC4683E2

Function 032B8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5316a27ce5b7796698a73cce544bc3e969e700284bd15d6911e4de0ed939f3b5
Instruction ID: 5346ad7bbff529de8e7b3a76502bacdd22876c56da2caddef9b20713fa063fe0
Opcode Fuzzy Hash: 5316a27ce5b7796698a73cce544bc3e969e700284bd15d6911e4de0ed939f3b5
Instruction Fuzzy Hash: A1E0263930431467CB0E7775A42C2EE7A9AEBC476AF05002ED70A87341CFB85C4283D9

Function 032B9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae3f42bf6ea6aacca0544d953725795f7022dd7c9cc2dda5ea441bc22d8a6ed
Instruction ID: 533670aa4237b9979ebed1149a22cc3bad03c1edc53dc67b4889e57a956b7a7b
Opcode Fuzzy Hash: 9ae3f42bf6ea6aacca0544d953725795f7022dd7c9cc2dda5ea441bc22d8a6ed
Instruction Fuzzy Hash: B1D05E267612A217C968E5BA58407FBA1EE8AC66E1B0A0036DE0DCB241ED84DC8143F1

Function 032BDD20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5421cb2b713cbc5afd2dc6ff7b28460bf3b4fd614f8575239776865a08a50b45
Instruction ID: d0779c0b69ab1bc82a267f4b71969e3e4ae84973f55b935a3fe80111afb71336
Opcode Fuzzy Hash: 5421cb2b713cbc5afd2dc6ff7b28460bf3b4fd614f8575239776865a08a50b45
Instruction Fuzzy Hash: 43E08C363006194B8226AA2EA8108DF76EADFC96B2314892EE04987340DE64988647A5

Function 032BDD70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 49ecd9d82d19b7fcd314ca725e1c3e856e92da6d753d8e4a3b7e65ca3508b928
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: C4E08631B1001497CB08DA99D4504D9F7B5DBCC360F04847ED90AA7340DA72695686D1

Function 032B8739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f0b83e9f65483a7df1e15ff345fc15d4adc392ca8f6ad01b1abafb955d4cd1
Instruction ID: d484801cfd2d3f46277547bdbf5f4373e19384ec904262bb202d5b70471d9f75
Opcode Fuzzy Hash: d7f0b83e9f65483a7df1e15ff345fc15d4adc392ca8f6ad01b1abafb955d4cd1
Instruction Fuzzy Hash: A8E08635D151498BCB19EFA4EC6A4EDBF34EB15302B41009CD96752682DA71594BCBC0

Function 032BF460 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842beb22ba23e4cd41b8394174e1cc848d5f71e2eb7e3fe0f6a4c841d48cc023
Instruction ID: d0b4801d8deef644eb27fe83ea838ff4f1a40b3cca2944d679d721a5108f646e
Opcode Fuzzy Hash: 842beb22ba23e4cd41b8394174e1cc848d5f71e2eb7e3fe0f6a4c841d48cc023
Instruction Fuzzy Hash: 1FE01A70D0414A9FDB80DFB889421AEFFF0AF1A300B6085AEC958DB201E7724652CB91

Function 032B8800 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4200e4a9c23d315dd327ee700b58d4c5aa281d26149821cf0c96cd63bee9e87
Instruction ID: 1f90792c9af3989f8718a0f2b176a7b436530c3bc44c32e0577215b87024d145
Opcode Fuzzy Hash: c4200e4a9c23d315dd327ee700b58d4c5aa281d26149821cf0c96cd63bee9e87
Instruction Fuzzy Hash: E7E04F30908389AFC716EFA8D55A46ABFB5E789301F0145AEE94997752EA302851CBC1

Function 032BF470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 784b229c33c9fa748873520c256ccee394f60e0ecc68fca5c7b5007ed23c410c
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: E0D06270D142099F8784DFADC94156EFBF4EB48200F5085AA8919D7301F7715652CBD1

Function 032B8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde06fd400bc28c44a6f25a6ccacee64af68f5ed37bb25c83257a046dd5a0d9a
Instruction ID: 21799420da24a9f168d06ecf46e089dadd85dfbf62aed9f481c3e9ef618e1236
Opcode Fuzzy Hash: dde06fd400bc28c44a6f25a6ccacee64af68f5ed37bb25c83257a046dd5a0d9a
Instruction Fuzzy Hash: 6ED017348141098BCB18EBA4E82B4BDBB34FA00302F4101ADD91762292EA311A4ACAC0

Function 032B791A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4c55da4f9320bbc8266c70a2c6de3f0d4cec470c5df727b1be5cea1340224e
Instruction ID: ee4c4d13ae42c3cba8c957f9abe604051b6fccdc1637ecb43d939883f8b36af5
Opcode Fuzzy Hash: 1f4c55da4f9320bbc8266c70a2c6de3f0d4cec470c5df727b1be5cea1340224e
Instruction Fuzzy Hash: 69D05E380497848FC7029B7890644853F70EF8270430108DED88A8F5B7D6B68446DB00

Function 032B8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604014a022065c31f823ded8bc225b0b52e73dd75a115bad79b12e917dc736b4
Instruction ID: d574533eec51ea79510c4298df09fbb3f644537b13d64b6b2ceefd57c4bf2040
Opcode Fuzzy Hash: 604014a022065c31f823ded8bc225b0b52e73dd75a115bad79b12e917dc736b4
Instruction Fuzzy Hash: 60D01734A1820A9FCB18EFA4E85686EBFB4EB88301F004169DA4993340EA306841CBC1

Function 032B7E90 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cb04d1a01810a9849b6e70db447b480e8a5e2f3ca010e52b2a4871ae8b6acd
Instruction ID: 8a9f3a9a0a40fc3b8e08dfd830308a430bc7faf52c0641537b9dd6dff678c643
Opcode Fuzzy Hash: 04cb04d1a01810a9849b6e70db447b480e8a5e2f3ca010e52b2a4871ae8b6acd
Instruction Fuzzy Hash: F6C08C00408B814EEF0287344C350427FB0DF87B0030699D3C982CB6B6D9298801D381

Function 032B7928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5cdb083bfcdc304bec4d46083d79848ba37c8cdc90a890bb3502213a84705f
Instruction ID: 29bc4d1aa9e7d12fad7c534fdb4b7180a66e7d98be16298f27226d3ec2404921
Opcode Fuzzy Hash: 7a5cdb083bfcdc304bec4d46083d79848ba37c8cdc90a890bb3502213a84705f
Instruction Fuzzy Hash: 1BB092340447088FC698AFB9A4048147329AB8021538018A9EE0E4A6A78E3BE885CA44

Non-executed Functions

Function 07A31BE0 Relevance: 20.4, Strings: 16, Instructions: 395COMMON

Download Yara Rule

Strings

JJl, xrefs: 07A320CE
tPdq, xrefs: 07A31FDF
JJl, xrefs: 07A320C2
4'dq, xrefs: 07A31F89
$c<k, xrefs: 07A320B4
84Gl, xrefs: 07A31F6C
4'dq, xrefs: 07A31C92
4'dq, xrefs: 07A31F95
tPdq, xrefs: 07A31FEB
rIl, xrefs: 07A31C5D
84Gl, xrefs: 07A31F76
4'dq, xrefs: 07A31C86
rIl, xrefs: 07A31C53
JJl, xrefs: 07A32017
JJl, xrefs: 07A31FA1
JJl, xrefs: 07A3200B

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: $c<k$4'dq$4'dq$4'dq$4'dq$84Gl$84Gl$tPdq$tPdq$JJl$JJl$JJl$JJl$JJl$rIl$rIl
API String ID: 0-2568046780
Opcode ID: 1045f6250b30afca7ec0cdcb9c80f2aefcce40a3f1a946b0805e93731d781466
Instruction ID: e182696c8f3af88fd997709aa0d3969648385ea16bb802244c09cf127d2eac85
Opcode Fuzzy Hash: 1045f6250b30afca7ec0cdcb9c80f2aefcce40a3f1a946b0805e93731d781466
Instruction Fuzzy Hash: 61D106B1B0461ACFCB259F68D40076AFBF2AFC6311F24806BE9298B255DB31CD46C791

Function 07A33928 Relevance: 12.8, Strings: 10, Instructions: 314COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07A33B35
tPdq, xrefs: 07A339B1
$dq, xrefs: 07A33960
?l, xrefs: 07A33A1D
4'dq, xrefs: 07A33B29
?l, xrefs: 07A33A0F
$dq, xrefs: 07A33C0E
$dq, xrefs: 07A3396C
tPdq, xrefs: 07A339A5
$dq, xrefs: 07A3393A

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$tPdq$tPdq$$dq$$dq$$dq$$dq$?l$?l
API String ID: 0-748277098
Opcode ID: 32621ff75fe157d9d0593f476673df5a3ff05358c6fdf4a507c38484fd65287e
Instruction ID: 737babf73325baee7dc82a74fa6ccd0b893d4460ca264b838d1ea9d8b746d053
Opcode Fuzzy Hash: 32621ff75fe157d9d0593f476673df5a3ff05358c6fdf4a507c38484fd65287e
Instruction Fuzzy Hash: E7A16AB17083559FCF209F69C811B66BBB2AFC5311F2480AAF969CB291DA31C845C7A1

Function 032BEBB8 Relevance: 10.2, Strings: 8, Instructions: 180COMMON

Download Yara Rule

Strings

$dq, xrefs: 032BED55
$dq, xrefs: 032BED07
$dq, xrefs: 032BED21
$dq, xrefs: 032BED6F
0oGp, xrefs: 032BED47
$dq, xrefs: 032BECB0
,hq, xrefs: 032BEC0D
$dq, xrefs: 032BED3B

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID: ,hq$0oGp$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-1797346928
Opcode ID: a125b38246fdf191490de5ec4a37cf2a117b75ed669529a41be733c259c22a24
Instruction ID: f2eebae3ecc67324c1a991b275f8743900d2c6a72aeac22ca3b47d0e23a7e8a5
Opcode Fuzzy Hash: a125b38246fdf191490de5ec4a37cf2a117b75ed669529a41be733c259c22a24
Instruction Fuzzy Hash: F55182703255128FC729EB79A4559ED7BFEAF897D131704AAD016CB3A2DE90CC8087D2

Function 032BEDE8 Relevance: 9.2, Strings: 7, Instructions: 452COMMON

Download Yara Rule

Strings

0oGp, xrefs: 032BF237
`Qdq, xrefs: 032BF2FC
$dq, xrefs: 032BF326
$dq, xrefs: 032BF16C
$dq, xrefs: 032BF110
0oGp, xrefs: 032BF205
0oGp, xrefs: 032BF243

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID: 0oGp$0oGp$0oGp$`Qdq$$dq$$dq$$dq
API String ID: 0-266769715
Opcode ID: 38d894419353e79532a696fce78cbead667581cccd6e0fe916b72dfc3cec2f83
Instruction ID: 2aa2c7a38163d1e640acf4230fadc076516c373c8b5e717fbb426de3806122a4
Opcode Fuzzy Hash: 38d894419353e79532a696fce78cbead667581cccd6e0fe916b72dfc3cec2f83
Instruction Fuzzy Hash: 51E129307302114FDB14DB7D98106AEB7EA9FC9B90B2A44AAD905DF3A1EE70CC8183D1

Function 07A33678 Relevance: 8.9, Strings: 7, Instructions: 187COMMON

Download Yara Rule

Strings

?l, xrefs: 07A3387B
$dq, xrefs: 07A3382A
4'dq, xrefs: 07A3372E
$dq, xrefs: 07A33836
$dq, xrefs: 07A337FF
4'dq, xrefs: 07A33722
?l, xrefs: 07A3386D

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq$$dq$?l$?l
API String ID: 0-1414792763
Opcode ID: 69ae43db3afa676c0051126e4f185baa6de6487c16d5eea59b3d9818e680744b
Instruction ID: fd2af6119722eb1e2f867104facd3664ce94a43d2cf4d417f393a759a87da386
Opcode Fuzzy Hash: 69ae43db3afa676c0051126e4f185baa6de6487c16d5eea59b3d9818e680744b
Instruction Fuzzy Hash: A55126F57083169FCF249F698811777BBB2ABC6363F24806AE525CB251DB31C881CB91

Function 032B7A09 Relevance: 6.5, Strings: 5, Instructions: 243COMMON

Download Yara Rule

Strings

`eq, xrefs: 032B7B0B
`eq, xrefs: 032B7C2C
`eq, xrefs: 032B7B8A
tMIl, xrefs: 032B7ABC
`eq, xrefs: 032B7CAA

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: b04e5020f324b86ddee711a7f5b7cf0c058747f5336a578ddd742165944ca264
Instruction ID: ee00d4fbce706ac0c9174ca57cf5986106c8225004d8bcba1810cae3d02796ef
Opcode Fuzzy Hash: b04e5020f324b86ddee711a7f5b7cf0c058747f5336a578ddd742165944ca264
Instruction Fuzzy Hash: B9B1A374A003199FCB55DFA9D590A9DFBF2FF88300F108629E819AB314EB70A945CF90

Function 032B7A18 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`eq, xrefs: 032B7B0B
`eq, xrefs: 032B7C2C
`eq, xrefs: 032B7B8A
tMIl, xrefs: 032B7ABC
`eq, xrefs: 032B7CAA

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID: tMIl$`eq$`eq$`eq$`eq
API String ID: 0-2840973237
Opcode ID: 7267644b0dd91c48ffffc4f8bd0eb68c1e79cde08f3d5cf8c446b0c863bb67b0
Instruction ID: d71c1009f5de07c7306a515e9b88e20bac8419cc21fdeadee0a3b8a55edcc3d5
Opcode Fuzzy Hash: 7267644b0dd91c48ffffc4f8bd0eb68c1e79cde08f3d5cf8c446b0c863bb67b0
Instruction Fuzzy Hash: 22B18374A103199FDB54DFA9D590A9DFBF1FF88300F108629E819AB354EB70A945CF90

Function 07A31EF8 Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

tPdq, xrefs: 07A31FDF
4'dq, xrefs: 07A31F89
84Gl, xrefs: 07A31F6C
JJl, xrefs: 07A31FA1
JJl, xrefs: 07A3200B

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$84Gl$tPdq$JJl$JJl
API String ID: 0-3611598509
Opcode ID: db03a1fb2b97ed33ab42131015930781e5439657e9a64d566c0c03fad113754c
Instruction ID: 0e8d7ee876f4b9a88a4f1f31e043344112d9b0eeb87895b0e4a812e239b11f96
Opcode Fuzzy Hash: db03a1fb2b97ed33ab42131015930781e5439657e9a64d566c0c03fad113754c
Instruction Fuzzy Hash: 5021ADB2A0060ADBDB248F44C442F66FBB2BFC6751F1880A7FA255F295C732D945C7A1

Function 032B71F8 Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

`eq, xrefs: 032B7B0B
`eq, xrefs: 032B7C2C
`eq, xrefs: 032B7B8A
`eq, xrefs: 032B7CAA

Memory Dump Source

Source File: 0000000C.00000002.1888945626.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_32b0000_powershell.jbxd

Similarity

API ID:
String ID: `eq$`eq$`eq$`eq
API String ID: 0-2971809466
Opcode ID: ae70cf5dc7b7ac7969b398227b8dfe283d93c67941e3a9476b55435b65e6bd84
Instruction ID: e79b93634c7238ee609ec2b0c62ae4c188dc28a45c342417b1107003b4031ad2
Opcode Fuzzy Hash: ae70cf5dc7b7ac7969b398227b8dfe283d93c67941e3a9476b55435b65e6bd84
Instruction Fuzzy Hash: 319181B4E1121A9FDB54DFA9D590A9DFBF1FF88300F14862AD819AB304E731A945CF90

Function 07A35798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$dq, xrefs: 07A357C6
$dq, xrefs: 07A357AA
$dq, xrefs: 07A357F4
$dq, xrefs: 07A35800

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 3abe0e1be98d66541de0bf3c650cf8673f28ded21665b82945d39c7b0fbdf5ba
Instruction ID: 24fd96f04b7f2a8db9826bab1514477a77cadadd7c5e6e205bc3327227a1b72b
Opcode Fuzzy Hash: 3abe0e1be98d66541de0bf3c650cf8673f28ded21665b82945d39c7b0fbdf5ba
Instruction Fuzzy Hash: FB2137B1B103169BDB349E7E8800B37BBE79BC1313F64842AFA15CB281DD35C9518361

Function 07A3226F Relevance: 5.1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

Strings

JJl, xrefs: 07A32245
lc<k, xrefs: 07A32237
JJl, xrefs: 07A322A4
JJl, xrefs: 07A3229A

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: lc<k$JJl$JJl$JJl
API String ID: 0-2709026035
Opcode ID: 256d7447aaa234106a9ec9974870ce962bc7ffc636be98b032a421a811a40ec5
Instruction ID: e9d83ba86c791190d04059be6f1156895f1bead2f8d93d3a66c037d5a65b86c1
Opcode Fuzzy Hash: 256d7447aaa234106a9ec9974870ce962bc7ffc636be98b032a421a811a40ec5
Instruction Fuzzy Hash: 4611D5F160C3A15FC7128BE44C12F767F617BD2310B19849BE5648F5D6C9249986C3A2

Function 07A32107 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

$dq, xrefs: 07A32166
$dq, xrefs: 07A32172
JJl, xrefs: 07A3214A
JJl, xrefs: 07A32156

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: $dq$$dq$JJl$JJl
API String ID: 0-1139017277
Opcode ID: e1a8a1bcd2d0293aa67d1ad48567c9dd54d2b6b722fe94bda99415ff563e35a8
Instruction ID: bfb6cf2b019806c0221d732bdb6a092a54c61d638b9e721a6a90a718ba09c89b
Opcode Fuzzy Hash: e1a8a1bcd2d0293aa67d1ad48567c9dd54d2b6b722fe94bda99415ff563e35a8
Instruction Fuzzy Hash: 1801F0B15193514FC7234B6C4D01717BFB2AFD6210B298497EA54DF296C9358C47C392

Function 07A30308 Relevance: 5.0, Strings: 4, Instructions: 43COMMON

Download Yara Rule

Strings

$dq, xrefs: 07A30352
4'dq, xrefs: 07A30373
$dq, xrefs: 07A3035E
4'dq, xrefs: 07A3037F

Memory Dump Source

Source File: 0000000C.00000002.1928316456.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$$dq$$dq
API String ID: 0-4229963660
Opcode ID: d55064192fbcca4e547f1b9105838a011a5a91ea6426b44c12cf5d7bd60a8ceb
Instruction ID: 8501b227cb1397bbd6e6bffcaf60d9e0ab6c16b1e4ff0baa7cfee2de0cadad52
Opcode Fuzzy Hash: d55064192fbcca4e547f1b9105838a011a5a91ea6426b44c12cf5d7bd60a8ceb
Instruction Fuzzy Hash: 1401D6A07093964FC72F9B7858206266FB35BC3650B2941EBC491CF296CE6C8D49C753

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ekzbwv0.p1r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wjuv0yg.gdq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_45trmmj0.et1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4affsnnl.cx0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4k4ffrjg.rsw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5d2ki1vs.kv5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cp2etgf2.dg3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqkphgh1.ems.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esz3eelj.ihu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghjd1qdr.q0h.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ji3rva4a.kx0.psm1

Windows Analysis Report
DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe

Function 04DF7358 Relevance: 3.3, Strings: 1, Instructions: 2040
COMMON

Function 04DF7368 Relevance: 3.3, Strings: 1, Instructions: 2020
COMMON